Allow egress traffic to single IP address
I'm writing the network policies of a Kubernetes cluster. How can I specify a single IP address that I want to authorize in my egress policy instead of authorizing a whole range of IP addresses?

Whitleather asked 27/3, 2019 at 10:50

An example based on the official docs:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:          # applies to pods labelled role=db in the default namespace
    matchLabels:
      role: db
  policyTypes:
  - Egress              # only egress is restricted; ingress is left untouched
  egress:
  - to:
    - ipBlock:
        cidr: 10.11.12.13/32   # a /32 matches exactly one IPv4 address
    ports:
    - protocol: TCP
      port: 5978

It's essential to use the /32 subnet prefix length, which indicates that you're limiting the scope of the rule to just this one IP address.

Seigneury answered 27/3, 2019 at 11:53

@Bernard: will this allow egress calls from the same IP (10.11.12.13) but from a different port, let's say 443? Or will egress calls only be allowed from the 10.11.12.13 IP and port 5978? - Phrenology

@Phrenology the IP/port pair in the rule above designates a destination for the egress traffic. So, if you want to change the rule to match the destination port, just change the .spec.egress.ports.port field. On the other hand, if you're looking for how to limit ingress traffic (from an IP to the cluster), you need to use the .spec.ingress rules instead of the .spec.egress rules used in this example. Both have similar logic and syntax, though. - Seigneury

Fine example, thanks! Note, though, that it will lead to a new problem (a minor and easily corrected one): failure in name resolution. You need to allow DNS traffic as well. - Triploid
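The comment above points at the usual failure mode of a single-IP egress rule: once a pod is selected by a policy that lists Egress in policyTypes, every egress connection not matched by some rule is dropped, including the DNS lookups the pod needs before it can even open the allowed connection. The following manifest is an added example (not part of the answer or comments above) that keeps the /32 rule from the answer and adds a second rule for cluster DNS. It assumes the cluster DNS pods (CoreDNS or kube-dns) run in the kube-system namespace with the label k8s-app: kube-dns, which is the default for kubeadm and most managed distributions, and that the namespace carries the automatic kubernetes.io/metadata.name label (set by Kubernetes 1.22 and later). The policy name is made up for the example.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-egress-single-ip   # hypothetical name, chosen for this example
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Egress                    # selecting Egress makes every unmatched egress connection a deny
  egress:
  # Rule 1: the single destination host from the answer, TCP port 5978 only.
  # Port and address are matched together: the same host on another port is denied.
  - to:
    - ipBlock:
        cidr: 10.11.12.13/32  # IPv4 host route; an IPv6 single address would be /128
    ports:
    - protocol: TCP
      port: 5978
  # Rule 2: cluster DNS, so that name resolution keeps working.
  # Assumption: DNS pods live in kube-system and are labelled k8s-app=kube-dns.
  # namespaceSelector and podSelector inside one "to" entry are ANDed, so this
  # matches only those pods, not every pod in kube-system.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP           # DNS falls back to TCP for large responses
      port: 53
```

Two checks are worth doing after applying this. First, NetworkPolicy objects are accepted by the API server regardless of whether the cluster's CNI plugin enforces them; on a CNI without policy support the manifest above is silently a no-op, so confirm enforcement from a selected pod (for example with kubectl exec into a role=db pod and attempting a connection to a host outside the allow list, which should time out). Second, ipBlock is intended for addresses outside the cluster; do not use it to pin down pod IPs, which are ephemeral and, depending on the CNI, may be rewritten by SNAT before the policy sees them. Use podSelector and namespaceSelector for in-cluster destinations, as Rule 2 does.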
