Network Policy Management for EKS: Firewall Between Pods
Kubernetes has a "flat network" by default: every Pod can reach every other Pod, across Namespaces, with no filtering. That is convenient in development environments, but it is unacceptable from a security standpoint: a single compromised pod can scan and connect to every workload in the cluster, which is the opposite of Zero Trust.
On Amazon EKS you must use NetworkPolicy resources, enforced by a CNI that supports them, to control traffic between pods.
How Does Network Policy Work?
A NetworkPolicy acts like a firewall for pods. It selects a set of pods in its Namespace with a podSelector and defines where their traffic may come from (Ingress) and where it may go (Egress). Peers are described with pod labels (podSelector), Namespace labels (namespaceSelector) or CIDR ranges (ipBlock), optionally restricted to specific ports. Policies are allow-lists and additive: a pod that is not selected by any policy accepts and sends everything, while a pod selected by at least one policy for a direction only gets the traffic that some policy explicitly allows in that direction.
Network Policy Support in EKS
Historically the default EKS networking setup (the Amazon VPC CNI) did not enforce NetworkPolicy: you could create the objects, but they were silently ignored. Since VPC CNI v1.14 AWS supports Network Policy natively; it has to be enabled on the vpc-cni add-on (configuration value enableNetworkPolicy set to "true"), which also runs a network policy agent on each node. Alternatively, Calico remains a widely used option. Whichever you choose, verify enforcement before relying on it: apply a default-deny policy in a test Namespace and confirm that a previously working connection now fails. A policy that applies cleanly but changes nothing means no enforcing CNI is in place.
Example Scenario: Frontend -> Backend Access
Let's allow traffic to the Backend pods only from the Frontend pods, on port 8080, and deny everything else. Note that a bare podSelector under from only matches pods in the policy's own Namespace (my-app here); if the frontend lives elsewhere, combine it with a namespaceSelector.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-only
  namespace: my-app
spec:
  # Pods this policy applies to: the backend
  podSelector:
    matchLabels:
      app: backend
  # Only Ingress is restricted; egress from the backend stays open
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Only pods labelled app=frontend in the same namespace
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
Default Deny
To tighten security, first apply a "Default Deny" policy that denies all ingress and egress for every pod in the Namespace, then open only the permissions each workload actually needs. NetworkPolicy is namespaced, so the default-deny has to be created in every Namespace you want protected. Keep in mind that denying egress also blocks DNS, so an explicit rule allowing traffic to CoreDNS in kube-system is almost always the first allowance you add.
Network Policy is the first security layer we check for our customers receiving Kubernetes Consultancy.