7:[["$","$12",null,{"fallback":null,"children":["$","$L13",null,{"reason":"next/dynamic","children":["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org/\",\"@type\":\"Article\",\"headline\":\"Tutorial: Cilium Network Policy in Practice (Part 2)\",\"image\":\"https://cdn.sanity.io/images/xinsvxfu/production/318b3bae3f021fbe4cf348a758f4e1b96433f1e4-1200x800.png\",\"datePublished\":\"2024-03-15T18:17:33.000Z\",\"dateModified\":\"2024-03-15T09:55:16.000Z\",\"description\":\"Learn how to build and deploy network policies for Kubernetes in this deep dive guide on Cilium Network Policy Tutorial.\",\"author\":[{\"@type\":\"Person\",\"name\":\"Paul Arah\",\"url\":\"https://isovalent.com/\"}]}"}}]}]}],["$","main",null,{"id":"top","children":[["$","header",null,{"className":"restricted mt-10 mb-14","children":[["$","$L18",null,{"href":"/blog/","className":"flex items-center justify-items-center gap-1 mb-6 text-sm font-bold text-action max-w-max","children":[["$","isov-icon",null,{"class":"block rotate-90","name":"arrow-right","size":"small"}],["$","isov-content",null,{"children":["$","span",null,{"className":"ui-text","children":"Blog"}]}]]}],["$","h1",null,{"className":"text-4xl text-nightfall font-bold mb-5 max-w-3xl","children":"Tutorial: Cilium Network Policy in Practice (Part 2)"}],["$","div",null,{"className":"article-details block sm:flex items-center justify-items-start sm:justify-items-center cursor-default","children":[[["$","isov-avatar","6a971ce6-ad13-a880-60fb-449643f28150",{"size":"medium","name":"Paul Arah","class":"mr-1","children":["$","$L19",null,{"src":"https://cdn.sanity.io/images/xinsvxfu/production/bcbfb734967bb8224be8ba791efcb849bb298bd2-288x288.jpg?auto=format&q=80&fit=clip&w=200","alt":"Paul Arah Image","slot":"avatar","height":200,"width":200}]}]],["$","div",null,{"className":"text-charcoal","children":[["$","span",null,{"className":"hidden sm:inline","children":"| "}],["$","span",null,{"children":["Published:"," ",["$","strong",null,{"className":"font-bold","children":"March 15, 2024"}]]}]," | ",[["$","$L1a","2159f293-7dd2-46f3-9b11-bf943ad2ae98",{"href":"/blog/networking-for-kubernetes","className":"inline-block text-action hover:underline font-bold pr-1","children":["Networking for Kubernetes",false]}]]]}]]}]]}],["$","section",null,{"id":"page-content","className":"mb-8","children":["$","$12",null,{"fallback":null,"children":["$","$L13",null,{"reason":"next/dynamic","children":["$","$L1b",null,{"content":[{"_key":"6ef11fca-8817-4988-b066-03bba7eda4b1","_type":"block","children":[{"_key":"910648c7-891c-4f88-9f1e-e73757a20a0d","_type":"span","marks":[],"text":"Just as a city's traffic smoothly flows when guided by clear rules and regulations, our Kubernetes cluster is about to undergo a transformation guided by Cilium Network Policies. Imagine navigating a city: certain areas might be restricted to pedestrians only, while others might allow limited car access. Similarly, when designing Network Policies, we need to consider: Who can access what? Define which applications (represented by \"pods\" in Kubernetes) can communicate with each other, on which ports, and using what protocols. Where can they go? This determines which resources (internal services or external resources) each pod can access. "}],"markDefs":[],"style":"normal"},{"_key":"281d4134-7256-4203-a6e1-8e5fc7e20056","_type":"block","children":[{"_key":"c4a32900-4512-402c-b3ce-6491499189f5","_type":"span","marks":[],"text":"In this second part of the network policy series, we'll navigate the complexities of designing these rules, exploring some common user stories that shed light on the practical implementation of Cilium Network Policies. The "},{"_key":"4351a66c-8d29-4e9d-8f5d-0be93a313a2c","_type":"span","marks":["fa7cbe6c-caed-4d25-a302-b49bcf7a1212"],"text":"first part "},{"_key":"16b29f03-5462-4665-afbd-e3bfb04f3156","_type":"span","marks":[],"text":"of this series introduces Cilium network policy and compares Kubernetes network policy with the Cilium network policy."}],"markDefs":[{"_key":"fa7cbe6c-caed-4d25-a302-b49bcf7a1212","_type":"link","href":"/blog/post/intro-to-cilium-network-policies/","openInNewTab":true}],"style":"normal"},{"_key":"8b581feb-8904-437a-ba18-027a3427b7a8","_type":"block","children":[{"_key":"000d2d87-4e97-461a-934c-21a8360465ab","_type":"span","marks":[],"text":"To help demonstrate how to use network policy to secure an application, we have prepared a hypothetical three-tier demo app. Our demo application comprises a frontend, a backend HTTP API, and a database. You can find a link to the Kubernetes manifest file on "},{"_key":"69baa007-31f1-49f0-887c-ad2488a97b4a","_type":"span","marks":["ed73097e-adc4-43ad-8764-49bbac680232"],"text":"Github"},{"_key":"7ba022ba-e0f2-4ed3-b2ed-04f5aa70d6d0","_type":"span","marks":[],"text":". "}],"markDefs":[{"_key":"ed73097e-adc4-43ad-8764-49bbac680232","_type":"link","href":"https://raw.githubusercontent.com/networkpolicy/demos/main/blog-1/demo.yaml","openInNewTab":true}],"style":"normal"},{"_key":"c9b48cab-2bad-4637-8f8b-933c620e0096","_type":"block","children":[{"_key":"dd2d93cf-f44b-4062-9602-68391d45d47c","_type":"span","marks":["strong"],"text":"Prerequisites"}],"markDefs":[],"style":"normal"},{"_key":"93b8e23b-5d56-43cf-a57c-f1bf9e1db050","_type":"block","children":[{"_key":"0cc24661-5430-4aab-a29a-80e1fe474619","_type":"span","marks":[],"text":"To follow along with this tutorial, we assume you have the following tools set up:"}],"markDefs":[],"style":"normal"},{"_key":"381b5a32-d2cf-4295-98c6-0c03515a07ee","_type":"block","children":[{"_key":"01fcc9fc-50b3-459d-b0f3-8cc59861bdd6","_type":"span","marks":["418150f9086a"],"text":"Kubectl"},{"_key":"a51753d52d8f","_type":"span","marks":[],"text":" installed locally."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"418150f9086a","_type":"link","href":"https://kubernetes.io/docs/tasks/tools/","isLink":false,"openInNewTab":true}],"style":"normal"},{"_key":"1033766d0f2d","_type":"block","children":[{"_key":"96e7b83224ca","_type":"span","marks":["299dd5f3f519"],"text":"Kind"},{"_key":"a8ae7c40b6e9","_type":"span","marks":[],"text":" installed locally."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"299dd5f3f519","_type":"link","href":"https://kind.sigs.k8s.io/docs/user/quick-start/","isLink":false,"openInNewTab":true}],"style":"normal"},{"_key":"b4d2722779a7","_type":"block","children":[{"_key":"09593226a93c","_type":"span","marks":[],"text":"The "},{"_key":"bf95920c6a2d","_type":"span","marks":["b799dd5c9dd4"],"text":"Cilium CLI"},{"_key":"96ccf5c21507","_type":"span","marks":[],"text":" installed."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"b799dd5c9dd4","_type":"link","href":"https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/#install-the-cilium-cli","isLink":false,"openInNewTab":true}],"style":"normal"},{"_key":"7b2429756573","_type":"block","children":[{"_key":"533580f12faa","_type":"span","marks":["b8799b3e1f28"],"text":"Hubble CLI"},{"_key":"66aa8ed3e0a0","_type":"span","marks":[],"text":" installed."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"b8799b3e1f28","_type":"link","href":"https://docs.cilium.io/en/stable/gettingstarted/hubble_setup/#install-the-hubble-client","isLink":false,"openInNewTab":true}],"style":"normal"},{"_key":"6114a63fe57a","_type":"block","children":[{"_key":"cba0c16ad682","_type":"span","marks":[],"text":"And a warm cup of your favorite beverage.😎"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"e3f47826-9714-4e3e-bff9-39ac4104461a","_type":"block","children":[{"_key":"ad04c96e-4d2e-4e9b-ab39-7755960d06e3","_type":"span","marks":[],"text":"Make a quick detour and install these tools if you haven’t. "}],"markDefs":[],"style":"normal"},{"_key":"514647be-ade6-44ae-9e3a-d30d592432cb","_type":"block","children":[{"_key":"940ba561-695f-427f-a9c0-9b061c47e586","_type":"span","marks":["strong"],"text":"Prepping Our Kubernetes Environment "}],"markDefs":[],"style":"h2"},{"_key":"ac386afa-b993-40d4-a266-5d1f91fc7d68","_type":"block","children":[{"_key":"c16e1312-369d-4e18-abca-bebe7f1d6c42","_type":"span","marks":[],"text":"We will provision our Kubernetes environment with "},{"_key":"7cd12ec6-05a0-4366-9b17-5904d2d0aa5d","_type":"span","marks":["b68596d7-f4e0-42df-a1c3-8d127c6a5afc"],"text":"Kind"},{"_key":"9baca233-4d38-4e0b-a9d1-3a447044f9d6","_type":"span","marks":[],"text":"; you can follow along using Kind like we've done here or any other Kubernetes environment with Cilium installed. The Kind config file below creates a Kind Kubernetes cluster with one control plane node and one worker node. The "},{"_key":"389cc30c-cce1-4e2c-9101-c026a0c6dc2d","_type":"span","marks":["code"],"text":"disableDefaultCNI"},{"_key":"d6be0290-a4c2-4aa5-9fd4-bbe215650ad3","_type":"span","marks":[],"text":" field is set to true to start our cluster with the Kind default network plugin disabled. "}],"markDefs":[{"_key":"b68596d7-f4e0-42df-a1c3-8d127c6a5afc","_type":"link","href":"https://kind.sigs.k8s.io/","openInNewTab":true}],"style":"normal"},{"_createdAt":"2024-09-30T11:27:29Z","_id":"bd728044-dd97-5ee2-c0b4-a5d5441feade","_key":"5b222fad-d791-4108-af05-8bbf38d9627d","_ref":"bd728044-dd97-5ee2-c0b4-a5d5441feade","_rev":"e9qWp8BVYg77bOSczcVwM5","_type":"codeBlock","_updatedAt":"2025-05-30T12:16:11Z","code":"#kind-config.yaml\nkind: