Testing with curl

kubectl create namespace netpol-demo
# netpol-pods.yaml
apiVersion: v1
kind: Pod
metadata:
  name: frontend
  namespace: netpol-demo
  labels:
    role: frontend
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["sh", "-c", "while true; do sleep 3600; done"]
---
apiVersion: v1
kind: Pod
metadata:
  name: backend
  namespace: netpol-demo
  labels:
    role: backend
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["sh", "-c", "while true; do sleep 3600; done"]
---
apiVersion: v1
kind: Pod
metadata:
  name: attacker
  namespace: netpol-demo
  labels:
    role: attacker
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["sh", "-c", "while true; do sleep 3600; done"]
kubectl apply -f netpol-pods.yaml
# wait until all three pods are Ready before exec'ing into them
kubectl wait -n netpol-demo --for=condition=Ready pod --all --timeout=60s
# start busybox httpd in the backend pod; stdout/stderr must be redirected,
# otherwise the backgrounded httpd keeps the exec pipe open and kubectl hangs
kubectl exec -n netpol-demo backend -- sh -c "nohup httpd -f -p 80 >/dev/null 2>&1 &"
# there is no Service named "backend", so the bare name does not resolve in
# cluster DNS; talk to the Pod IP instead (-T bounds the wget timeout)
BACKEND_IP=$(kubectl get pod -n netpol-demo backend -o jsonpath='{.status.podIP}')
kubectl exec -n netpol-demo frontend -- wget -qO- -T 5 "http://$BACKEND_IP"
kubectl exec -n netpol-demo attacker -- wget -qO- -T 5 "http://$BACKEND_IP"
✅ Both pods can reach backend: no NetworkPolicy selects it yet, so all pod-to-pod traffic in the namespace is allowed. (An HTTP error from httpd, which has no index.html to serve, still proves the TCP connection succeeded; only a wget timeout means packets were dropped.)

frontend may reach backend

# netpol-allow-frontend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: netpol-demo
spec:
  podSelector:
    matchLabels:
      role: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
  policyTypes:
  - Ingress
kubectl apply -f netpol-allow-frontend.yaml
BACKEND_IP=$(kubectl get pod -n netpol-demo backend -o jsonpath='{.status.podIP}')
# Gets through (allowed by the policy)
kubectl exec -n netpol-demo frontend -- wget -qO- -T 5 "http://$BACKEND_IP"
# Does NOT get through (no rule allows it; -T keeps the dropped request from hanging)
kubectl exec -n netpol-demo attacker -- wget -qO- -T 5 "http://$BACKEND_IP"
✅ frontend can still reach backend: the policy allows TCP/80 from pods labelled role=frontend.
❌ attacker gets a timeout: as soon as any Ingress policy selects a pod, every ingress connection that no rule explicitly allows is dropped. Two caveats: the policy is only enforced if the cluster's CNI plugin implements NetworkPolicy (if attacker still gets through, the API server accepted the object but nothing enforces it), and egress from backend is unaffected because policyTypes lists only Ingress.
kubectl delete ns netpol-demo
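To make the allow/deny results above reproducible without a cluster (and independent of whether the CNI enforces anything), here is an added Python model of the NetworkPolicy ingress decision; it is not code from the page. The pods and the allow-frontend policy are constructed inline to mirror the manifests above, while DEFAULT_DENY is a hypothetical extra policy that shows how a namespace-wide default deny combines additively with the allow rule. Beyond the page's four checks it also probes a port the policy does not list and a destination pod the policy does not select.

```python
"""Offline model of the NetworkPolicy ingress decision used in the demo above.

Added example (not code from the page): it re-implements the subset of the
NetworkPolicy semantics the demo relies on, so the allow/deny outcome of the
wget checks can be reasoned about without a cluster: podSelector with
matchLabels, Ingress rules with podSelector peers and TCP ports, one namespace.
Not modelled: namespaceSelector, ipBlock, matchExpressions, Egress.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    labels: dict


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels: every listed key/value must be present on the pod.
    An empty selector ({}) matches every pod, which is what makes
    `podSelector: {}` a namespace-wide default deny."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def port_matches(rule: dict, protocol: str, port: int) -> bool:
    """A rule without `ports` allows every port; otherwise one entry must match."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def peer_matches(rule: dict, src: Pod) -> bool:
    """A rule without `from` allows every source; otherwise one peer must match."""
    peers = rule.get("from")
    if not peers:
        return True
    return any("podSelector" in peer and selector_matches(peer["podSelector"], src.labels)
               for peer in peers)


def ingress_allowed(policies: list, src: Pod, dst: Pod, port: int, protocol: str = "TCP") -> bool:
    """If no Ingress policy selects dst, the pod is non-isolated and everything is
    allowed. As soon as at least one does, traffic is allowed only when some rule
    of some selecting policy matches both the source pod and the port. Policies
    are purely additive; there is no deny rule."""
    selecting = [
        p for p in policies
        if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector", {}), dst.labels)
    ]
    if not selecting:
        return True
    return any(
        peer_matches(rule, src) and port_matches(rule, protocol, port)
        for pol in selecting
        for rule in pol["spec"].get("ingress") or []
    )


# Constructed to mirror netpol-pods.yaml and netpol-allow-frontend.yaml on this page.
FRONTEND = Pod("frontend", {"role": "frontend"})
BACKEND = Pod("backend", {"role": "backend"})
ATTACKER = Pod("attacker", {"role": "attacker"})

ALLOW_FRONTEND = {  # netpol-allow-frontend.yaml
    "metadata": {"name": "allow-frontend", "namespace": "netpol-demo"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "backend"}},
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
        "policyTypes": ["Ingress"],
    },
}

DEFAULT_DENY = {  # hypothetical namespace-wide default deny, not on the page
    "metadata": {"name": "default-deny-ingress", "namespace": "netpol-demo"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def demo() -> dict:
    """Replay the four wget checks from the page plus the edge cases a reviewer
    would probe: a port the policy does not list, a pod the policy does not
    select, and how a default deny combines additively with allow-frontend."""
    before, after = [], [ALLOW_FRONTEND]
    return {
        "before_frontend": ingress_allowed(before, FRONTEND, BACKEND, 80),   # True
        "before_attacker": ingress_allowed(before, ATTACKER, BACKEND, 80),   # True
        "after_frontend": ingress_allowed(after, FRONTEND, BACKEND, 80),     # True
        "after_attacker": ingress_allowed(after, ATTACKER, BACKEND, 80),     # False
        "after_frontend_8080": ingress_allowed(after, FRONTEND, BACKEND, 8080),  # False
        "after_attacker_to_frontend": ingress_allowed(after, ATTACKER, FRONTEND, 80),  # True
        "deny_only_frontend": ingress_allowed([DEFAULT_DENY], FRONTEND, BACKEND, 80),  # False
        "deny_plus_allow_frontend": ingress_allowed([DEFAULT_DENY, ALLOW_FRONTEND], FRONTEND, BACKEND, 80),  # True
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:28} {'ALLOW' if allowed else 'DENY'}")
```

The two results the page does not show are the instructive ones: frontend on port 8080 is denied because the rule lists only TCP/80, and attacker can still reach frontend because no policy selects frontend, so that pod stays non-isolated. That is why a namespace-wide default deny (the DEFAULT_DENY object here) is usually applied first and allow rules like allow-frontend layered on top.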