Network Policies
Purpose: For platform engineers, shows how to configure platform service network isolation and application-level NetworkPolicy patterns.
Task Summary
openCenter deploys NetworkPolicies for platform services (FluxCD, OLM) from openCenter-gitops-base. Application teams are responsible for defining NetworkPolicies for their own workloads. This guide covers the default platform policies and provides patterns for application-level isolation.
Prerequisites
- Calico CNI installed (default in openCenter clusters — supports NetworkPolicy enforcement)
- kubectl access to the cluster
Platform Service Policies
FluxCD and OLM namespaces have NetworkPolicies deployed by default. These restrict ingress and egress to only the traffic each service requires.
Example: FluxCD namespace policy (deployed from gitops-base):
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-flux-system
  namespace: flux-system
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: flux-system
  egress:
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 443
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
```
This policy allows FluxCD pods to communicate within their namespace, reach external HTTPS endpoints (for Git and Helm repositories), and resolve DNS via kube-system.
Application Network Isolation Patterns
Default Deny
Start with a default-deny policy in each application namespace. This blocks all ingress and egress unless explicitly allowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: my-app
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```
Allow Specific Ingress
Allow traffic from the ingress controller to application pods:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress
  namespace: my-app
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```
Allow DNS Egress
Most pods need DNS resolution. Allow egress to kube-dns:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: my-app
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```
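The three policies above (default deny, allow ingress from the ingress controller, allow DNS egress) only work as intended because of how NetworkPolicy rules combine: a pod becomes isolated in a direction as soon as any policy with that policyType selects it, and allow rules from all selecting policies are then unioned. The following evaluator is an added example, not openCenter or Calico code; it models only the fields the policies on this page use (podSelector, policyTypes, namespaceSelector/podSelector peers, protocol+port) and the pod labels and namespaces it constructs are assumptions. It does not model ipBlock peers, which are what a policy needs to match destinations outside the cluster.

```python
"""Minimal NetworkPolicy evaluator (added example; not openCenter or Calico code).

Models spec.podSelector, spec.policyTypes and ingress/egress rules with namespaceSelector /
podSelector peers and protocol+port entries, following the Kubernetes semantics: policies
are additive, and a pod isolated in a direction accepts a flow only if some selecting
policy has a rule matching both the peer and the port. ipBlock peers are not modelled.
"""
from dataclasses import dataclass

# Constructed namespace labels; Kubernetes sets kubernetes.io/metadata.name on every namespace.
NAMESPACE_LABELS = {n: {"kubernetes.io/metadata.name": n}
                    for n in ("my-app", "ingress-nginx", "kube-system", "other")}


@dataclass
class Pod:
    namespace: str
    labels: dict


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value must be present; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, other):
    """podSelector alone is scoped to the policy's namespace; with namespaceSelector they are ANDed."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None and not selector_matches(ns_sel, NAMESPACE_LABELS[other.namespace]):
        return False
    if pod_sel is not None:
        if ns_sel is None and other.namespace != policy_ns:
            return False
        if not selector_matches(pod_sel, other.labels):
            return False
    return True


def rule_matches(rule, peer_key, policy_ns, other, protocol, port):
    """A rule without from/to matches every peer; a rule without ports matches every port."""
    peers = rule.get(peer_key)
    if peers is not None and not any(peer_matches(p, policy_ns, other) for p in peers):
        return False
    ports = rule.get("ports")
    return ports is None or any(p.get("protocol", "TCP") == protocol and p.get("port") == port
                                for p in ports)


def policy_types(spec):
    """Default policyTypes: Ingress always, plus Egress only when egress rules are present."""
    return spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))


def direction_allowed(policies, pod, direction, other, protocol, port):
    """direction is 'Ingress' (other -> pod) or 'Egress' (pod -> other)."""
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p["spec"] for p in policies
                 if p["metadata"]["namespace"] == pod.namespace
                 and direction in policy_types(p["spec"])
                 and selector_matches(p["spec"].get("podSelector", {}), pod.labels)]
    if not selecting:
        return True  # no policy isolates this pod in this direction
    return any(rule_matches(r, peer_key, pod.namespace, other, protocol, port)
               for spec in selecting for r in spec.get(key) or [])


def flow_allowed(policies, src, dst, protocol, port):
    """Both the source's egress and the destination's ingress must permit the flow."""
    return (direction_allowed(policies, src, "Egress", dst, protocol, port)
            and direction_allowed(policies, dst, "Ingress", src, protocol, port))


# The three policies from this section, as the API server would store them (trimmed).
NS = {"kubernetes.io/metadata.name": "kube-system"}
DEFAULT_DENY = {"metadata": {"name": "default-deny-all", "namespace": "my-app"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
ALLOW_INGRESS = {"metadata": {"name": "allow-ingress", "namespace": "my-app"},
                 "spec": {"podSelector": {"matchLabels": {"app": "my-app"}}, "policyTypes": ["Ingress"],
                          "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                                          "kubernetes.io/metadata.name": "ingress-nginx"}}}],
                                       "ports": [{"protocol": "TCP", "port": 8080}]}]}}
ALLOW_DNS = {"metadata": {"name": "allow-dns", "namespace": "my-app"},
             "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                      "egress": [{"to": [{"namespaceSelector": {"matchLabels": NS}}],
                                  "ports": [{"protocol": "UDP", "port": 53},
                                            {"protocol": "TCP", "port": 53}]}]}}


def scenarios():
    """Flows worth checking after applying the policies; pods are constructed for the example."""
    full = [DEFAULT_DENY, ALLOW_INGRESS, ALLOW_DNS]
    app, nginx = Pod("my-app", {"app": "my-app"}), Pod("ingress-nginx", {})
    dns, other = Pod("kube-system", {"k8s-app": "kube-dns"}), Pod("other", {})
    return {
        "ingress-nginx -> my-app:8080/TCP": flow_allowed(full, nginx, app, "TCP", 8080),
        "other ns -> my-app:8080/TCP": flow_allowed(full, other, app, "TCP", 8080),
        "ingress-nginx -> my-app:9090/TCP": flow_allowed(full, nginx, app, "TCP", 9090),
        "my-app -> kube-dns:53/UDP": flow_allowed(full, app, dns, "UDP", 53),
        "my-app -> kube-dns:53/UDP, default-deny only": flow_allowed([DEFAULT_DENY], app, dns, "UDP", 53),
        "my-app -> kube-system:443/TCP": flow_allowed(full, app, dns, "TCP", 443),
        "my-app -> other:8080/TCP, no policies": flow_allowed([], app, other, "TCP", 8080),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

The "default-deny only" row is the troubleshooting case from later in this guide: once default-deny-all lists Egress, DNS fails until the allow-dns policy is added, because the deny policy has no egress rules and nothing else selects the pod for egress.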
Verification
Check which NetworkPolicies are active in a namespace:
```bash
kubectl get networkpolicy -n <namespace>
```
Test connectivity between pods (requires a debug pod):
```bash
kubectl run nettest --image=busybox --rm -it --restart=Never -n my-app -- wget -qO- --timeout=3 http://my-service:8080/health
```
If the connection is blocked by a NetworkPolicy, the request times out.
Troubleshooting
Pods cannot resolve DNS after applying default-deny: Add the DNS egress policy shown above. Default-deny blocks all egress, including DNS.
Ingress traffic blocked despite allow rule: Verify the namespaceSelector labels match the ingress controller's namespace. Check with:
```bash
kubectl get namespace ingress-nginx --show-labels
```
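Both checks in the Verification and Troubleshooting sections can be run offline against exported objects rather than one namespace at a time. The script below is an added example, not openCenter tooling; it reads the JSON shape of `kubectl get networkpolicy -A -o json` and `kubectl get namespace -o json` (constructed inline here, including a second "payments" namespace that makes the two common mistakes) and reports namespaces without default deny in both directions, namespaces that deny egress without allowing DNS to kube-system, and namespaceSelector labels that match no existing namespace. The namespace names and the policy in "payments" are assumptions made for the example.

```python
"""Offline NetworkPolicy audit (added example; not openCenter tooling).

Findings:
  missing_default_deny         namespace -> directions with no default-deny policy
  missing_dns_egress           namespaces that deny egress but never allow port 53 to kube-system
  dangling_namespace_selectors (namespace, policy, matchLabels) matching no namespace
"""
import json

DNS_NS = {"kubernetes.io/metadata.name": "kube-system"}

# Constructed sample of `kubectl get networkpolicy -A -o json`, trimmed to the fields read here.
NETPOL_JSON = json.dumps({"items": [
    {"metadata": {"name": "default-deny-all", "namespace": "my-app"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "allow-ingress", "namespace": "my-app"},
     "spec": {"podSelector": {"matchLabels": {"app": "my-app"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                              "kubernetes.io/metadata.name": "ingress-nginx"}}}],
                           "ports": [{"protocol": "TCP", "port": 8080}]}]}},
    {"metadata": {"name": "allow-dns", "namespace": "my-app"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {"matchLabels": DNS_NS}}],
                          "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]}},
    # Assumed second namespace: denies ingress only, and its allow rule misspells the controller namespace.
    {"metadata": {"name": "default-deny-ingress", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-ingress", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                              "kubernetes.io/metadata.name": "nginx-ingress"}}}]}]}},
]})

# Constructed sample of `kubectl get namespace -o json`.
NAMESPACE_JSON = json.dumps({"items": [
    {"metadata": {"name": n, "labels": {"kubernetes.io/metadata.name": n}}}
    for n in ("my-app", "payments", "ingress-nginx", "kube-system")]})


def selects_all_pods(spec):
    """podSelector {} (or an empty matchLabels) selects every pod in the namespace."""
    return not spec.get("podSelector", {}).get("matchLabels")


def denies_direction(spec, direction):
    """Default deny for a direction: selects all pods, lists the type, and has no rules for it."""
    return (selects_all_pods(spec) and direction in spec.get("policyTypes", [])
            and not spec.get(direction.lower()))


def allows_dns(spec):
    """True if some egress rule reaches kube-system on port 53 (or any port / any peer)."""
    if "Egress" not in spec.get("policyTypes", []):
        return False
    for rule in spec.get("egress") or []:
        peers, ports = rule.get("to"), rule.get("ports")
        peer_ok = peers is None or any(
            (p.get("namespaceSelector") or {}).get("matchLabels") == DNS_NS for p in peers)
        port_ok = ports is None or any(p.get("port") == 53 for p in ports)
        if peer_ok and port_ok:
            return True
    return False


def peer_selectors(spec):
    """Yield every namespaceSelector.matchLabels used as an ingress or egress peer."""
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for rule in spec.get(direction) or []:
            for peer in rule.get(key) or []:
                labels = (peer.get("namespaceSelector") or {}).get("matchLabels")
                if labels:
                    yield labels


def audit(netpol_json, namespace_json, app_namespaces):
    policies = json.loads(netpol_json)["items"]
    ns_labels = {ns["metadata"]["name"]: ns["metadata"].get("labels", {})
                 for ns in json.loads(namespace_json)["items"]}
    findings = {"missing_default_deny": {}, "missing_dns_egress": [], "dangling_namespace_selectors": []}
    for ns in app_namespaces:
        specs = [p["spec"] for p in policies if p["metadata"]["namespace"] == ns]
        missing = [d for d in ("Ingress", "Egress") if not any(denies_direction(s, d) for s in specs)]
        if missing:
            findings["missing_default_deny"][ns] = missing
        if "Egress" not in missing and not any(allows_dns(s) for s in specs):
            findings["missing_dns_egress"].append(ns)
    for p in policies:
        for labels in peer_selectors(p["spec"]):
            if not any(all(nl.get(k) == v for k, v in labels.items()) for nl in ns_labels.values()):
                findings["dangling_namespace_selectors"].append(
                    (p["metadata"]["namespace"], p["metadata"]["name"], labels))
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(NETPOL_JSON, NAMESPACE_JSON, ["my-app", "payments"]), indent=2))
```

Against a live cluster, replace the two constructed strings with the output of the corresponding kubectl commands and pass the list of application namespaces you expect to be isolated; a namespace with no policies at all is reported as missing both directions, which is the state every new application namespace starts in.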
Further Reading
- Defense-in-Depth Model — network security as Layer 5
- Kyverno Policy Catalog — policies that complement network isolation