Cluster\napiVersion: kind.x-k8s.io/v1alpha4\nnodes:\n- role: control-plane\n- role: worker\nnetworking:\n disableDefaultCNI: true","language":"yaml","title":"yaml - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"8737f5ac-10b4-4fa4-940d-68b4b09ff715","_type":"block","children":[{"_key":"4e12e883-2fb0-466a-b71e-2726a91614f6","_type":"span","marks":[],"text":"Save this config to a file named "},{"_key":"42ecdba3-822d-45b9-a928-e9d06bef7660","_type":"span","marks":["code"],"text":"config. yaml"},{"_key":"95926a79-6e4c-4765-9214-cf2e04362aad","_type":"span","marks":[],"text":" and create the cluster using the command "},{"_key":"52265704-8397-4d56-8830-d3f81d9a23ae","_type":"span","marks":["code"],"text":"kind create cluster --config config.yaml"}],"markDefs":[],"style":"normal"},{"_key":"5cd74ab8-98d7-46a7-a11a-bfab6841a43c","_type":"block","children":[{"_key":"2d77c792-52ef-45f5-a91e-cc6a2e0e8e17","_type":"span","marks":["strong"],"text":"Installing Cilium"}],"markDefs":[],"style":"normal"},{"_key":"f24222d6-3e10-4a03-bb13-d8ea9213d1c7","_type":"block","children":[{"_key":"24f951f7-015a-4dcb-aa1e-505877b6c3f0","_type":"span","marks":[],"text":"To install Cilium, ensure that you have the "},{"_key":"ec695bd8-edd9-4969-bf44-38446adc5555","_type":"span","marks":["297fb74a-a376-4557-a688-cdfcab00ae52"],"text":"Cilium CLI"},{"_key":"e0af1524-f424-4731-b371-0f6f39e4db26","_type":"span","marks":[],"text":" installed first and then run the command "},{"_key":"371f7fa3-2e4f-4da1-a787-f97a4c134239","_type":"span","marks":["code"],"text":"cilium install"},{"_key":"af5d2fbd-fa38-41e4-8954-3963cfdc6310","_type":"span","marks":[],"text":". The Cilium CLI will install Cilium automatically with the best configuration for our environment. Confirm your Cilium installation works with the "},{"_key":"3961f0e3-ebd5-4ab8-b46a-3280fd5a229a","_type":"span","marks":["code"],"text":"cilium status —wait"},{"_key":"d84d257d-8888-4cfd-b612-3df7f094f44e","_type":"span","marks":[],"text":" command. You should see an output similar to the one below. Check the Cilium "},{"_key":"eedc9928-2cb1-4395-9c33-a8634203d606","_type":"span","marks":["875c2bb2-7af7-4e03-9394-8e251fd235a0"],"text":"installation guide"},{"_key":"0c990bb3-9a45-4b81-b007-dad111ce89fe","_type":"span","marks":[],"text":" for more information if you’re using a different Kubernetes environment. If you run into issues setting up Kind with Cilium, there's a Kind installation guide in the Cilium "},{"_key":"eb20a803-cce4-4525-a0f6-7cf1b6988a5f","_type":"span","marks":["bcdb74c5-23d1-4126-9a7b-3b8968e603c7"],"text":"documentation"},{"_key":"48bfe045-ca2e-49b4-aa89-da1c1ddd8655","_type":"span","marks":[],"text":". "}],"markDefs":[{"_key":"297fb74a-a376-4557-a688-cdfcab00ae52","_type":"link","href":"https://github.com/cilium/cilium-cli","openInNewTab":true},{"_key":"875c2bb2-7af7-4e03-9394-8e251fd235a0","_type":"link","href":"https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/","openInNewTab":true},{"_key":"bcdb74c5-23d1-4126-9a7b-3b8968e603c7","_type":"link","href":"https://docs.cilium.io/en/stable/installation/kind/","openInNewTab":true}],"style":"normal"},{"_createdAt":"2024-09-30T11:27:30Z","_id":"2dfbe985-1a41-099c-496b-353bb60d8119","_key":"7eb7e52b-385a-4ab2-8761-88c3094da6a5","_ref":"2dfbe985-1a41-099c-496b-353bb60d8119","_rev":"be3C7ysj1QqQyrHso4cgZP","_type":"codeBlock","_updatedAt":"2024-10-01T10:51:43Z","code":"$$ cilium status --wait \n /¯¯\n /¯¯\\__/¯¯\\ Cilium: OK\n \\__/¯¯\\__/ Operator: OK\n /¯¯\\__/¯¯\\ Envoy DaemonSet: disabled (using embedded mode)\n \\__/¯¯\\__/ Hubble Relay: disabled\n \\__/ ClusterMesh: disabled\n\nDeployment cilium-operator Desired: 1, Ready: 1/1, Available: 1/1\nDaemonSet cilium Desired: 4, Ready: 4/4, Available: 4/4\nContainers: cilium Running: 4\n cilium-operator Running: 1\nCluster Pods: 9/9 managed by Cilium\nHelm chart version: 1.14.4\nImage versions cilium quay.io/cilium/cilium:v1.14.4@sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e: 4\n cilium-operator quay.io/cilium/operator-generic:v1.14.4@sha256:f0f05e4ba3bb1fe0e4b91144fa4fea637701aba02e6c00b23bd03b4a7e1dfd55: 1\n","language":"bash","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"4e463693-bf2d-4bfc-bc90-fb7ed925792b","_type":"block","children":[{"_key":"c09f1b0c-d087-4d48-91ec-094acabd2867","_type":"span","marks":["strong"],"text":"Setting Up Hubble for Observability "}],"markDefs":[],"style":"normal"},{"_key":"1dcb3eda-7257-45e2-8420-30f2109b3314","_type":"block","children":[{"_key":"c556edbf-e56e-40ea-bbb0-fc1d8ab66be4","_type":"span","marks":["36fdc819-7718-4db1-84f4-af3bbb0db5f0"],"text":"Hubble"},{"_key":"29761c62-35ed-4d87-9421-cbaab8dec9ba","_type":"span","marks":[],"text":" is the observability component of Cilium. Setting up Hubble will come in handy for inspecting, debugging, and visualizing network flows while crafting Cilium network policies that implement our user stories. Hubble already comes bundled with the default Cilium installation. To enable Hubble, run the command below:"}],"markDefs":[{"_key":"36fdc819-7718-4db1-84f4-af3bbb0db5f0","_type":"link","href":"/blog/post/hubble-series-re-introducing-hubble/","openInNewTab":true}],"style":"normal"},{"_createdAt":"2024-09-30T11:27:31Z","_id":"9b4f2630-d050-b7c6-682a-10e15c7075d3","_key":"5f6f44c8-b753-4840-9e7b-94678f4900c8","_ref":"9b4f2630-d050-b7c6-682a-10e15c7075d3","_rev":"PCAo7lqnhsEmi6r6qgQ2ww","_type":"codeBlock","_updatedAt":"2025-05-30T13:24:33Z","code":"$$ cilium hubble enable","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"8ded7ada-5c64-4b00-8d9b-bec308a12f45","_type":"block","children":[{"_key":"19958f52-5256-4996-8447-f74f245a3d28","_type":"span","marks":[],"text":"To confirm and validate that Hubble is enabled and running, run the "},{"_key":"d91cae67-8ed1-481c-b4b0-7f9c35624bdb","_type":"span","marks":["code"],"text":"cilium status —wait"},{"_key":"170182c8-0883-4b11-ac96-719e3bd0e075","_type":"span","marks":[],"text":" command. The"},{"_key":"b588c498-6cee-44a0-ab30-15e2d5a93b62","_type":"span","marks":["em"],"text":" Hubble Relay"},{"_key":"c5bc2f48-ccdc-4dd3-8e2e-db87b5f9ed8d","_type":"span","marks":[],"text":" field from the command output should now display “OK”. "}],"markDefs":[],"style":"normal"},{"_key":"7c29edca-19ec-4b40-aab8-3d77d9b08c26","_type":"block","children":[{"_key":"53cc7b20-f82b-4c3a-ac13-e0224d46e16b","_type":"span","marks":[],"text":"Hubble provides both a CLI and a UI client for observing and querying network traffic flow data. We will use the Hubble CLI in this tutorial. Install the Hubble CLI if you have not already done so. "}],"markDefs":[],"style":"normal"},{"_key":"381e4510-0066-469f-b3af-66b77fb89845","_type":"block","children":[{"_key":"63337242-a333-4ad1-ad46-237f4ab8d1a8","_type":"span","marks":[],"text":"To enable access to the Hubble API from our local machine, we create a "},{"_key":"dd6af5f7-4124-4446-9ab3-bbbe7dc3a8f2","_type":"span","marks":["f49d26c6-83f5-4782-9e22-90694e96d4a7"],"text":"port forward"},{"_key":"3091b03e-5c5a-4cd9-820a-b0fb13bcaded","_type":"span","marks":[],"text":" to our local machine. Run the "},{"_key":"fb6a1add-2830-414e-b818-526f6576b297","_type":"span","marks":["code"],"text":"cilium hubble port-forward&"},{"_key":"614448fb-3cb0-4a9d-b319-cccf76447b0c","_type":"span","marks":[],"text":" command. Run the "},{"_key":"1db978af-8d19-4b6c-9fb1-adce7050883b","_type":"span","marks":["code"],"text":"hubble status"},{"_key":"2ec30435-b013-4a10-9be1-b4dbcd3f60a2","_type":"span","marks":[],"text":" to validate that the Hubble CLI client can access the hubble API. "}],"markDefs":[{"_key":"f49d26c6-83f5-4782-9e22-90694e96d4a7","_type":"link","href":"https://kubernetes.io/docs/reference/kubectl/generated/kubectl_port-forward/","openInNewTab":true}],"style":"normal"},{"_createdAt":"2024-09-30T11:27:32Z","_id":"5f1b26f3-5609-d0b6-524a-301bc67a7cb0","_key":"f737e98e-0a52-4d1c-b3ff-b8595a2334d1","_ref":"5f1b26f3-5609-d0b6-524a-301bc67a7cb0","_rev":"Ay0qd2uUQtJvWcq7ns8aen","_type":"codeBlock","_updatedAt":"2025-05-30T13:24:42Z","code":"$$ hubble status\nHealthcheck (via localhost:4245): Ok\nCurrent/Max Flows: 2,391/8,190 (29.19%)\nFlows/s: 5.87\nConnected Nodes: 2/2","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"30a88770-b222-4cf9-8177-d3051a95e3fe","_type":"block","children":[{"_key":"ba58a177-b561-4024-b5b8-3a18ca9ad816","_type":"span","marks":["strong"],"text":"Deploying the Demo Workloads"}],"markDefs":[],"style":"normal"},{"_key":"222a8313-c5b4-41b2-98ed-b7909bfd75e6","_type":"block","children":[{"_key":"a33c5314-2f76-4ba7-90d6-db1b5c368bb4","_type":"span","marks":[],"text":"Deploy the demo application on the cluster using the command:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:33Z","_id":"73fd8b4b-1027-c725-1285-81042fb92218","_key":"f6f6c616-620c-4fb1-919f-f093a0066c13","_ref":"73fd8b4b-1027-c725-1285-81042fb92218","_rev":"PCAo7lqnhsEmi6r6qgQ5cl","_type":"codeBlock","_updatedAt":"2025-05-30T13:24:49Z","code":"$$ kubectl apply -f https://raw.githubusercontent.com/networkpolicy/demos/main/blog-1/demo.yaml","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"3b54cc84-03cb-449a-a04b-dc3d66dba768","_type":"block","children":[{"_key":"0cb324b5-2c95-48dc-8b68-5135537273ca","_type":"span","marks":[],"text":"Check the created resources. You should have 3 deployments, 3 services, and 2 pods per deployment. