Kubernetes Network Policy: Allow DNS Resolution for Both Internal and External Services, Block All Other Traffic

Allowing DNS resolution for both internal and external services while blocking all other traffic narrows a pod's egress to the one protocol it needs for name lookups. With this setup, pods can still resolve names such as google.com (external) and kubernetes.default.svc.cluster.local (internal), while HTTP, HTTPS, and all other non-DNS egress traffic is blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-only
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
Explanation:
podSelector: The empty selector {} selects all pods in the default namespace.
policyTypes: Specifies that the policy applies only to egress traffic; ingress to these pods is not changed by this policy.
egress: Allows traffic to port 53 (DNS) over both UDP and TCP. Because the rule has no to: selector, port 53 is allowed to any destination, which is what lets resolution work for both internal and external domains.
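As an added example (not from the original page), the same policy narrowed so that port 53 is reachable only on the cluster DNS pods rather than on any address; it assumes Kubernetes 1.22 or later (for the automatic kubernetes.io/metadata.name namespace label) and CoreDNS pods labelled k8s-app: kube-dns in kube-system, as in a default deployment.

```yaml
# Added example, not part of the original page: a tighter variant of allow-dns-only.
# The original rule has no "to:" selector, so any host on port 53, inside or
# outside the cluster, is reachable. This version limits DNS egress to the
# cluster DNS pods, which still resolve external names (google.com) on the
# pod's behalf through their upstream forwarders.
# Assumptions: Kubernetes 1.22+ (kubernetes.io/metadata.name label exists) and
# DNS pods carrying the label k8s-app: kube-dns in the kube-system namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-to-cluster-dns-only
  namespace: default
spec:
  podSelector: {}          # every pod in the default namespace
  policyTypes:
  - Egress                 # ingress to these pods is not affected
  egress:
  - to:
    # namespaceSelector and podSelector in the same list item are ANDed:
    # the peer must be a kube-dns pod AND live in kube-system.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

With this variant the nslookup check below still succeeds, because CoreDNS performs the upstream lookup, while a pod can no longer send port-53 traffic directly to an arbitrary external resolver.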
Testing the Policy:
Create a test pod:
kubectl run dns-tester --image=busybox --restart=Never -- sleep 3600
Open a shell in the dns-tester pod and test external DNS resolution (e.g., google.com):
kubectl exec -it dns-tester -- sh
nslookup google.com
DNS resolution for external domains (e.g., google.com) should succeed.
Test HTTP/HTTPS (Should Fail):
wget http://google.com
Accessing websites over HTTP or HTTPS should fail, as only DNS resolution is allowed, and all other traffic is blocked.
Deleting Pod and Network Policy:
kubectl delete pod dns-tester
kubectl delete networkpolicy allow-dns-only -n default