Creating a Cluster Network Policy

This page explains how to configure network policies in Kubernetes Engine.

Overview

You can use Kubernetes Engine's network policy enforcement to control the communication between your cluster's Pods and Services. To define a network policy on Kubernetes Engine, you can use the Kubernetes Network Policy API to create Pod-level firewall rules. These firewall rules determine which Pods and Services can access one another inside your cluster.

Defining network policy helps you enable things like defense in depth when your cluster is serving a multi-level application. For example, you can create a network policy to ensure that a compromised front-end service in your application cannot communicate directly with a billing or accounting service several levels down.

Network policy can also make it easier for your application to host data from multiple users simultaneously. For example, you can provide secure multi-tenancy by defining a tenant-per-namespace model. In such a model, network policy rules can ensure that Pods and Services in a given namespace cannot access other Pods or Services in a different namespace.
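The two policies below are an added example (not from this page) showing both patterns just described: tenant isolation for a namespace, and keeping a compromised front end away from a billing tier. The namespace "tenant-a" and the Pod labels tier=frontend, tier=orders and tier=billing are assumed names.

```yaml
# Added example (not from this page): two NetworkPolicy objects for a
# namespace "tenant-a" running a three-tier app whose Pods carry the
# labels tier=frontend, tier=orders and tier=billing (names assumed).
---
# Policy 1, tenant isolation: every Pod in tenant-a except the billing
# tier accepts ingress only from Pods in the same namespace. An empty
# podSelector under "from" matches all Pods in the policy's namespace;
# traffic from other namespaces matches no rule and is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: tenant-a
spec:
  podSelector:
    matchExpressions:
    - key: tier
      operator: NotIn
      values: ["billing"]
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
---
# Policy 2, defense in depth: billing Pods accept ingress only from the
# orders tier, and only on TCP 8443. Because a connection is allowed as
# soon as any policy selecting the target Pod permits it, billing must
# be excluded from Policy 1 above; otherwise the same-namespace rule
# would still let a compromised frontend reach billing directly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: billing-from-orders-only
  namespace: tenant-a
spec:
  podSelector:
    matchLabels:
      tier: billing
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: orders
    ports:
    - protocol: TCP
      port: 8443
```

After applying both, frontend can still reach orders, orders can reach billing on 8443, and frontend-to-billing and cross-namespace ingress are denied; verify with a test Pod and a simple TCP connect rather than trusting the manifest alone.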

Using network policy enforcement

To enable or disable network policy enforcement, you can use the gcloud command-line tool, the Kubernetes Engine REST API, or the Google Cloud Platform Console.

Once you have enabled network policy in your cluster, you can create a network policy using the Kubernetes Network Policy API.

You can enable network policy enforcement when you create a Kubernetes Engine cluster or enable it for an existing cluster. You can also disable network policy for an existing cluster.

Enabling network policy enforcement

Console

  1. Visit the Kubernetes Engine menu in the Google Cloud Platform Console.


  2. Click Create cluster.

  3. Configure your cluster as desired. Then, from the Network policy drop-down menu, select Enabled.
  4. Click Create.

gcloud

To enable network policy enforcement when creating a new cluster using the gcloud command-line tool, run the gcloud beta container clusters create command with the --enable-network-policy flag:

gcloud beta container clusters create [CLUSTER] --project=[PROJECT-ID] \
    --zone=[ZONE] --enable-network-policy

Enabling network policy enforcement for an existing cluster with the gcloud command-line tool is a two-step process. First, run the gcloud beta container clusters update command with the --update-addons flag:

gcloud beta container clusters update [CLUSTER] --project=[PROJECT-ID] \
    --zone=[ZONE] --update-addons=NetworkPolicy=ENABLED

Then, run the gcloud beta container clusters update command with the --enable-network-policy flag. This command causes your cluster's node pools to be recreated with network policy enabled:

gcloud beta container clusters update [CLUSTER] --project=[PROJECT-ID] \
    --zone=[ZONE] --enable-network-policy

API

To enable network policy using the Kubernetes Engine API, specify the networkPolicy object inside the cluster object that you provide to projects.zones.clusters.create or projects.zones.clusters.update.

The networkPolicy object requires an enum that specifies which network policy provider to use, and a boolean that specifies whether to enable network policy. If you enable network policy but do not set the provider, the create and update commands return an error. Currently, the only valid provider value is CALICO.

Disabling network policy enforcement

Console

  1. Visit the Kubernetes Engine menu in the Google Cloud Platform Console.


  2. Select the desired cluster.

  3. Click Edit.
  4. From the Network policy for nodes drop-down menu, select Disabled.
  5. Click Save. Then, click Edit again.
  6. From the Network policy for master drop-down menu, select Disabled.
  7. Click Save.

gcloud

To disable network policy enforcement for an existing cluster using the gcloud command-line tool, run the gcloud beta container clusters update command with the --no-enable-network-policy flag:

gcloud beta container clusters update [CLUSTER] --project=[PROJECT-ID] \
    --zone=[ZONE] --no-enable-network-policy

API

To disable network policy enforcement for an existing cluster using the Kubernetes Engine API, specify the networkPolicy object inside the cluster object that you provide to projects.zones.clusters.update. Inside the networkPolicy object, set the boolean enabled value to false.

Creating a network policy

Once you have enabled network policy enforcement for your cluster, you'll need to define the actual network policy. You define the network policy using the Kubernetes Network Policy API. This API is a Beta feature in Kubernetes versions 1.7 and higher.

For further details on creating a network policy, see the following topics in the Kubernetes documentation:

Temporarily overriding network policy

You can temporarily disable network policy enforcement on your cluster in case of issues or extraordinary circumstances. For more information, refer to Tigera's documentation on overriding Calico policy.

Overhead, limitations, and caveats

Enabling network policy enforcement consumes additional resources on your cluster nodes. Specifically, it increases the memory footprint of the kube-system process by approximately 128 MB, and requires approximately 300 millicores of CPU.

Limitations and Requirements

  • Your cluster must have at least 2 nodes of type n1-standard-1 or higher. The recommended minimum size cluster to run network policy enforcement is 3 n1-standard-1 instances.
  • Network policy is not supported for clusters whose nodes are f1-micro or g1-small instances, as the resource requirements are too high for instances of that size.

For more information about node machine types and allocatable resources, refer to Cluster Architecture - Nodes.