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:34Z","_id":"22df11b7-cab3-4e73-3499-bae533379086","_key":"ed879a97-81ad-4827-8299-aea76d6f7d79","_ref":"22df11b7-cab3-4e73-3499-bae533379086","_rev":"PCAo7lqnhsEmi6r6qgQ9Zt","_type":"codeBlock","_updatedAt":"2025-05-30T13:24:57Z","code":"$1c","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"a8c63bfc-6f9e-4a8d-8dcf-5aec24c1c812","_type":"block","children":[{"_key":"26778d64-403d-467a-81c1-5048f50d4ea1","_type":"span","marks":["strong"],"text":"Categorizing Ingress and Egress Traffic "}],"markDefs":[],"style":"normal"},{"_key":"76185b48-c963-480e-aa91-14aea42d61e7","_type":"block","children":[{"_key":"b196f7a1-82d0-408c-98be-3fb603dc6494","_type":"span","marks":[],"text":"To put it simply, ingress refers to incoming/inbound traffic, and egress refers to outgoing/outbound traffic. Depending on which pod's perspective we're evaluating the traffic from, this could vary. Let's go through a couple of scenarios."}],"markDefs":[],"style":"normal"},{"_key":"7f3be019-e2d2-49ed-bbb8-34b2a0e090fa","_type":"block","children":[{"_key":"347bb3f9-912a-4dab-8a70-abd072d181a4","_type":"span","marks":[],"text":"When a user accesses our frontend application, this is ingress traffic from the frontend pods perspective. When our frontend application makes an HTTP call to the backend API, this is egress traffic from the frontend pod perspective, but from the backend pod perspective, this is ingress traffic. To allow traffic between two pods, the egress side of the sending pod and the ingress side of the receiving pod must both allow traffic. This ensures compliance with "},{"_key":"01df7d23-db74-472c-be03-712bf913eb7c","_type":"span","marks":["672b8558-73d8-41f6-9ab2-4e0f1da0e866"],"text":"zero-trust"},{"_key":"1400ddd7-0307-46f1-966b-1b20d7f9eafe","_type":"span","marks":[],"text":" principles by allowing each pod to enforce its policy instead of relying on the policies of other pods."}],"markDefs":[{"_key":"672b8558-73d8-41f6-9ab2-4e0f1da0e866","_type":"link","href":"/blog/post/zero-trust-security-with-cilium/","openInNewTab":true}],"style":"normal"},{"_key":"383a4e21-07e8-4c12-8990-197c4cc84652","_type":"block","children":[{"_key":"93d3335b-d53d-4d78-8adf-5f92e9cc8c5c","_type":"span","marks":[],"text":"When our API pod queries the database pod and receives the results, a common mistake is to evaluate the response from the database as egress traffic leaving the database pod, but this isn't the case. The request and reply all happen under the same underlying TCP connection, which counts only as egress traffic from the backend pod and ingress traffic to the database pod. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:28:01Z","_id":"50f82efb-7923-6d5d-7755-42bf2aab5959","_key":"52c63ff5-31fe-47ea-81a7-7b228eb3f0c3","_ref":"50f82efb-7923-6d5d-7755-42bf2aab5959","_rev":"be3C7ysj1QqQyrHsnvtRvw","_type":"mediaImage","_updatedAt":"2024-09-30T11:28:01Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-1cefe5a54c46f56b86de9ddab9646c0327ca1fcd-892x304-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"IXN8W9_hLWYOhCQaAOZatBFbyxn44f8hDl_UF_DJOrDEvDkajMu5evS40fVlTP49XpUu8VZ-06bA591ytAZZdGggO-3bwrILw_FZqqQ_W1vL3r0kpJo0dYXA7VU-_7TZZQxvGIZ7-KuLHxmaYiNj9qE","size":"large","title":"IXN8W9_hLWYOhCQaAOZatBFbyxn44f8hDl_UF_DJOrDEvDkajMu5evS40fVlTP49XpUu8VZ-06bA591ytAZZdGggO-3bwrILw_FZqqQ_W1vL3r0kpJo0dYXA7VU-_7TZZQxvGIZ7-KuLHxmaYiNj9qE - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/1cefe5a54c46f56b86de9ddab9646c0327ca1fcd-892x304.png"},{"_key":"d5309f78-a23a-46d2-a583-5989fb6cae0b","_type":"block","children":[{"_key":"0ea2c2a4-2f39-4261-8c64-f2af86854d50","_type":"span","marks":["strong"],"text":"Writing Cilium Network Policies"}],"markDefs":[],"style":"h2"},{"_key":"65f2c600-29eb-46a1-b480-36b47c64d708","_type":"block","children":[{"_key":"4c39044f-e262-4fcf-afcb-de9ceb93537d","_type":"span","marks":[],"text":"We've been given the requirements of implementing the following traffic rules in our cluster:"}],"markDefs":[],"style":"normal"},{"_key":"de024b7a-56b7-43b4-bcf0-a007c34cfcf4","_type":"block","children":[{"_key":"761093c7-7169-460b-9785-cb0addbd0dc1","_type":"span","marks":["strong"],"text":"User story 1 - Lockdown the Database, Allow Ingress Only From The Backend "}],"markDefs":[],"style":"h2"},{"_key":"edb5f04f-3d52-4f19-9198-d104b9a563b9","_type":"block","children":[{"_key":"f00d1754-c733-4590-be29-f4230d728da1","_type":"span","marks":["em"],"text":"As an administrator, I want to ensure my database pods only receive traffic from the backend pods and can't send traffic anywhere else"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:28:03Z","_id":"13fac510-b559-a03c-2f6c-93265059ec17","_key":"55447f05-50dc-4b43-aec8-05aba70af94c","_ref":"13fac510-b559-a03c-2f6c-93265059ec17","_rev":"CoxtE4vswqQZGyPwAYQ2zx","_type":"mediaImage","_updatedAt":"2025-06-08T23:17:36Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-7f4eb2807aae8e2f79ef50ab3595f0cc9ed8dfb9-792x186-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"3Eg-rQ7Odk8qxtH70_CO41qdh1HKcB-pu8WZ_kPFrSCFa-WgEdxdBnCduUoDVwwGpFuHx0MvgD8rfEgGK3vmLBCxlLKIBSN1iYy7UYQ4rtmp4cPXLFZbmwtLME6dyeFQh7NcxnNWVI33vznfgj_wJhI.png","size":"large","title":"3Eg-rQ7Odk8qxtH70_CO41qdh1HKcB-pu8WZ_kPFrSCFa-WgEdxdBnCduUoDVwwGpFuHx0MvgD8rfEgGK3vmLBCxlLKIBSN1iYy7UYQ4rtmp4cPXLFZbmwtLME6dyeFQh7NcxnNWVI33vznfgj_wJhI - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/7f4eb2807aae8e2f79ef50ab3595f0cc9ed8dfb9-792x186.png"},{"_key":"9437b70b-9591-46d8-855a-28ac993d757a","_type":"block","children":[{"_key":"84585443-8620-432f-992e-f00c11c8f736","_type":"span","marks":[],"text":"This is a common use case, and most managed database providers implement some sort of ingress traffic filtering. To implement this user story, we want our database pods to receive ingress traffic from only the frontend pods, and we also want our database pod to block all egress traffic from leaving the pods. When a Pod is created, Cilium creates an endpoint for the pod(s) and their containers and assigns the endpoint an IP address. We can apply endpoints-based policies using the pod labels. "}],"markDefs":[],"style":"normal"},{"_key":"61635ce4-75b8-46f2-8027-455dbc91a54e","_type":"block","children":[{"_key":"2ac68d26-e2bc-45e6-bb20-8fc993595701","_type":"span","marks":[],"text":"Currently, if we make a request to the database service or pod from any pod, the request goes through. "}],"markDefs":[],"style":"normal"},{"_key":"2ffed76f-97e9-4892-a8dd-e5c69f61b937","_type":"block","children":[{"_key":"4d046d36-718b-48c0-a66e-a485f7def6d6","_type":"span","marks":["strong"],"text":"Sidenote:"},{"_key":"bff92c0e-395c-47aa-a88b-103912205c60","_type":"span","marks":[],"text":" Kubernetes generates unique names for pods. While following along, you should replace our autogenerated Kubernetes pod names with yours."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:35Z","_id":"ad6d2486-4678-f10a-4e76-89713841bcab","_key":"8bd6e8a8-1238-4693-9740-013c07b95d29","_ref":"ad6d2486-4678-f10a-4e76-89713841bcab","_rev":"e9qWp8BVYg77bOSczcivFJ","_type":"codeBlock","_updatedAt":"2025-05-30T13:25:08Z","code":"kubectl exec backend-784c669968-q6w9w -- curl -s database/PING \n\n{\"PING\":[true,\"PONG\"]}\n","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"74939577-502d-46f8-a6e0-c9594fd2dc86","_type":"block","children":[{"_key":"80bbbbd8-aeec-45d2-a975-47b8b752cf71","_type":"span","marks":[],"text":"We can observe the network traffic flow on the backend pods using Hubble. Conveniently, the hubble CLI client allows us to filter the network traffic flow data it gathers by pod labels. Let’s filter network traffic data on the pod with labels "},{"_key":"ccd0f359-cb0b-45d6-a566-a68e7b606c76","_type":"span","marks":["code"],"text":"tier=backend"},{"_key":"858193c9-8649-4e2a-85dc-ea0ce8b55876","_type":"span","marks":[],"text":"."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:36Z","_id":"77431c58-3d4d-bd68-6ab8-ea17d2fe9765","_key":"f2bcf761-4d8c-4150-a044-5bfc6a9e37b9","_ref":"77431c58-3d4d-bd68-6ab8-ea17d2fe9765","_rev":"PCAo7lqnhsEmi6r6qgKNQ5","_type":"codeBlock","_updatedAt":"2025-05-30T12:51:49Z","code":"Mar 14 13:55:24.606: default/backend-784c669968-srl9z:53200 (ID:40136) -> default/database-6fcd88f48-sr8bz:7379 (ID:29609) to-endpoint FORWARDED (TCP Flags: ACK)\nMar 14 13:55:24.606: default/backend-784c669968-srl9z:53200 (ID:40136) -> default/database-6fcd88f48-sr8bz:7379 (ID:29609) to-endpoint FORWARDED (TCP Flags: ACK, PSH)\nMar 14 13:55:24.606: default/backend-784c669968-srl9z:53200 (ID:40136) -> default/database-6fcd88f48-sr8bz:7379 (ID:29609) to-endpoint FORWARDED (TCP Flags: ACK, FIN)\nMar 14 13:55:24.606: default/backend-784c669968-srl9z:53200 (ID:40136) -> default/database-6fcd88f48-sr8bz:7379 (ID:29609) to-endpoint FORWARDED (TCP Flags: ACK)","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"949ddf73-371f-4aeb-bae0-b1ec30104538","_type":"block","children":[{"_key":"7bb090a0-8e71-47e7-a008-9395e661390c","_type":"span","marks":[],"text":"The resulting data shows network traffic originating from the backend pods and flowing to database pods. "}],"markDefs":[],"style":"normal"},{"_key":"761bf96e-0a3c-405b-a1e2-5ec527f0c1a6","_type":"block","children":[{"_key":"2f809d6b-2410-4ab6-b026-d4b3662d21d8","_type":"span","marks":[],"text":"To implement our network policy, we identify the specific pod(s) to which we want our policy to be applied. In our case, the database pods with the label "},{"_key":"b6268926-1db5-4351-b084-d857c4f0885c","_type":"span","marks":["code"],"text":"tier=database"},{"_key":"d52958d2-cf96-41a6-b0d8-5d1df227bef6","_type":"span","marks":[],"text":". Note that if the endpoint selector field is empty, the policy will be applied to all pods in the namespace."