Creating a NetworkPolicy

Set a NetworkPolicy that governs network access among pods.

To set up NetworkPolicy, Calico networks must be enabled during installation of your cluster.

For more information about configuring network policies, see Network Policies.

  1. From the navigation menu, click Platform > Network.
  2. Select Create NetworkPolicy.
  3. Enter the policy details. To create a NetworkPolicy, the following parameters are required:

    • A name for the policy.
    • Apply to - A list of pods to which the policy must be applied. If you do not specify a list of pods, the policy is applied to all pods. You can obtain a list of pods from the management console or from the Kubernetes CLI. See the From section that follows.
    • The port number and protocol to open. If you do not specify a port number, all ports are opened.
    • From - A list of pods that are allowed access. If you do not specify a list of pods, all pods are given access to the designated pods. You can use namespace and pod match label selectors to specify the allowed pods.

      If you select pod match label selector, all pods with the specified label are selected. The pod must be in the same namespace as the associated user. You can view a list of pod labels from the management console, or from the Kubernetes CLI. For example,

    • Pod match label selector

      1. Obtain the list of pods:

        kubectl get pods
        

        The output resembles the following text:

        NAME                          READY     STATUS    RESTARTS   AGE
        dev-nginx-254164163-02gbb     1/1       Running   0          2h
        dev-tomcat-3353689452-k5bpz   1/1       Running   0          2h
        
      2. Obtain the details from a pod. Run this command:

        kubectl describe pods dev-nginx-254164163-02gbb
        

        The output resembles the following text:

        Name:        dev-nginx-254164163-02gbb
        Namespace:    dev
        Node:        9.21.62.194/9.21.62.194
        Start Time:    Fri, 10 Mar 2017 03:50:16 -0500
        Labels:        app=dev-nginx
               image=nginx_1_11_7
               pod-template-hash=254164163
        Status:        Running
        IP:        10.1.53.6
        Controllers:    ReplicaSet/dev-nginx-254164163
        Containers:
        ...
        
    • Namespace match label selector

      If you select namespace match label selector, all pods in every namespace that carries the specified namespace label are selected. You can view the namespace labels from the Kubernetes CLI.

      1. Obtain the list of namespaces:

        kubectl get namespaces
        

        The output resembles the following text:

        NAME          STATUS    AGE
        default       Active    1h
        dev           Active    31m
        kube-system   Active    1h
        qa            Active    29m
        
      2. Open the YAML file that describes a namespace. Run this command:

        kubectl get namespaces dev -o yaml
        

        In this example, dev is the name of the namespace.

        The YAML file opens and resembles the following text:

        apiVersion: v1
        kind: Namespace
        metadata:
          creationTimestamp: 2017-03-10T13:17:52Z
          labels:
            team: dev
          name: dev
          ...
        
  4. Click Create.
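The console form above maps directly onto a Kubernetes NetworkPolicy manifest, and seeing the manifest makes clear what each field of the form restricts. The following is an added example written for this page, not output from the console or from Calico: it assumes the pod and namespace labels shown in the kubectl output above (app=dev-nginx, team: dev), and the policy name, the role=frontend pod label and the port are illustrative assumptions rather than values from the page.

```yaml
# Added example (not from the original page): the NetworkPolicy that the
# console form above would produce for the dev-nginx pods in namespace dev.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-team-dev-to-nginx   # "A name for the policy" (assumed name)
  namespace: dev                  # a NetworkPolicy is namespaced; it lives with the pods it governs
spec:
  # "Apply to": the pods this policy governs. An empty podSelector ({})
  # would select every pod in the namespace, as the text describes.
  podSelector:
    matchLabels:
      app: dev-nginx              # label seen in "kubectl describe pods" above
  policyTypes:
    - Ingress
  ingress:
    - from:
        # "From" with a namespace match label selector: pods in any namespace
        # labelled team=dev (the label seen in the namespace YAML above).
        - namespaceSelector:
            matchLabels:
              team: dev
        # "From" with a pod match label selector: pods labelled role=frontend
        # in the policy's own namespace (assumed label, for illustration).
        - podSelector:
            matchLabels:
              role: frontend
      # "The port number and protocol to open". Omit the ports list entirely
      # to open all ports, which is what leaving the port blank in the form does.
      ports:
        - protocol: TCP
          port: 80
```

Two points worth checking before clicking Create. First, once a pod is selected by any ingress policy, all ingress to it that no policy allows is dropped, so an "Apply to" selector that matches more pods than intended silently cuts them off from everything except the listed sources; an empty selector matches the whole namespace. Second, the two `from` entries above are separate list items and are therefore OR'ed (a pod matching either selector is allowed); writing `namespaceSelector` and `podSelector` as two keys of one list item would instead require both to match. After creating the policy, `kubectl describe networkpolicy allow-team-dev-to-nginx -n dev` shows the selectors and rules as the cluster stored them, which is the quickest way to confirm that the console produced the scope you meant.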