}],"markDefs":[],"style":"normal"},{"_key":"969a7aa8-c778-4256-aef6-734a78b35ca8","_type":"block","children":[{"_key":"d15407a0-dcbe-4e18-a935-be007211b954","_type":"span","marks":[],"text":"The standard network security posture of Kubernetes allows all network traffic. We can restrict all communication by introducing a \"default deny\" posture and allowing only the desired network communication. When a rule selects an endpoint, and we specify the traffic direction(i.e. ingress or egress), the endpoint automatically enters a default deny mode."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:38Z","_id":"c58fc9c1-3790-6357-cabe-2710dcb6c2ea","_key":"51c2e5ee-42ff-4e49-b97d-05d48d7917c8","_ref":"c58fc9c1-3790-6357-cabe-2710dcb6c2ea","_rev":"PCAo7lqnhsEmi6r6qgFk2Z","_type":"codeBlock","_updatedAt":"2025-05-30T12:24:23Z","code":"apiVersion: cilium.io/v2\nkind: CiliumNetworkPolicy\nmetadata:\n name: database-policy\n namespace: default\nspec:\n endpointSelector:\n matchLabels:\n tier: database\n ingress:\n - {}\n egress:\n - {}","language":"yaml","lineNumbers":"show","title":"YAML - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"adbed6ca-5235-403d-a820-01ca8414ebb1","_type":"block","children":[{"_key":"50843354-3b77-47a3-8242-1c7e9eba119f","_type":"span","marks":[],"text":"Let’s create our Cilium Network Policy in a file named "},{"_key":"c9b261bf-eb4e-4b1c-ad6b-79d9621c66a6","_type":"span","marks":["code"],"text":"database-policy.yaml"},{"_key":"014ab22b-e538-4621-8d06-185e1497a5b7","_type":"span","marks":[],"text":"."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:39Z","_id":"2f389c01-e3db-9432-1746-ee4320330c73","_key":"255bbe4a-dd61-4e63-b358-953bb5fabd20","_ref":"2f389c01-e3db-9432-1746-ee4320330c73","_rev":"Ay0qd2uUQtJvWcq7ns8gKo","_type":"codeBlock","_updatedAt":"2025-05-30T13:25:23Z","code":"$$ kubectl apply -f database-policy.yaml \n\n$ kubectl get cnp #cnp is short for the CiliumNetworkPolicy","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"6933160c-0eac-4256-84d6-2e9cebc86c46","_type":"block","children":[{"_key":"59e19d0e-9991-4bc1-9eea-119f8f0ced40","_type":"span","marks":[],"text":"When we try to reach the database pods from any other pods in the cluster or when we try to reach other pods from inside the database pod, we're unable to do so. The default deny posture on the network policy has restricted both ingress and egress traffic on the database pods. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:40Z","_id":"263a89ab-4840-a5d5-2e90-9020085e1b5d","_key":"0c01224d-cfec-4f2b-b043-76187e8e5f1d","_ref":"263a89ab-4840-a5d5-2e90-9020085e1b5d","_rev":"e9qWp8BVYg77bOSczcj7Bd","_type":"codeBlock","_updatedAt":"2025-05-30T13:25:41Z","code":"$$ kubectl exec backend-784c669968-k6m85 -- curl -s database/PING \n\n#kill the request by pressing CTRL + C","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"54cff33d-f429-4d28-a0b8-74c8826a188f","_type":"block","children":[{"_key":"dbd74d47-0ee8-4cf6-8761-893f548ca05a","_type":"span","marks":[],"text":"Observing the network traffic flow using hubble, we see that connections are dropped due to the database policy in place. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:41Z","_id":"7c363dce-a05c-490d-e1ef-95d9c18b9172","_key":"1b54d372-26a8-43ae-b6d4-5028c2a00537","_ref":"7c363dce-a05c-490d-e1ef-95d9c18b9172","_rev":"e9qWp8BVYg77bOSczcj2Bn","_type":"codeBlock","_updatedAt":"2025-05-30T13:25:32Z","code":"Mar 14 14:12:01.154: default/backend-784c669968-srl9z:35866 (ID:40136) <> default/database-6fcd88f48-f9xmg:7379 (ID:29609) Policy denied DROPPED (TCP Flags: SYN)\nMar 14 14:12:34.178: default/backend-784c669968-srl9z:35866 (ID:40136) <> default/database-6fcd88f48-f9xmg:7379 (ID:29609) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)\nMar 14 14:12:34.178: default/backend-784c669968-srl9z:35866 (ID:40136) <> default/database-6fcd88f48-f9xmg:7379 (ID:29609) Policy denied DROPPED (TCP Flags: SYN)","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"b19fddc2-42ab-4cc1-8dd4-81ae3ab9ca3d","_type":"block","children":[{"_key":"34980dca-735e-47be-9090-fe69b08d8284","_type":"span","marks":[],"text":"We now add an ingress rule that allows traffic for the backend pods while leaving the egress rule in its default deny state. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:42Z","_id":"0f14a5f9-6fc6-120e-b107-18d12e55c12a","_key":"b3c40f04-37fb-40bf-9d8f-fc09824da360","_ref":"0f14a5f9-6fc6-120e-b107-18d12e55c12a","_rev":"PCAo7lqnhsEmi6r6qgFjo9","_type":"codeBlock","_updatedAt":"2025-05-30T12:24:15Z","code":"apiVersion: cilium.io/v2\nkind: CiliumNetworkPolicy\nmetadata:\n name: database-policy\n namespace: default\nspec:\n endpointSelector:\n matchLabels:\n tier: database\n ingress:\n - {}\n - fromEndpoints:\n - matchLabels:\n tier: backend\n toPorts:\n - ports:\n - port: \"7379\"\n egress:\n - {}","language":"bash","lineNumbers":"show","lineRestriction":7,"restrictHeight":true,"title":"YAML - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"4a02126a-f253-4fbb-a85b-94b8cad09c00","_type":"block","children":[{"_key":"95d49fa4-169d-4557-b771-28302074c6ed","_type":"span","marks":[],"text":"We can test our ingress traffic ruleset by reaching the database pods from any backend pods. The container image for our database pod uses a minimal image without the curl binary. To test our egress traffic, we’ll use a slight workaround with busybox and wget. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:43Z","_id":"4cda83af-76ae-a8f8-c7bb-4f7089c859b7","_key":"430fa219-1cc0-470d-b4ad-4180d665b0bd","_ref":"4cda83af-76ae-a8f8-c7bb-4f7089c859b7","_rev":"Ay0qd2uUQtJvWcq7ns8k7U","_type":"codeBlock","_updatedAt":"2025-05-30T13:25:50Z","code":"$$ kubectl exec backend-784c669968-vww2g -- curl -s database/PING\n$ kubectl exec database-54dddb86bf-56blf -- busybox wget -O - frontend","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"f884cd49-3d1e-492c-b7e0-580393b45b48","_type":"block","children":[{"_key":"b0fd00fd-37ad-448c-9ef4-e81eb24d950c","_type":"span","marks":[],"text":"Our request from the backend pod to the database pod goes through, while our request from the database pod to the frontend pod fails. If we try to reach any external domains or IP addresses from the database pod, this fails too!"}],"markDefs":[],"style":"normal"},{"_key":"d35e8136-0edf-42a6-8a9a-03c1f776de12","_type":"block","children":[{"_key":"1a924e75-a052-4160-8829-922e8e05c4d5","_type":"span","marks":[],"text":"Observing the network traffic flow with hubble, we see that packets are now being allowed only from the backend pods to the database pods."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:44Z","_id":"70362726-05b5-c492-24ce-6269241cfb44","_key":"738c8241-1cad-4c20-9a78-1a3dabcf52b1","_ref":"70362726-05b5-c492-24ce-6269241cfb44","_rev":"PCAo7lqnhsEmi6r6qgQOql","_type":"codeBlock","_updatedAt":"2025-05-30T13:25:59Z","code":"Mar 14 14:16:07.889: default/backend-784c669968-srl9z:38510 (ID:40136) -> default/database-6fcd88f48-f9xmg:7379 (ID:29609) to-endpoint FORWARDED (TCP Flags: ACK, PSH)\nMar 14 14:16:07.889: default/backend-784c669968-srl9z:38510 (ID:40136) -> default/database-6fcd88f48-f9xmg:7379 (ID:29609) to-endpoint FORWARDED (TCP Flags: ACK, FIN)\nMar 14 14:16:07.889: default/backend-784c669968-srl9z:38510 (ID:40136) -> default/database-6fcd88f48-f9xmg:7379 (ID:29609) to-endpoint FORWARDED (TCP Flags: ACK)","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"f88bedc6-d4cf-44e6-9519-7db0798970fd","_type":"block","children":[{"_key":"48aad1f7-73dd-419b-bfde-454878a0c91a","_type":"span","marks":["strong"],"text":"User Story 2 - IP/CIDR Ingress Traffic Filter for Database Access"}],"markDefs":[],"style":"h2"},{"_key":"655dd05d-35f2-4ac6-9e11-ed3dff0bb20e","_type":"block","children":[{"_key":"efe59168-1341-4fa0-a8c5-95114f92e280","_type":"span","marks":["em"],"text":"We have a team of developers and administrators who need to access the cluster from outside the office, and we’re routing their incoming traffic through a VPN with the IP address "},{"_key":"bb9508536314","_type":"span","marks":["em","code"],"text":"172.27.224.3"},{"_key":"239ac6320b7f","_type":"span","marks":["em"],"text":", as an administrator, I want to ensure all developers and administrators using this VPN can access the database pods."}],"markDefs":[],"style":"normal"},{"_key":"f81c38f2-e42c-4ccf-a102-f0d88d67e797","_type":"block","children":[{"_key":"834e6b73-6109-4935-8c93-05150143b4bc","_type":"span","marks":[],"text":"Since all the incoming external traffic to our database pod is routed through a VPN, this user story entails that the only external IP address that can access our database pods is the IP address of the VPN server. Cilium Network Policy provides CIDR-based policies for controlling traffic to known IP addresses and CIDRs. The "},{"_key":"c696a61b-7974-4321-a1a1-24c5ad6888ee","_type":"span","marks":["code"],"text":"fromCIDR"},{"_key":"2f938de2-d405-4d60-84fd-d135fa41ef47","_type":"span","marks":[],"text":" and "},{"_key":"16f5bbb6-20da-4f40-bc55-4f26adf99cd9","_type":"span","marks":["code"],"text":"fromCIDRSet fields"},{"_key":"3f5f2b5b-e964-4c1e-a559-d3947856a956","_type":"span","marks":[],"text":" in the spec define ingress traffic rules, and "},{"_key":"4503ae98-ac95-4c62-83c1-23df4acfbd09","_type":"span","marks":["code"],"text":"toCIDR"},{"_key":"899a2e8c-bbe9-4776-91cf-d10f7561812d","_type":"span","marks":[],"text":" and "},{"_key":"16271497-901a-4437-b8ec-a67b2f02eac2","_type":"span","marks":["code"],"text":"toCIDRSet"},{"_key":"bad28075-9377-4ff1-8f6f-30991796994c","_type":"span","marks":[],"text":" define egress traffic rules. The toCIDRSet field allows us to define exclusion rules for subnets within a CIDR."}],"markDefs":[],"style":"normal"},{"_key":"c1ba249b-6166-46c4-b1c8-6aff0ca17512","_type":"block","children":[{"_key":"7cd97e34-a222-4a6f-9366-34c53727434d","_type":"span","marks":[],"text":"We can update our database policy to include the ingress rule that implements our user story. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:45Z","_id":"2af495be-61c8-8e4b-a2da-fbf34e23b89c","_key":"2fd0cd00-53a8-4c6f-9ff5-803439e3edcb","_ref":"2af495be-61c8-8e4b-a2da-fbf34e23b89c","_rev":"PCAo7lqnhsEmi6r6qgFjUv","_type":"codeBlock","_updatedAt":"2025-05-30T12:24:06Z","code":"apiVersion: cilium.io/v2\nkind: CiliumNetworkPolicy\nmetadata:\n name: database-policy\n namespace: default\nspec:\n endpointSelector:\n matchLabels:\n tier: database\n ingress:\n - fromEndpoints:\n - matchLabels:\n tier: backend\n toPorts:\n - ports:\n - port: \"7379\"\n - fromCIDRSet:\n - cidr: 102.213.50.174/32\n toPorts:\n - ports:\n - port: \"443\"\n egress:\n - {}","language":"yaml","lineNumbers":"show","lineRestriction":7,"restrictHeight":true,"title":"YAML - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"f3ad85f6-5866-4bba-8899-9c0184cd663b","_type":"block","children":[{"_key":"33e26116-4285-4746-b434-121387a4a944","_type":"span","marks":["strong"],"text":"User Story 3 - Filter Egress Traffic by DNS Name "}],"markDefs":[],"style":"h2"},{"_key":"365ae93c-d810-4824-8144-a46a2d87cbd2","_type":"block","children":[{"_key":"1ea7fd7e-0ae0-4fb3-85fa-fd716129c4a3","_type":"span","marks":["em"],"text":"As an administrator, I want the backend pods to accept ingress traffic only from the frontend pods. I want backend pods to be able to only reach the database pods and also be able to access our external resources on Google Cloud with the domain name wildcard pattern *.cloud.google.com. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:28:04Z","_id":"87033dbe-ebcd-9087-840a-a7f0efb72342","_key":"8251eb1d-15f9-4884-ae62-7493f098748a","_ref":"87033dbe-ebcd-9087-840a-a7f0efb72342","_rev":"P5GVFsWfT1LlxauxU4IaG2","_type":"mediaImage","_updatedAt":"2024-09-30T11:28:04Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-8fb549868e200ff44254e3891fc36f7102575073-652x140-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"8N6Lv6ysaYumMDtmg695p6bSF3kva05ah2z-44bZwubU5jzh-ZRfjB0iJcHOs8tGsl1HFuEg2hIEBgT6YYwzVA9GMkBti1cM53ek4taOzADvSSX5gkzGBYmg1j54cV0ssy30qnpDZ_hJ_9wC0p1NwQk","size":"large","title":"8N6Lv6ysaYumMDtmg695p6bSF3kva05ah2z-44bZwubU5jzh-ZRfjB0iJcHOs8tGsl1HFuEg2hIEBgT6YYwzVA9GMkBti1cM53ek4taOzADvSSX5gkzGBYmg1j54cV0ssy30qnpDZ_hJ_9wC0p1NwQk - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/8fb549868e200ff44254e3891fc36f7102575073-652x140.png"},{"_key":"d79b8d77-b86c-4973-823c-f8722ab24918","_type":"block","children":[{"_key":"fa6b3f6a-3d72-48dc-ba42-7030d1388450","_type":"span","marks":[],"text":"Let's break down what this user story entails. We want to apply a policy on the backend pods that only allows ingress traffic from the frontend pod and egress traffic to the database pods and the external domain name pattern "},{"_key":"6562de38-d4df-4fe5-8bb5-818e0c70d62e","_type":"span","marks":["em"],"text":"*.cloud.google.com"},{"_key":"13dcb369-cca3-4c0c-b44b-d3cdcf75ba25","_type":"span","marks":[],"text":". "}],"markDefs":[],"style":"normal"},{"_key":"9de08cee-56a2-481a-bf02-bfbe764c164a","_type":"block","children":[{"_key":"b033fc7f-1a07-4a19-9eed-6b026f141d65","_type":"span","marks":[],"text":"We've written policy rules based on endpoints using matching pod labels in the previous user story. The wildcard domain requirement of this user story introduces a new type of ruleset, "},{"_key":"c0f113f8-97aa-4987-a9c7-6fa84fceca36","_type":"span","marks":["3f9d56da-d23c-442b-a079-ce5f5b0a2d7f"],"text":"DNS-based "},{"_key":"0d461d54-596d-4ca4-8103-18ceb8aeffe8","_type":"span","marks":[],"text":"policies. The CilumNetworkPolicy allows us to define rules based on DNS names and patterns for endpoints not managed by Cilum. The DNS names get resolved to their IP addresses. DNS-based rules are handy in scenarios where IPs change or are not known beforehand. We define the rules in the "},{"_key":"33f7b6aa-da9a-4486-a22f-af1e634954f3","_type":"span","marks":["code"],"text":"toFQDNs"},{"_key":"c1f00761-54e1-4fbf-b41a-c25fc0840e6a","_type":"span","marks":[],"text":" field of the spec. These rules can be based on DNS names using the "},{"_key":"456ab59a-0deb-4cfb-9766-3a7e84828bb0","_type":"span","marks":["code"],"text":"matchName"},{"_key":"29c3b81b-c739-45d7-8557-133179e6a457","_type":"span","marks":[],"text":" field or DNS wildcard patterns using the "},{"_key":"83d4384f-88ea-4fa0-b682-f85f111c53f2","_type":"span","marks":["code"],"text":"matchPattern"},{"_key":"5e92fcdc-7a44-42ec-9bf2-cc62bf0d334d","_type":"span","marks":[],"text":" field. "}],"markDefs":[{"_key":"3f9d56da-d23c-442b-a079-ce5f5b0a2d7f","_type":"link","href":"https://docs.cilium.io/en/stable/security/policy/language/#dns-based","openInNewTab":false}],"style":"normal"},{"_createdAt":"2024-09-30T11:27:46Z","_id":"7e3f2002-0872-7aea-e5ea-3432bc5c3149","_key":"8a551fe3-331f-490c-a275-f0b4f1623d50","_ref":"7e3f2002-0872-7aea-e5ea-3432bc5c3149","_rev":"PCAo7lqnhsEmi6r6qgFmRZ","_type":"codeBlock","_updatedAt":"2025-05-30T12:24:58Z","code":"apiVersion: cilium.io/v2\nkind: CiliumNetworkPolicy\nmetadata:\n name: backend-policy\nspec:\n endpointSelector: \n matchLabels:\n tier: backend\n ingress:\n - fromEndpoints:\n - matchLabels:\n tier: frontend\n toPorts:\n - ports:\n - port: \"80\"\n egress:\n - toEndpoints:\n - matchLabels:\n tier: database\n toPorts:\n - ports:\n - port: \"7379\"\n - toFQDNs:\n - matchPattern: \"*.cloud.google.com\"\n toPorts:\n - ports:\n - port: \"443\"\n - ports:\n - port: \"80\"\n - toEndpoints:\n - matchLabels:\n io.kubernetes.pod.namespace: kube-system\n k8s-app: kube-dns\n toPorts:\n - ports:\n - port: \"53\"\n protocol: UDP\n rules:\n dns:\n - matchPattern: \"*\"","language":"yaml","lineNumbers":"show","lineRestriction":7,"restrictHeight":true,"title":"YAML - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"dc1c6243-0519-45f4-b406-0be69073b669","_type":"block","children":[{"_key":"e239da40-ec0f-4ae4-a726-efd5153160e0","_type":"span","marks":[],"text":"For egress traffic to internal and external domain names, the pods rely on kube-dns to resolve DNS queries. We need to explicitly allow egress traffic to port 53/UDP only to kube-dns pods in the cluster."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:47Z","_id":"7c2a45d6-948e-e0c5-65c2-d59332407f2e","_key":"9675fb01-fa55-4cc5-8684-392f97d6846a","_ref":"7c2a45d6-948e-e0c5-65c2-d59332407f2e","_rev":"9px8ir0NfLa6aydsXNRdhD","_type":"codeBlock","_updatedAt":"2024-10-01T10:51:59Z","code":"kubectl apply -f backend-policy.yaml \nkubectl get cnp\n\nNAME AGE\nbackend-policy 4h28m\ndatabase-policy 4h28m","language":"bash","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"4ce0258b-074b-46b9-87e0-2bdb3800083b","_type":"block","children":[{"_key":"f1095397-3d9c-4f50-8530-134c1669e7df","_type":"span","marks":[],"text":"When we try to reach our backend pods from the database pod, the request fails because our policy doesn’t allow ingress from any other source except the frontend pods. Our egress policy only allows egress traffic to the database pods and resources in the Google Cloud domain on port 80 for HTTP and port 443 for HTTPS. Suppose a malicious workload in the container tries to exfiltrate data to an external destination, our egress policy now prevents this. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:48Z","_id":"e3a0e18d-e8ee-d8f3-3025-3831b4d72d42","_key":"5b492354-0028-40e0-b36a-b3e0837aa00b","_ref":"e3a0e18d-e8ee-d8f3-3025-3831b4d72d42","_rev":"e9qWp8BVYg77bOSczcjGTR","_type":"codeBlock","_updatedAt":"2025-05-30T13:26:12Z","code":"$$ kubectl exec database-54dddb86bf-56blf -- busybox wget -O - backend\n$ kubectl exec database-54dddb86bf-56blf -- busybox wget -O - example.com","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"701fd1c4-c3e3-4ffc-b966-1de496ee566e","_type":"block","children":[{"_key":"b5121ef2-ce89-489d-a954-c94930dea2d7","_type":"span","marks":[],"text":"Our policy now prevents our backend pods from sending egress traffic to unknown destinations while simultaneously accepting traffic from the fronted pods. Let's have a look at the network traffic flow data from Hubble when we filter on the "},{"_key":"e6e799e7-a7eb-4a3d-96fc-142142222667","_type":"span","marks":["code"],"text":"tier=database"},{"_key":"e442db84-b075-4c48-9dc5-50ebb236badf","_type":"span","marks":[],"text":" label."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:49Z","_id":"8f6476fb-3817-5443-70d2-2b05b6a4e8bb","_key":"99aaec99-826b-48f9-91ff-d0d88a148785","_ref":"8f6476fb-3817-5443-70d2-2b05b6a4e8bb","_rev":"e9qWp8BVYg77bOSczcjJOP","_type":"codeBlock","_updatedAt":"2025-05-30T13:26:20Z","code":"$$ hubble observe --from-label tier=database\n\nkube-system/coredns-5d78c9869d-mmxnp:53 (ID:941) policy-verdict:none EGRESS DENIED (UDP)\nMar 14 14:36:51.838: default/database-6fcd88f48-sr8bz:54632 (ID:29609) <> kube-system/coredns-5d78c9869d-mmxnp:53 (ID:941) Policy denied DROPPED (UDP)","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"e14deddc-2916-49af-87aa-b0b40bbd5c87","_type":"block","children":[{"_key":"17d1def4-d1cc-4d62-9c12-8365d9a5db80","_type":"span","marks":[],"text":"We see that our existing database Cilium network policy prevents egress traffic from even leaving the database pods to the backend pods "}],"markDefs":[],"style":"normal"},{"_key":"2882246b-85b3-475d-964b-a18e9484f9c3","_type":"block","children":[{"_key":"e671832a-0cbc-4f80-93fd-5ed331cd33c7","_type":"span","marks":[],"text":"When we filter on the "},{"_key":"5f1a1912-99a9-45d6-a1dc-21aa1ef6f825","_type":"span","marks":["code"],"text":"tier=backend"},{"_key":"47877c4e-4240-468c-b069-7cc671c8c916","_type":"span","marks":[],"text":" label, our backend Cilium network policy prevents egress traffic from leaving the backend pods to any other domain name apart from the one we’ve specified. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:50Z","_id":"ea742639-c606-939a-7bb7-0166eafe0ee2","_key":"15776959-97df-46d7-a561-46a4c02b4007","_ref":"ea742639-c606-939a-7bb7-0166eafe0ee2","_rev":"Ay0qd2uUQtJvWcq7ns8nao","_type":"codeBlock","_updatedAt":"2025-05-30T13:26:29Z","code":"$$ hubble observe --from-label tier=backend\n\nMar 14 14:55:13.538: default/backend-784c669968-srl9z:49770 (ID:40136) <> example.com:80 (world) Policy denied DROPPED (TCP Flags: SYN)\nMar 14 14:55:15.554: default/backend-784c669968-srl9z:49770 (ID:40136) <> example.com:80 (world) policy-verdict:none EGRESS DENIED (TCP Flags: SYN)","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"f6e8a8e7-622b-42f0-a5a4-7d604f4e3fc0","_type":"block","children":[{"_key":"7fa83e20-20e0-4b71-93cf-4c3fef315a1f","_type":"span","marks":["strong"],"text":"User Story 4 - Frontend Accepts World Ingress Traffic via TCP Only"}],"markDefs":[],"style":"h2"},{"_key":"c6d5e26f-fdf7-43e4-9393-a81fbea94ab5","_type":"block","children":[{"_key":"8b38aec0-c1c3-4469-8b88-17f9f2d142eb","_type":"span","marks":["em"],"text":"As an administrator, I want our frontend pods to be accessible from any external IP address but only on ports 80 and 443. The only protocol allowed should be TCP. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:28:02Z","_id":"1d91879e-6010-aaf4-9ba0-452e56f1ac73","_key":"ebea8ad6-2265-4515-916a-6fa78c6a0a21","_ref":"1d91879e-6010-aaf4-9ba0-452e56f1ac73","_rev":"P5GVFsWfT1LlxauxU4IaAK","_type":"mediaImage","_updatedAt":"2024-09-30T11:28:02Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-cdbf067ee56b4c082eddd04427db336f94f14052-630x129-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"Qigqk55_lhjMYlvUKJ_7VIIEf4fnK0ewJ56Oi1nBUc5Ed1yJrHrWk-1XsamRPkiGo0W5w6R7HLGjsff66zHmsYwHdu_M8MMw0TRWB9DJ94oSoZrxgdz3P4lCAavj5Jn_fKNnEouZbDAE9659Alho4Cw","size":"large","title":"Qigqk55_lhjMYlvUKJ_7VIIEf4fnK0ewJ56Oi1nBUc5Ed1yJrHrWk-1XsamRPkiGo0W5w6R7HLGjsff66zHmsYwHdu_M8MMw0TRWB9DJ94oSoZrxgdz3P4lCAavj5Jn_fKNnEouZbDAE9659Alho4Cw - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/cdbf067ee56b4c082eddd04427db336f94f14052-630x129.png"},{"_key":"538da58f-b286-44c3-afc5-2fee56bc99f4","_type":"block","children":[{"_key":"e2b2cfb8-9c71-41c4-8be1-a5a9832ab9a7","_type":"span","marks":[],"text":"For public-facing applications like our frontend pods, we can’t possibly account for every source IP/CIDR range ingress traffic will originate from. To implement the first part of this user story, we want the frontend pods to accept ingress traffic from every external IP address. Entities-based policies offer abstractions for defining rulesets in scenarios like this. Entities are used to describe remote peers which can be categorized without necessarily knowing their IP addresses. The entity that satisfies the requirement of this user story is the world entity. The world entity represents all endpoints outside the cluster. This corresponds to 0.0.0.0/0 in CIDR notation. Cilium also provides Layer 4 policies that can be specified separately or in addition to an existing Layer 3 policy. Next, the protocol requirement of this user story can be implemented with a Layer 4 policy that enforces a rule that only allows connections on the TCP protocol. "}],"markDefs":[],"style":"normal"},{"_key":"2cc45237-1258-47b2-bab0-320ac38e71b0","_type":"block","children":[{"_key":"af36905c-b360-4879-97bc-5cb149413aab","_type":"span","marks":[],"text":"We create a frontend policy file and include an entity-based policy that allows ingress traffic from every external source. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:51Z","_id":"263d0ba9-f392-0832-f18c-7e15c6411d81","_key":"aca9b323-ba60-4a72-8003-d5386e4041ff","_ref":"263d0ba9-f392-0832-f18c-7e15c6411d81","_rev":"PCAo7lqnhsEmi6r6qgFnKq","_type":"codeBlock","_updatedAt":"2025-05-30T12:25:08Z","code":"apiVersion: cilium.io/v2\nkind: CiliumNetworkPolicy\nmetadata:\n name: frontend-policy\n namespace: default\nspec:\n endpointSelector:\n matchLabels:\n tier: frontend\n ingress:\n - fromEntities:\n - world\n toPorts:\n - ports:\n - port: \"443\"\n - ports:\n - port: \"80\"\n protocol: TCP\n egress:\n - toEndpoints:\n - matchLabels:\n tier: backend\n toPorts:\n - ports:\n - port: \"80\"\n - toEndpoints:\n - matchLabels:\n io.kubernetes.pod.namespace: kube-system\n k8s-app: kube-dns\n toPorts:\n - ports:\n - port: \"53\"\n protocol: UDP\n rules:\n dns:\n - matchPattern: \"*\" ","language":"yaml","lineNumbers":"show","lineRestriction":7,"restrictHeight":true,"title":"yaml - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"8670f0c8-f22f-43f9-a013-ede9d08e7028","_type":"block","children":[{"_key":"bf3fdd8c-683b-4379-bdf5-c4de2bb94709","_type":"span","marks":[],"text":"Notice that we included an egress rule to allow traffic to the backend pods? This bidirectional rule is important when writing network policies. We allow egress traffic on the source endpoint and allow ingress traffic on the destination endpoint. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:52Z","_id":"1690128c-a1a1-1148-fc54-69f3d4ae4051","_key":"9b6c42ca-e2a4-4093-94e2-eb2c35533a65","_ref":"1690128c-a1a1-1148-fc54-69f3d4ae4051","_rev":"e9qWp8BVYg77bOSczcjLIJ","_type":"codeBlock","_updatedAt":"2025-05-30T13:26:39Z","code":"$$ kubectl apply -f frontend-policy.yaml \n$ kubectl get cnp \n\nNAME AGE\nbackend-policy 22h\ndatabase-policy 22h\nfrotnend-policy 18s","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"1d9ff8e8-f64d-403d-be8b-9000f8f52b49","_type":"block","children":[{"_key":"abc7c639-a315-474f-a9e2-f32943b86d23","_type":"span","marks":[],"text":"We can access our frontend pods externally by using the port forwarding feature from kubectl. We test that our network policy rules work as expected by opening a TCP and UDP connection then seeing if the connection goes through. "}],"markDefs":[],"style":"normal"},{"_key":"a9b81c63-49e7-4cc3-92ad-8a833b78b8a1","_type":"block","children":[{"_key":"33463deb-1d3a-4f58-88b4-1655f27b9db6","_type":"span","marks":[],"text":"To access our frontend pods externally, let's create a port forward from our cluster to our local machine."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:53Z","_id":"7cdc4213-86bd-a655-9704-a554ba9531e9","_key":"3ccb0175-6ab7-4fc0-96b4-f6ada0e40f9c","_ref":"7cdc4213-86bd-a655-9704-a554ba9531e9","_rev":"be3C7ysj1QqQyrHso4dLdd","_type":"codeBlock","_updatedAt":"2024-09-30T11:27:53Z","code":"$$ kubectl port-forward service/frontend 8000:80 ","language":"bash","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"c5a7d2df-10e7-4e9a-ab95-26e735ea5d41","_type":"block","children":[{"_key":"06db03d8-5d42-46b2-9cc5-20161543feb8","_type":"span","marks":[],"text":"We can now access our frontend service locally."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:54Z","_id":"409130f1-1efa-5bbd-4f5c-374d092ce48a","_key":"c8aa601a-2a59-4a1c-b85e-099b0bf8555f","_ref":"409130f1-1efa-5bbd-4f5c-374d092ce48a","_rev":"PCAo7lqnhsEmi6r6qgQiSn","_type":"codeBlock","_updatedAt":"2025-05-30T13:26:54Z","code":"$$ curl localhost:8000\n\n\n\nWelcome to nginx!\n\n\n\n

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and\nworking. Further configuration is required.

\n\n

For online documentation and support please refer to\nnginx.org.
\nCommercial support is available at\nnginx.com.

\n\n

Thank you for using nginx.

\n\n","lineRestriction":7,"restrictHeight":true,"title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"b572a7d0-6444-4fbb-905d-f6f295de1d53","_type":"block","children":[{"_key":"d2b1abd0-f134-4158-8f3d-416a3fdd7c37","_type":"span","marks":[],"text":"We open TCP connection with netcat and send a random message and get a valid reply"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:55Z","_id":"088251cf-53d4-bb2d-d26b-9dcb630daeb9","_key":"9eb04e0b-961b-4025-8629-2ca9550afca3","_ref":"088251cf-53d4-bb2d-d26b-9dcb630daeb9","_rev":"PCAo7lqnhsEmi6r6qgQjM4","_type":"codeBlock","_updatedAt":"2025-05-30T13:27:05Z","code":"nc localhost 8000 #send a random message \n\nHTTP/1.1 400 Bad Request\nServer: nginx/1.25.3\nDate: Wed, 14 Feb 2024 12:22:32 GMT\nContent-Type: text/html\nContent-Length: 157\nConnection: close\n\n\n400 Bad Request\n\n

400 Bad Request

nginx/1.25.3\n\n","lineRestriction":7,"restrictHeight":true,"title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"3597b031-ca69-4861-bfaa-59e3352cd769","_type":"block","children":[{"_key":"0b968333-70ec-455c-9072-23b1dd24d657","_type":"span","marks":[],"text":"When we open a UDP connection our policy prevents this and the connection is abruptly terminated. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:56Z","_id":"4e78e327-009d-d153-a1b8-046db7475293","_key":"199c4a47-6f3b-4eb3-8578-a4ebd0a5bd8d","_ref":"4e78e327-009d-d153-a1b8-046db7475293","_rev":"PCAo7lqnhsEmi6r6qgQo7f","_type":"codeBlock","_updatedAt":"2025-05-30T13:27:16Z","code":"$$ nc -u localhost 8000","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"5239a066-8a67-48c3-9895-04adca7b44f5","_type":"block","children":[{"_key":"c9c1b470-af2d-407f-a5e6-ef6c20b5feed","_type":"span","marks":["strong"],"text":"User Story 5 - Docs HTTP Route Accessible Only From Specific IP Address"}],"markDefs":[],"style":"h2"},{"_key":"0fb47102-5bad-4c1c-ab83-7e3fb7b25f8b","_type":"block","children":[{"_key":"13c21b97-e0e0-44ab-b2a6-5d0063fe08f2","_type":"span","marks":["em"],"text":"We have internal documentation for our backend Rest APIs and we auto-generate the OPEN API spec from our backend codebase and serve the UI via swagger on the "},{"_key":"42ff451888ff","_type":"span","marks":["em","code"],"text":"/docs"},{"_key":"504781526764","_type":"span","marks":["em"],"text":" HTTP route. We want this route to be accessible to developers and administrators as long as they are using our VPN."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T12:27:47Z","_id":"ec2f8b8f-85aa-407a-b1cc-88e9c5e192dd","_key":"9155a11e8e3d","_ref":"ec2f8b8f-85aa-407a-b1cc-88e9c5e192dd","_rev":"Ay0qd2uUQtJvWcq7ns3jT0","_type":"mediaImage","_updatedAt":"2025-05-30T12:28:39Z","alignment":"center","altText":{"en":"A simple graphic showing incoming traffic from the left, through a firewall to the backend on the right"},"clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-72af3d25d09b7b8813937e1a175f055485e6d3a7-642x186-png","_type":"reference"}},"languages":["en"],"offset":0,"rounded":false,"scale":0,"size":"medium","title":"Docs HTTP Route Accessible Only From Specific IP Address","url":"https://cdn.sanity.io/images/xinsvxfu/production/72af3d25d09b7b8813937e1a175f055485e6d3a7-642x186.png"},{"_key":"7ba7624c-c599-4f84-94af-04a5fb17e991","_type":"block","children":[{"_key":"af7c7633-66f2-4b42-976a-b143083cf932","_type":"span","marks":[],"text":"In addition to the CIDR-based policies we’ve seen in the previous user story, this user story introduces Layer 7 policies to satisfy the HTTP route requirement. On Layer 3, we need a CIDR rule to allow ingress traffic from 172.224.3/32 (i.e the IP address of the VPN server), and on the Layer 7 side, we need a rule that allows access to the HTTP route "},{"_key":"737fa578-1101-4b99-b0aa-afad203499d1","_type":"span","marks":["em"],"text":"/docs"},{"_key":"5ef08b64-dbff-4100-a1b8-abdf7cd5a5ca","_type":"span","marks":[],"text":" only. "}],"markDefs":[],"style":"normal"},{"_key":"cc8eb159-bff2-4683-96bc-63343d9f84cc","_type":"block","children":[{"_key":"8db2ed5a-f54b-4b00-bd6e-b99de740e33c","_type":"span","marks":[],"text":"Let’s update our existing backend policy file to include these new rulesets "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:57Z","_id":"3906e6f2-dd65-0f8a-d34b-993043e6ca83","_key":"32b22daa-c0fa-447b-9104-86f5f1307a7e","_ref":"3906e6f2-dd65-0f8a-d34b-993043e6ca83","_rev":"Ay0qd2uUQtJvWcq7ns3Xnc","_type":"codeBlock","_updatedAt":"2025-05-30T12:25:26Z","code":"$1d","language":"yaml","lineNumbers":"show","lineRestriction":7,"restrictHeight":true,"title":"yaml - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"88988cc9-9259-4749-8d0d-5cdd7d2de9da","_type":"block","children":[{"_key":"812b2227-725e-4fd5-8a4b-722f7314cb45","_type":"span","marks":["strong"],"text":"Combining Policies "}],"markDefs":[],"style":"normal"},{"_key":"967ff044-e7c6-455c-bcc6-140c536d1929","_type":"block","children":[{"_key":"d86c646a-ca7f-4370-87d9-fe7d0263203d","_type":"span","marks":[],"text":"The network policy specification dictates that the rules are logically OR'ed (not AND'ed). Following the YAML syntax, when we place rules as separate sequences(arrays/lists) indicated with the “-” symbol, they are evaluated individually as different rules. "}],"markDefs":[],"style":"normal"},{"_key":"644323e2-186c-4e0a-b515-15ee432715f0","_type":"block","children":[{"_key":"956c9884-8a34-44a2-b42f-ec17350804eb","_type":"span","marks":[],"text":"Suppose we want a policy that accepts ingress traffic from the CIDR range"},{"_key":"ffb46c10-758d-4c0b-9eba-48ee27ee0417","_type":"span","marks":["em"],"text":" 172.17.0.0/16"},{"_key":"19325635-2b2a-4425-8d77-440e931960bd","_type":"span","marks":[],"text":" on port "},{"_key":"7ecb5039-f609-4fee-ad2d-58dd552f8f4d","_type":"span","marks":["em"],"text":"443"},{"_key":"e0028321-a0b2-4323-9fa5-41d15d4223fd","_type":"span","marks":[],"text":" only. "}],"markDefs":[],"style":"normal"},{"_key":"8754430e-b309-4b8b-8c43-169d7ecba1e6","_type":"block","children":[{"_key":"a8535f8e-1a6d-4256-bdd5-06492ba5bdf8","_type":"span","marks":[],"text":"The policy below actually allows ingress traffic from the CIDR range 172.17.0.0/16 and also allows ingress traffic from any endpoints to 443. This is different from what we originally intended. By specifying the port rule with a “-” in front of it, we now have a rule that allows ingress traffic from any endpoint to our pod using port "},{"_key":"9d22257c-8c83-400c-84b1-c789ae59fe66","_type":"span","marks":["em"],"text":"443."},{"_key":"244293c6-f0ac-4e8b-abf7-feeba80cafe3","_type":"span","marks":[],"text":" "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:58Z","_id":"32f90d9a-dfa5-248f-97b1-7c95c98b75b4","_key":"654ec37c-a1dc-4428-bb9d-db0288cc5eb7","_ref":"32f90d9a-dfa5-248f-97b1-7c95c98b75b4","_rev":"e9qWp8BVYg77bOSczcW1Dh","_type":"codeBlock","_updatedAt":"2025-05-30T12:17:18Z","code":"metadata:\n name: egress-to-private-vm-443\nspec:\n endpointSelector:\n matchLabels:\n app: foo\n egress:\n - toCIDRSet:\n - cidr: 192.168.1.22/32\n - toPorts:\n - ports:\n - port: 443","language":"yaml","title":"yaml - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"10e8482b-cfbd-40ab-bccb-51e297b93210","_type":"block","children":[{"_key":"8c6760a3-8a1f-49f3-8d1e-fc85c76e649a","_type":"span","marks":[],"text":"Notice how a single extra character entirely changes how our policy is interpreted? Our policy now allows more connectivity than we originally intended. To fix this remove the “-” character in front of the port rule and nest the port rule under the toCIDRSet rule. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:27:59Z","_id":"6ad57b13-6e3b-505e-64d7-9cd2d9dcd6a9","_key":"a46557ea-c9b2-4bf0-9afb-7e4b11650074","_ref":"6ad57b13-6e3b-505e-64d7-9cd2d9dcd6a9","_rev":"Ay0qd2uUQtJvWcq7ns30BL","_type":"codeBlock","_updatedAt":"2025-05-30T12:17:25Z","code":"metadata:\n name: egress-to-private-vm-443\nspec:\n endpointSelector:\n matchLabels:\n app: foo\n egress:\n - toCIDRSet:\n - cidr: 192.168.1.22/32\n toPorts:\n - ports:\n - port: 443","language":"yaml","title":"yaml - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"28ff7fe2-cb24-4e67-9212-3c6d5fa1fd41","_type":"block","children":[{"_key":"3fe7b6b7-6d90-4d80-bf5e-679d5322bb51","_type":"span","marks":["strong"],"text":"Cleaning Up "}],"markDefs":[],"style":"normal"},{"_key":"e6bbd824-18ef-4bd0-bb96-17ca4bf9e120","_type":"block","children":[{"_key":"b2c10829-aaba-42e7-9b14-52228a953635","_type":"span","marks":[],"text":"Let's delete all the resources we’ve created so far."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:28:00Z","_id":"19d01cee-01af-7557-033d-4dcb98c01f88","_key":"d6b60474-5ccd-4ac8-8b12-4ff76406d822","_ref":"19d01cee-01af-7557-033d-4dcb98c01f88","_rev":"PCAo7lqnhsEmi6r6qgQoov","_type":"codeBlock","_updatedAt":"2025-05-30T13:27:27Z","code":"$$ kubectl delete -f https://raw.githubusercontent.com/networkpolicy/demos/main/blog-1/demo.yaml\n\n$ kubectl delete cnp frontend-policy backend-policy database-policy","title":"bash - \"Tutorial: Cilium Network Policy in Practice (Part 2)\" Code Block"},{"_key":"81a0cf63-423f-4808-ae1c-99beee072798","_type":"block","children":[{"_key":"39d459d8-a8d5-413e-9547-bd19d9693583","_type":"span","marks":["strong"],"text":"Summary"}],"markDefs":[],"style":"h2"},{"_key":"9235161d-6c9f-414d-8053-9d60cde43f62","_type":"block","children":[{"_key":"dba7959d-13db-4c85-8810-c5d9a0c9819a","_type":"span","marks":[],"text":"$1e"},{"_key":"56ee2414-e7a2-484a-a10d-887e72d25966","_type":"span","marks":["ab03dca4-a6f1-4928-8085-86adb3bff39d"],"text":"host firewall lab"},{"_key":"9382bb0b-ec20-4ba7-b1d7-a5fe88ac9bf0","_type":"span","marks":[],"text":" if you would like to learn more about this feature. "}],"markDefs":[{"_key":"ab03dca4-a6f1-4928-8085-86adb3bff39d","_type":"link","href":"/labs/cilium-host-firewall/","openInNewTab":true}],"style":"normal"},{"_key":"c9924b2b-3c2e-49b7-948c-384d5927a0d7","_type":"block","children":[{"_key":"8ea299b8-c37d-47de-b223-6d114b026b1e","_type":"span","marks":[],"text":"All the YAML manifest files used in the tutorial can be found here on "},{"_key":"9b87d4c9-307e-4dbf-8d3c-9358ab04aa77","_type":"span","marks":["a5000f99-7fb0-4f71-b696-e457102e2740"],"text":"GitHub"},{"_key":"7db6c6c0-3194-419a-9942-82f4bea93228","_type":"span","marks":[],"text":". "}],"markDefs":[{"_key":"a5000f99-7fb0-4f71-b696-e457102e2740","_type":"link","href":"https://github.com/networkpolicy/demos","openInNewTab":true}],"style":"normal"},{"_key":"d38b2009-6022-4572-bb03-a114885ef046","_type":"block","children":[{"_key":"af77dea1-f661-4759-b39f-f37e07f7d31b","_type":"span","marks":[],"text":"If you have questions or feedback:"}],"markDefs":[],"style":"normal"},{"_key":"329d52e698d5","_type":"block","children":[{"_key":"43cd8f5d545f","_type":"span","marks":[],"text":"Reach out via the network policy channel in the "},{"_key":"f4041b27dc28","_type":"span","marks":["b73dbffc42eb"],"text":"Cilium Slack"},{"_key":"9e5687325580","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"b73dbffc42eb","_type":"link","href":"https://slack.cilium.io/","isLink":false,"openInNewTab":true}],"style":"normal"},{"_key":"c5d70a20c990","_type":"block","children":[{"_key":"74e099c4e7a3","_type":"span","marks":[],"text":"Dive into Cilium using the hands-on lab, "},{"_key":"d06b1701790f","_type":"span","marks":["25fa1c8322ed"],"text":"Getting Started with Cilium"},{"_key":"b09abfcb6f5c","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"25fa1c8322ed","_type":"link","href":"/labs/getting-started-with-cilium/","openInNewTab":true}],"style":"normal"},{"_key":"f20099fa63c2","_type":"block","children":[{"_key":"95097e4d60cd","_type":"span","marks":[],"text":"Get hands-on practice with the "},{"_key":"521b294099da","_type":"span","marks":["476fba3c8564"],"text":"Network policy"},{"_key":"6251c0d9a305","_type":"span","marks":[],"text":" lab."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"476fba3c8564","_type":"link","href":"/labs/isovalent-cilium-enterprise-network-policies/?journey=security","openInNewTab":true}],"style":"normal"},{"_key":"46b6710d6138","_type":"block","children":[{"_key":"84ca3d0e4d4d","_type":"span","marks":[],"text":"Try out the host policy feature with the "},{"_key":"8deb8fb239bc","_type":"span","marks":["5f0005f5443d"],"text":"Cilium Host Firewall"},{"_key":"9625bd1a49bb","_type":"span","marks":[],"text":" lab. "}],"level":1,"listItem":"bullet","markDefs":[{"_key":"5f0005f5443d","_type":"link","href":"/labs/cilium-host-firewall/","openInNewTab":true}],"style":"normal"}],"featuredImage":["$","$L19",null,{"src":"https://cdn.sanity.io/images/xinsvxfu/production/318b3bae3f021fbe4cf348a758f4e1b96433f1e4-1200x800.png?auto=format&q=80&fit=clip&w=1080","alt":"hero.png","className":"mx-auto mb-10 w-full max-w-[72.75]","placeholder":"blur","blurDataURL":"data:image/svg+xml;base64,CiAgICA8c3ZnIHdpZHRoPSIxMDgwIiBoZWlnaHQ9IjEwODAiIHZlcnNpb249IjEuMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KICAgICAgICA8ZGVmcz4KICAgICAgICAgICAgPGxpbmVhckdyYWRpZW50IGlkPSJnIj4KICAgICAgICAgICAgPHN0b3Agc3RvcC1jb2xvcj0iI0Y2RjhGRSIgb2Zmc2V0PSIyMCUiIC8+CiAgICAgICAgICAgIDxzdG9wIHN0b3AtY29sb3I9IiNFRkY1RkYiIG9mZnNldD0iNTAlIiAvPgogICAgICAgICAgICA8c3RvcCBzdG9wLWNvbG9yPSIjRjZGOEZFIiBvZmZzZXQ9IjcwJSIgLz4KICAgICAgICAgICAgPC9saW5lYXJHcmFkaWVudD4KICAgICAgICA8L2RlZnM+CiAgICAgICAgPHJlY3Qgd2lkdGg9IjEwODAiIGhlaWdodD0iMTA4MCIgZmlsbD0iI0Y2RjhGRSIgLz4KICAgICAgICA8cmVjdCBpZD0iciIgd2lkdGg9IjEwODAiIGhlaWdodD0iMTA4MCIgZmlsbD0idXJsKCNnKSIgLz4KICAgICAgICA8YW5pbWF0ZSBocmVmPSIjciIgYXR0cmlidXRlTmFtZT0ieCIgZnJvbT0iLTEwODAiIHRvPSIxMDgwIiBkdXI9IjFzIiByZXBlYXRDb3VudD0iaW5kZWZpbml0ZSIgIC8+CiAgICA8L3N2Zz4=","width":1080,"height":1080,"priority":true}],"articleData":{"title":"Tutorial: Cilium Network Policy in Practice (Part 2)","description":"Learn how to build and deploy network policies for Kubernetes in this deep dive guide on Cilium Network Policy Tutorial.","url":"https://isovalent.com/blog/post/tutorial-cilium-network-policy","download":"$undefined","authors":[{"_createdAt":"2024-09-27T10:03:09Z","_id":"6a971ce6-ad13-a880-60fb-449643f28150","_rev":"VBrtyokWUXRuGM21ng9jyp","_type":"person","_updatedAt":"2024-09-27T12:06:52Z","bio":{"en":[{"_key":"03fdcab1-9ed4-4ec2-886a-f741547d13be","_type":"block","children":[{"_key":"69ede1ca-d53d-4c81-9035-33cf979cd551","_type":"span","marks":[],"text":"Paul is a security-focused community builder at Isovalent – the company behind Cilium & Tetragon. Before joining Isovalent, Paul worked in the startup world as a backend and infrastructure-focused software engineer using various cloud-native technologies, including Kubernetes. Paul has also worked as a software engineering trainer, designing curriculum and content to train budding software engineers.\n\nYou can find Paul hanging out in various open-source communities and speaking at conferences like the Open Source Festival. Paul enjoys swimming, cycling, and mountain biking."}],"markDefs":[],"style":"normal"}]},"company":{"_ref":"35073912-4894-4a13-89f6-caa5d58ff52d","_type":"reference"},"firstName":{"en":"Paul"},"fullName":{"en":"Paul Arah"},"headshot":{"_type":"image","asset":{"_ref":"image-bcbfb734967bb8224be8ba791efcb849bb298bd2-288x288-jpg","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"image":"https://cdn.sanity.io/images/xinsvxfu/production/bcbfb734967bb8224be8ba791efcb849bb298bd2-288x288.jpg","languages":["en"],"lastName":{"en":"Arah"},"title":{"en":"Community Builder, Security"}}]}}]}]}]}],"$undefined"]}]]