{"id":14349,"date":"2019-01-10T08:49:56","date_gmt":"2019-01-10T07:49:56","guid":{"rendered":"https:\/\/www.inovex.de\/blog\/?p=14349"},"modified":"2026-03-17T07:59:33","modified_gmt":"2026-03-17T06:59:33","slug":"test-kubernetes-network-policies","status":"publish","type":"post","link":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/","title":{"rendered":"Why You Should Test Your Kubernetes Network Policies"},"content":{"rendered":"<p>Kubernetes Network Policies appear to be a relatively simple solution for controlling traffic in and to a cluster. But after looking more closely we found that they sometimes behave differently than expected. Here&#8217;s what we&#8217;ve learned.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Kubernetes-Network-Policies\"><\/span>Kubernetes Network Policies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubernetes Network Policies are the firewall rules of a Kubernetes cluster. 
Once a pod is selected by any policy, it is isolated: it only accepts the connections that some policy&#8217;s ingress rules whitelist and, if a policy of type Egress selects it, only opens the connections that some policy&#8217;s egress rules whitelist. Rules from several policies selecting the same pod are combined additively.<\/p>\n<pre class=\"lang:yaml decode:true\" title=\"nginx-policy.yaml\">kind: NetworkPolicy\r\napiVersion: networking.k8s.io\/v1\r\nmetadata:\r\n  name: access-nginx\r\nspec:\r\n  podSelector:\r\n    matchLabels:\r\n      run: nginx\r\n  ingress:\r\n  - from:\r\n    - podSelector:\r\n        matchLabels:\r\n          access: \"true\"<\/pre>\n<div class=\"page\" title=\"Page 24\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p>The policy above has no namespace in its metadata, so it is created in the namespace of the current kubectl context, <em>default<\/em> here, and it selects the pods in that namespace labelled <em>run=nginx<\/em>. It contains a single ingress rule allowing traffic from all pods in the same namespace that are labelled <em>access=true<\/em>. Applying it isolates the <em>run=nginx<\/em> pods in the default namespace for ingress: every incoming connection not covered by that rule is dropped, on every port. Egress from the nginx pods is not affected, because the policy has no egress section and therefore defaults to <code>policyTypes: [Ingress]<\/code>. There are more options when declaring Network Policies, such as selecting namespaces, CIDRs, ports or protocols, but the basic behaviour is always the same.<\/p>\n<p><strong>Except that it isn&#8217;t.<\/strong> This is how Network Policies are described by the <a href=\"https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/network-policies\/\" target=\"_blank\" rel=\"noopener\">Kubernetes docs<\/a>, but the documentation also mentions that the default networking plugin does not support Network Policies: the API server accepts and stores a NetworkPolicy object regardless, but whether it has any effect on traffic depends entirely on the network plugin. 
Instead, various network providers <a href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/declare-network-policy\/#before-you-begin\" target=\"_blank\" rel=\"noopener\">are suggested<\/a> that officially support Network Policies.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Testing-Suggested-Network-Providers\"><\/span>Testing Suggested Network Providers<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>So off we go, testing our Network Policy with some of the suggested plugins. Let&#8217;s start by following the tutorial on <a href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/declare-network-policy\/#create-an-nginx-deployment-and-expose-it-via-a-service\" target=\"_blank\" rel=\"noopener\">declaring Network Policies<\/a> on a fresh Kubernetes cluster with <a href=\"https:\/\/www.projectcalico.org\/\" target=\"_blank\" rel=\"noopener\">Calico<\/a> installed:<\/p>\n<pre class=\"lang:sh decode:true\">$ kubectl run nginx --image=nginx --replicas=2\r\ndeployment.apps\/nginx created\r\n$ kubectl expose deployment nginx --port=80\r\nservice\/nginx exposed\r\n$ kubectl run busybox --rm -ti --image=busybox \/bin\/sh\r\nIf you don't see a command prompt, try pressing enter.\r\n\/ # wget --spider --timeout=1 nginx\r\nConnecting to nginx (10.96.54.9:80)\r\n\/ #<\/pre>\n<p>So far everything works as expected. We started and exposed an nginx deployment with two replicas and a busybox pod for testing. Using <code>wget<\/code> from the busybox pod we established that traffic reaches the nginx pods through their service while no policy is in place; this is the baseline every later check is compared against. 
Now we apply the Network Policy from the tutorial and test the connection again from a pod without the <em>access<\/em> label:<\/p>\n<pre class=\"lang:sh decode:true\">$ kubectl create -f nginx-policy.yaml\r\nnetworkpolicy.networking.k8s.io\/access-nginx created\r\n$ kubectl run busybox --rm -ti --image=busybox \/bin\/sh\r\nIf you don't see a command prompt, try pressing enter.\r\n\/ # wget --spider --timeout=1 nginx\r\nConnecting to nginx (10.96.54.9:80)\r\nwget: download timed out\r\n\/ #<\/pre>\n<p>That worked out well! The download timed out, as our policy only allows connections from pods labelled <em>access=&#8220;true&#8221;<\/em>. Note that blocked packets are dropped, not rejected, so a denied connection shows up as a timeout rather than as a connection refused; without the <code>--timeout<\/code> flag the check would simply hang. Let&#8217;s start another busybox with that label and ensure that its traffic can reach the nginx pods through their service:<\/p>\n<pre class=\"lang:sh decode:true\">$ kubectl run busybox --rm -ti --labels=\"access=true\" --image=busybox \/bin\/sh\r\nIf you don't see a command prompt, try pressing enter.\r\n\/ # wget --spider --timeout=1 nginx\r\nConnecting to nginx (10.96.17.194:80)\r\n\/ #<\/pre>\n<p>This time the busybox&#8217;s download did not time out, so our Network Policy is in effect as expected. 
Let&#8217;s try the same with a new cluster using Weave Net:<\/p>\n<pre class=\"lang:sh decode:true\">$ kubectl run nginx --image=nginx --replicas=2\r\ndeployment.apps\/nginx created\r\n$ kubectl expose deployment nginx --port=80\r\nservice\/nginx exposed\r\n$ kubectl run busybox --rm -ti --image=busybox \/bin\/sh\r\nIf you don't see a command prompt, try pressing enter.\r\n\/ # wget --spider --timeout=1 nginx\r\nConnecting to nginx (10.96.34.126:80)\r\n\/ #\r\n$ kubectl create -f nginx-policy.yaml\r\nnetworkpolicy.networking.k8s.io\/access-nginx created\r\n$ kubectl run busybox --rm -ti --image=busybox \/bin\/sh\r\nIf you don't see a command prompt, try pressing enter.\r\n\/ # wget --spider --timeout=1 nginx\r\nConnecting to nginx (10.96.34.126:80)\r\n\/ #<\/pre>\n<p>Huh, Weave Net does not seem to play along. We expected the last <code>wget<\/code> above to time out, as the busybox pod did not carry the <em>access=true<\/em> label, yet the connection went through. Maybe we missed something when installing it? 
Looking at the documentation on <a href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/network-policy-provider\/weave-network-policy\/#install-the-weave-net-addon\" target=\"_blank\" rel=\"noopener\">installing the Weave Net addon for Network Policy<\/a>, it states:<\/p>\n<p style=\"padding-left: 30px;\">&#8220;The Weave Net addon for Kubernetes comes with a Network Policy Controller that automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces and configures <code>iptables<\/code> rules to allow or block traffic as directed by the policies.&#8221;<\/p>\n<p>This means that no extra installation should be required, but let&#8217;s verify it just to be sure:<\/p>\n<pre class=\"lang:sh decode:true\">$ kubectl get pods --all-namespaces -o=jsonpath=\"{..image}\" -l name=weave-net\r\ndocker.io\/weaveworks\/weave-kube:2.5.0 docker.io\/weaveworks\/weave-npc:2.5.0 [...]<\/pre>\n<p>The list of images for pods labelled <em>name=weave-net<\/em> contains weave-npc, the image of the Network Policy Controller, so it is definitely deployed.<\/p>\n<p>Another thing standing out in the above quotation is the mention of &#8220;annotations on namespaces&#8221;. This is not mentioned in the current documentation for Kubernetes Network Policies: the namespace annotation belongs to the old beta API, where isolation had to be switched on per namespace, whereas in the <code>networking.k8s.io\/v1<\/code> API a pod is isolated as soon as any policy selects it. Going through another tutorial, this time on Weave&#8217;s website, it seems like this namespace annotation feature does not work (anymore). In that tutorial the policies at least took effect, so maybe it has to do with the policies themselves.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Time-for-a-Systematic-Approach\"><\/span>Time for a Systematic Approach<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To figure out whether the policies are at fault, we want to test different kinds of policies. For this task we wrote a tool which analyses the Network Policies in the cluster and runs tests against them. 
These tests are executed by a DaemonSet whose pods enter the network namespaces of the pods affected by Network Policies and then use <code>nmap<\/code> from inside them to test the connection to the pods selected by the policies. This approach ensures that our test traffic is identical to production traffic in the cluster, without interfering with it. Entering another pod&#8217;s network namespace requires elevated privileges (host PID access and <code>CAP_SYS_ADMIN<\/code>), so such a DaemonSet belongs in a test cluster rather than in production.<\/p>\n<p>To evaluate the functionality of the two plugins we used the example Network Policies from the excellent <a href=\"https:\/\/github.com\/ahmetb\/kubernetes-network-policy-recipes\" target=\"_blank\" rel=\"noopener\">Kubernetes Network Policy Recipes<\/a>. This Git repository contains examples of Network Policies including descriptions of their effects. We extracted the manifests, setup and teardown steps from each recipe and used them as our test set. In this evaluation we skipped the recipes for external traffic, because our test tool only generates pod-to-pod traffic inside the cluster. The table below shows all tests generated for each recipe and the results for each plugin over seven test runs. Labels and namespaces prefixed with <em>thesis-mbischoff-inverted-<\/em> are generated by the tool as deliberate non-matches for the selectors in a policy, so that the negative cases (traffic that must be blocked) are covered as well. 
A checkmark (\u2713) indicates that the case always was successful, a cross (\u274c) that it always failed and tilde (~) that it sometimes failed.<\/p>\n\n<table id=\"tablepress-9\" class=\"tablepress tablepress-id-9\">\n<thead>\n<tr class=\"row-1\">\n\t<th class=\"column-1\">Test Case<\/th><th class=\"column-2\">Calico<\/th><th class=\"column-3\">Weave<\/th>\n<\/tr>\n<\/thead>\n<tbody class=\"row-striping row-hover\">\n<tr class=\"row-2\">\n\t<td class=\"column-1\"><strong>01-deny-all-traffic-to-an-application<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-3\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> app=web <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-4\">\n\t<td class=\"column-1\"><strong>02-limit-traffic-to-an-application<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-5\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> app=bookstore <\/em> <strong>can<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=api <\/em> on any port<\/td><td class=\"column-2\">~<\/td><td class=\"column-3\">~<\/td>\n<\/tr>\n<tr class=\"row-6\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> thesis-mbischoff-inverted-app=bookstore <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=api <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">~<\/td>\n<\/tr>\n<tr class=\"row-7\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with labels<em> app=bookstore <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> 
app=bookstore,role=api <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">~<\/td>\n<\/tr>\n<tr class=\"row-8\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with labels<em> thesis-mbischoff-inverted-app=bookstore <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=api <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">~<\/td>\n<\/tr>\n<tr class=\"row-9\">\n\t<td class=\"column-1\"><strong>02a-allow-all-traffic-to-an-application<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-10\">\n\t<td class=\"column-1\">Pods in namespace<em> * <\/em>with labels<em> * <\/em> <strong>can<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-11\">\n\t<td class=\"column-1\"><strong>03-deny-all-non-whitelisted-traffic-in-the-namespace<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-12\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> * <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> * <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">~<\/td>\n<\/tr>\n<tr class=\"row-13\">\n\t<td class=\"column-1\"><strong>04-deny-traffic-from-other-namespaces<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-14\">\n\t<td class=\"column-1\">Pods in namespace<em> secondary <\/em>with labels<em> * <\/em> <strong>can<\/strong> reach pods in namespace<em> secondary <\/em>with labels<em> * <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-15\">\n\t<td class=\"column-1\">Pods in 
namespace<em> thesis-mbischoff-inverted-secondary <\/em>with labels<em> * <\/em> <strong>cannot<\/strong> reach pods in namespace<em> secondary <\/em>with labels<em> * <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-16\">\n\t<td class=\"column-1\"><strong>05-allow-traffic-from-all-namespaces<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-17\">\n\t<td class=\"column-1\">Pods in namespace<em> * <\/em>with labels<em> * <\/em> <strong>can<\/strong> reach pods in namespace<em> secondary <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">~<\/td><td class=\"column-3\">~<\/td>\n<\/tr>\n<tr class=\"row-18\">\n\t<td class=\"column-1\"><strong>06-allow-traffic-from-a-namespace<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-19\">\n\t<td class=\"column-1\">Pods in namespace<em> purpose=production <\/em>with labels<em> * <\/em> <strong>can<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-20\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-purpose=production <\/em>with labels<em> * <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-21\">\n\t<td class=\"column-1\"><strong>07-allow-traffic-from-some-pods-in-another-namespace<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-22\">\n\t<td class=\"column-1\">Pods in namespace<em> team=operations <\/em>with labels<em> thesis-mbischoff-inverted-type=monitoring <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> 
app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-23\">\n\t<td class=\"column-1\">Pods in namespace<em> team=operations <\/em>with labels<em> type=monitoring <\/em> <strong>can<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-24\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-team=operations <\/em>with labels<em> thesis-mbischoff-inverted-type=monitoring <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-25\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-team=operations <\/em>with labels<em> type=monitoring <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-26\">\n\t<td class=\"column-1\"><strong>09-allow-traffic-only-to-a-port<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-27\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> role=monitoring <\/em> <strong>can<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=apiserver <\/em> on port 5000<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-28\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> thesis-mbischoff-inverted-role=monitoring <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=apiserver <\/em> on port 5000<\/td><td class=\"column-2\">\u2713<\/td><td 
class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-29\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with labels<em> role=monitoring <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=apiserver <\/em> on port 5000<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-30\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with labels<em> thesis-mbischoff-inverted-role=monitoring <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=apiserver <\/em> on port 5000<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-31\">\n\t<td class=\"column-1\"><strong>10-allowing-traffic-with-multiple-selectors<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-32\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=api <\/em> <strong>can<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u274c<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-33\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=search <\/em> <strong>can<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u274c<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-34\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> app=inventory,role=web <\/em> <strong>can<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u274c<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-35\">\n\t<td 
class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> thesis-mbischoff-inverted-app=bookstore,thesis-mbischoff-inverted-role=api <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-36\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> thesis-mbischoff-inverted-app=bookstore,thesis-mbischoff-inverted-role=search <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-37\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> thesis-mbischoff-inverted-app=inventory,thesis-mbischoff-inverted-role=web <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-38\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with labels<em> app=bookstore,role=api <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-39\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with labels<em> app=bookstore,role=search <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-40\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with 
labels<em> app=inventory,role=web <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-41\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with labels<em> thesis-mbischoff-inverted-app=bookstore,thesis-mbischoff-inverted-role=api <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-42\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with labels<em> thesis-mbischoff-inverted-app=bookstore,thesis-mbischoff-inverted-role=search <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-43\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-default <\/em>with labels<em> thesis-mbischoff-inverted-app=inventory,thesis-mbischoff-inverted-role=web <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=bookstore,role=db <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-44\">\n\t<td class=\"column-1\"><strong>11-deny-egress-traffic-from-an-application<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-45\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> app=foo <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=foo <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td><td class=\"column-3\">\u2713<\/td>\n<\/tr>\n<tr 
class=\"row-46\">\n\t<td class=\"column-1\"><strong>12-deny-all-non-whitelisted-traffic-from-the-namespace<\/strong><\/td><td class=\"column-2\"><\/td><td class=\"column-3\"><\/td>\n<\/tr>\n<tr class=\"row-47\">\n\t<td class=\"column-1\">Pods in namespace<em> default <\/em>with labels<em> * <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> * <\/em> on any port<\/td><td class=\"column-2\">\u274c<\/td><td class=\"column-3\">\u274c<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n<h3><span class=\"ez-toc-section\" id=\"Calicos-Performance\"><\/span>Calico&#8217;s Performance<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<\/div>\n<\/div>\n<\/div>\n<p>As you can see, Calico enforced the policies correctly in most cases, with only the tests for recipes 10 and 12 failing consistently. Both failures also appear for Weave Net and are caused by shortcomings of our test tool rather than of the plugins. Recipe 12 blocks all egress traffic from the namespace, so the test pod cannot reach the cluster DNS server either and fails at name resolution before a connection is even attempted. Both plugins therefore blocked DNS traffic as intended; our test simply did not distinguish a blocked connection from a failed lookup. In recipe 10, the container under test did not respond to the <code>nmap<\/code> scan type we used. This can be fixed by running several kinds of scans for each test run in the future.<\/p>\n<p>Furthermore there are two test cases for Calico which sometimes succeeded and sometimes failed. This most likely has nothing to do with the Network Policies themselves but is rather a race condition: enforcement is asynchronous, and the network plugin may not have programmed a new policy into the data plane by the time our test traffic is generated. A test harness should therefore wait for the policy to take effect, for example by retrying the probe for a bounded time, before recording a result.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Issues-with-Weave-Net\"><\/span>Issues with Weave Net<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The picture for Weave Net is very suspicious. 
Besides the two failures caused by our test tool, most cases where traffic should be blocked fail consistently, and there are more cases in which Weave Net sometimes failed. Every one of the remaining consistent failures is a <strong>cannot<\/strong> case, so the failure mode is fail-open: traffic the policy should have blocked was delivered. This prompted us to investigate our configuration, only to find an <a href=\"https:\/\/github.com\/weaveworks\/weave\/issues\/3452\" target=\"_blank\" rel=\"noopener\">issue<\/a> with our cluster setup and Weave Net. On another setup we re-ran the tests and found that only one recipe&#8217;s test cases behaved unexpectedly:<\/p>\n\n<table id=\"tablepress-11\" class=\"tablepress tablepress-id-11\">\n<thead>\n<tr class=\"row-1\">\n\t<th class=\"column-1\">Test Case<\/th><th class=\"column-2\">Weave<\/th>\n<\/tr>\n<\/thead>\n<tbody class=\"row-striping row-hover\">\n<tr class=\"row-2\">\n\t<td class=\"column-1\"><strong>07-allow-traffic-from-some-pods-in-another-namespace<\/strong><\/td><td class=\"column-2\"><\/td>\n<\/tr>\n<tr class=\"row-3\">\n\t<td class=\"column-1\">Pods in namespace<em> team=operations <\/em>with labels<em> thesis-mbischoff-inverted-type=monitoring <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-4\">\n\t<td class=\"column-1\">Pods in namespace<em> team=operations <\/em>with labels<em> type=monitoring <\/em> <strong>can<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u274c<\/td>\n<\/tr>\n<tr class=\"row-5\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-team=operations <\/em>with labels<em> thesis-mbischoff-inverted-type=monitoring <\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td>\n<\/tr>\n<tr class=\"row-6\">\n\t<td class=\"column-1\">Pods in namespace<em> thesis-mbischoff-inverted-team=operations <\/em>with labels<em> type=monitoring 
<\/em> <strong>cannot<\/strong> reach pods in namespace<em> default <\/em>with labels<em> app=web <\/em> on any port<\/td><td class=\"column-2\">\u2713<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n<p>The <code>from<\/code> entry in that recipe&#8217;s Network Policy combines a namespace selector and a pod selector in a single list item, which means a source pod has to match both: it must run in a namespace labelled <em>team=operations<\/em> and itself carry the label <em>type=monitoring<\/em>. Weave Net blocks even the one source that matches both, so unlike the failures above this one fails closed: nothing that should be blocked gets through, but the legitimate monitoring traffic is cut off too. Combining both selectors in one entry was added to the NetworkPolicy API in Kubernetes 1.11 and is <a href=\"https:\/\/github.com\/weaveworks\/weave\/issues\/3312\" target=\"_blank\" rel=\"noopener\">currently still being implemented<\/a> in Weave Net. The combined form is easy to confuse with writing the two selectors as two separate list items, which allows traffic from every pod in the selected namespaces <em>or<\/em> from <em>type=monitoring<\/em> pods in the policy&#8217;s own namespace; both are valid YAML and differ only in a dash and two spaces of indentation, so this is a case worth testing explicitly. Besides this issue, both networking solutions support the policies we tested well.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Delegating the enforcement of Kubernetes Network Policies to the network plugin means that the API server accepts a policy regardless of whether anything enforces it. While the installation of both Weave Net and Calico is usually straightforward, there might be issues that cause them not to constrain traffic as described by the policies, and in most of the cases we hit, the result was traffic flowing where it should have been blocked. Given the way the Network Policy API is specified by Kubernetes and implemented separately in each plugin, gaps between specification and implementation aren&#8217;t out of the question. 
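To pin down what the specification actually demands for a given case, it helps to have a reference model of the selection rules that does not depend on any plugin: the access-nginx policy from the beginning of the post and the recipe 07 selector can then be evaluated on paper before the cluster is asked, and the combined-selector (AND) form of recipe 07 compared directly with the two-item (OR) form it is easily mistyped as. The Python module below is such a model. It is an added example for this post, not the post's test tool and not code from Kubernetes, Calico or Weave Net. It goes a little beyond the ingress-only example above in that it also models egress policies and port lists; it uses matchLabels only (matchExpressions, ipBlock and named ports are left out), assumes a namespace called ops labelled team=operations for the recipe 07 case, and its probe_command helper reproduces the manual wget check from the beginning of the post as a kubectl one-liner so the model's verdict can be compared with a live probe.

```python
"""Reference model of the NetworkPolicy v1 selection rules (ingress and egress).
Added example for this post, not the post's test tool and not Kubernetes code. It models
podSelector/namespaceSelector with matchLabels, policyTypes and numeric port lists;
matchExpressions, ipBlock and named ports are left out (assumption). Policies are dicts
shaped like the manifests, i.e. what yaml.safe_load() returns for a NetworkPolicy."""
from dataclasses import dataclass


@dataclass
class Pod:
    namespace: str
    labels: dict


def selects(selector, labels):
    """None never matches; {} or 'matchLabels: {}' matches every pod."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """Spec default: Ingress always, Egress only if the policy has an egress section."""
    return spec.get("policyTypes", ["Ingress"] + (["Egress"] if "egress" in spec else []))


def peer_matches(peer, other, policy_ns, ns_labels):
    """One item of a from/to list. Both selectors in ONE item are ANDed; a podSelector
    on its own only reaches pods in the policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only item: not modelled here
    ns_ok = other.namespace == policy_ns if ns_sel is None else selects(ns_sel, ns_labels.get(other.namespace, {}))
    return ns_ok and (pod_sel is None or selects(pod_sel, other.labels))


def port_matches(ports, port, proto):
    """No ports list means every port; an item without 'port' means all ports of its protocol."""
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port", port) == port for p in ports)


def direction_allowed(policies, src, dst, port, proto, ns_labels, kind):
    """Ingress: look at the policies selecting dst; Egress: at those selecting src."""
    local, remote, key = (dst, src, "from") if kind == "Ingress" else (src, dst, "to")
    applying = [(p["metadata"].get("namespace", "default"), p["spec"]) for p in policies]
    applying = [(ns, spec) for ns, spec in applying if ns == local.namespace
                and kind in policy_types(spec) and selects(spec["podSelector"], local.labels)]
    if not applying:
        return True  # no policy selects the pod for this direction: it is not isolated
    for pol_ns, spec in applying:
        for rule in spec.get(kind.lower()) or []:  # 'ingress: []' or missing: nothing allowed
            peers = rule.get(key) or []            # 'from: []' or missing: every peer
            if port_matches(rule.get("ports"), port, proto) and (
                    not peers or any(peer_matches(x, remote, pol_ns, ns_labels) for x in peers)):
                return True
    return False


def allowed(policies, src, dst, port, proto="TCP", ns_labels=None):
    """True iff the spec lets src connect to dst on port/proto: the sender's egress
    policies and the receiver's ingress policies must both permit it."""
    ns_labels = ns_labels or {}
    return (direction_allowed(policies, src, dst, port, proto, ns_labels, "Egress")
            and direction_allowed(policies, src, dst, port, proto, ns_labels, "Ingress"))


def probe_command(src, service_fqdn, port):
    """The post's manual wget check for one case as a one-shot pod carrying src's labels;
    kubectl exits 0 when the connection went through and non-zero when it timed out."""
    labels = ",".join(f"{k}={v}" for k, v in sorted(src.labels.items()))
    flag = f" --labels={labels}" if labels else ""
    return (f"kubectl run probe --rm -i --restart=Never -n {src.namespace}{flag} "
            f"--image=busybox -- wget --spider --timeout=2 http://{service_fqdn}:{port}")


def policy(ns, pod_selector, **spec):
    """Shorthand for a NetworkPolicy manifest as a dict."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"namespace": ns}, "spec": {"podSelector": pod_selector, **spec}}


# Constructed policies: the post's access-nginx policy, recipe 07 in the AND form the recipe
# uses and in the OR form it is easily mistyped as, and recipe 12 (deny all egress).
OPS_NS = {"matchLabels": {"team": "operations"}}
MON_POD = {"matchLabels": {"type": "monitoring"}}
WEB = {"matchLabels": {"app": "web"}}
ACCESS_NGINX = policy("default", {"matchLabels": {"run": "nginx"}},
                      ingress=[{"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}])
RECIPE07_AND = policy("default", WEB, ingress=[{"from": [{"namespaceSelector": OPS_NS, "podSelector": MON_POD}]}])
RECIPE07_OR = policy("default", WEB, ingress=[{"from": [{"namespaceSelector": OPS_NS}, {"podSelector": MON_POD}]}])
DENY_EGRESS = policy("default", {}, policyTypes=["Egress"], egress=[])
NS_LABELS = {"default": {}, "ops": {"team": "operations"}, "kube-system": {}}  # assumed namespace labels

if __name__ == "__main__":
    nginx, web = Pod("default", {"run": "nginx"}), Pod("default", {"app": "web"})
    for src in (Pod("default", {}), Pod("default", {"access": "true"})):
        print(allowed([ACCESS_NGINX], src, nginx, 80), probe_command(src, "nginx.default.svc", 80))
    stray = Pod("ops", {"type": "other"})  # a non-monitoring pod in the operations namespace
    print("recipe 07 AND:", allowed([RECIPE07_AND], stray, web, 80, ns_labels=NS_LABELS),
          "OR:", allowed([RECIPE07_OR], stray, web, 80, ns_labels=NS_LABELS))
```

Feed it the policies of a namespace (for example from `kubectl get networkpolicy -o yaml` via yaml.safe_load) together with the pods and namespace labels of interest, then run the printed kubectl command for each case: wherever allowed() and the command's exit status disagree, you have found exactly the kind of gap between specification and implementation this post is about. Traffic the model forbids but the cluster delivers is the fail-open case from the first table; traffic the model permits but the cluster drops is the fail-closed case of recipe 07.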
If you rely on Network Policies for securing your cluster network, you should be sceptical of their enforcement and test them yourself, against the plugin and version you actually run, and repeat the test after every plugin upgrade.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Software-Versions-Used\"><\/span>Software Versions Used<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The following versions of software were used for testing:<\/p>\n<ul>\n<li>Kubernetes: v1.11.3<\/li>\n<li>Calico: v3.2<\/li>\n<li>Weave Net:\n<ul>\n<li>weave-kube:2.5.0<\/li>\n<li>weave-npc:2.5.0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>If the manual way of using <code>wget<\/code> seems too costly to you, stay tuned for our follow-up blog post introducing and publishing our tool for automatic Kubernetes Network Policy checking.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Read-on\"><\/span>Read on<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Looking for a job as Cloud Platform Engineer, Systems Engineer or something similar? Have a look at our current offerings! You can also find out more about the technologies we use on <a href=\"https:\/\/www.inovex.de\/de\/leistungen\/cloud\/\">our website<\/a>.<\/p>\n<p>This article is based on the findings of my Master&#8217;s thesis <em>Design and Implementation of a Framework for Validating Kubernetes Policies through Automatic Test Generation<\/em>. It is available for download on <a href=\"https:\/\/www.inovex.de\/de\/ueber-uns\/inovex-lab\/design-and-implementation-of-a-framework-for-validating-kubernetes-policies-through-automatic-test-generation\/\">inovex.de<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kubernetes Network Policies appear to be a relatively simple solution for controlling traffic in and to a cluster. But after looking more closely we found that they sometimes behave differently than expected. 
Here&#8217;s what we&#8217;ve learned.<\/p>\n","protected":false},"author":93,"featured_media":14902,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"ep_exclude_from_search":false,"footnotes":""},"tags":[71],"service":[423,879],"coauthors":[{"id":93,"display_name":"Maximilian Bischoff","user_nicename":"mbischoff"}],"class_list":["post-14349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-cloud","service-kubernetes","service-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Why You Should Test Your Kubernetes Network Policies - inovex GmbH<\/title>\n<meta name=\"description\" content=\"Kubernetes Network Policies appear to be a relatively simple solution for controlling traffic in and to a cluster. But after looking more closely we found that they sometimes behave differently than expected. Here&#039;s what we&#039;ve learned.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Why You Should Test Your Kubernetes Network Policies - inovex GmbH\" \/>\n<meta property=\"og:description\" content=\"Kubernetes Network Policies appear to be a relatively simple solution for controlling traffic in and to a cluster. But after looking more closely we found that they sometimes behave differently than expected. 
Here&#039;s what we&#039;ve learned.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/\" \/>\n<meta property=\"og:site_name\" content=\"inovex GmbH\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/inovexde\" \/>\n<meta property=\"article:published_time\" content=\"2019-01-10T07:49:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-17T06:59:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2018\/11\/kubernetes-network-policies.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Maximilian Bischoff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2018\/11\/kubernetes-network-policies-1024x576.png\" \/>\n<meta name=\"twitter:creator\" content=\"@inovexgmbh\" \/>\n<meta name=\"twitter:site\" content=\"@inovexgmbh\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"Maximilian Bischoff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"8\u00a0Minuten\" \/>\n\t<meta name=\"twitter:label3\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data3\" content=\"Maximilian Bischoff\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/\"},\"author\":{\"name\":\"Maximilian 
Bischoff\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/person\\\/7237fd7d2332686529c05a68d3bb5e86\"},\"headline\":\"Why You Should Test Your Kubernetes Network Policies\",\"datePublished\":\"2019-01-10T07:49:56+00:00\",\"dateModified\":\"2026-03-17T06:59:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/\"},\"wordCount\":1280,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2018\\\/11\\\/kubernetes-network-policies.png\",\"keywords\":[\"Cloud\"],\"articleSection\":[\"English Content\",\"General\",\"Infrastructure\"],\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/\",\"name\":\"Why You Should Test Your Kubernetes Network Policies - inovex GmbH\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2018\\\/11\\\/kubernetes-network-policies.png\",\"datePublished\":\"2019-01-10T07:49:56+00:00\",\"dateModified\":\"2026-03-17T06:59:33+00:00\",\"description\":\"Kubernetes Network Policies appear to be a relatively simple solution for controlling 
traffic in and to a cluster. But after looking more closely we found that they sometimes behave differently than expected. Here's what we've learned.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/#breadcrumb\"},\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2018\\\/11\\\/kubernetes-network-policies.png\",\"contentUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2018\\\/11\\\/kubernetes-network-policies.png\",\"width\":1920,\"height\":1080,\"caption\":\"An old-timey scroll on a cyber background representing Kubernetes Network Policies\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/test-kubernetes-network-policies\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Why You Should Test Your Kubernetes Network Policies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/\",\"name\":\"inovex 
GmbH\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#organization\",\"name\":\"inovex GmbH\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/inovex-logo-16-9-1.png\",\"contentUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/inovex-logo-16-9-1.png\",\"width\":1921,\"height\":1081,\"caption\":\"inovex GmbH\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/inovexde\",\"https:\\\/\\\/x.com\\\/inovexgmbh\",\"https:\\\/\\\/www.instagram.com\\\/inovexlife\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/inovex\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC7r66GT14hROB_RQsQBAQUQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/person\\\/7237fd7d2332686529c05a68d3bb5e86\",\"name\":\"Maximilian Bischoff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/maxi-bischoff-w-96x96.pnge53c8b418fd0f6a97848f757b9c91dc2\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/maxi-bischoff-w-96x96.png\",\"contentUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/maxi-bischoff-w-96x96.png\",\"caption\":\"Maximilian 
Bischoff\"},\"description\":\"Als Cloud Platform Engineer baut Maximilian Bischoff Infrastruktur f\u00fcr verteilte Applikationen und automatisiert deren Deployment und Operations.\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/author\\\/mbischoff\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Why You Should Test Your Kubernetes Network Policies - inovex GmbH","description":"Kubernetes Network Policies appear to be a relatively simple solution for controlling traffic in and to a cluster. But after looking more closely we found that they sometimes behave differently than expected. Here's what we've learned.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/","og_locale":"de_DE","og_type":"article","og_title":"Why You Should Test Your Kubernetes Network Policies - inovex GmbH","og_description":"Kubernetes Network Policies appear to be a relatively simple solution for controlling traffic in and to a cluster. But after looking more closely we found that they sometimes behave differently than expected. 
Here's what we've learned.","og_url":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/","og_site_name":"inovex GmbH","article_publisher":"https:\/\/www.facebook.com\/inovexde","article_published_time":"2019-01-10T07:49:56+00:00","article_modified_time":"2026-03-17T06:59:33+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/www.inovex.de\/wp-content\/uploads\/2018\/11\/kubernetes-network-policies.png","type":"image\/png"}],"author":"Maximilian Bischoff","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.inovex.de\/wp-content\/uploads\/2018\/11\/kubernetes-network-policies-1024x576.png","twitter_creator":"@inovexgmbh","twitter_site":"@inovexgmbh","twitter_misc":{"Verfasst von":"Maximilian Bischoff","Gesch\u00e4tzte Lesezeit":"8\u00a0Minuten","Written by":"Maximilian Bischoff"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/#article","isPartOf":{"@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/"},"author":{"name":"Maximilian Bischoff","@id":"https:\/\/www.inovex.de\/de\/#\/schema\/person\/7237fd7d2332686529c05a68d3bb5e86"},"headline":"Why You Should Test Your Kubernetes Network Policies","datePublished":"2019-01-10T07:49:56+00:00","dateModified":"2026-03-17T06:59:33+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/"},"wordCount":1280,"commentCount":1,"publisher":{"@id":"https:\/\/www.inovex.de\/de\/#organization"},"image":{"@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2018\/11\/kubernetes-network-policies.png","keywords":["Cloud"],"articleSection":["English 
Content","General","Infrastructure"],"inLanguage":"de","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/","url":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/","name":"Why You Should Test Your Kubernetes Network Policies - inovex GmbH","isPartOf":{"@id":"https:\/\/www.inovex.de\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/#primaryimage"},"image":{"@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2018\/11\/kubernetes-network-policies.png","datePublished":"2019-01-10T07:49:56+00:00","dateModified":"2026-03-17T06:59:33+00:00","description":"Kubernetes Network Policies appear to be a relatively simple solution for controlling traffic in and to a cluster. But after looking more closely we found that they sometimes behave differently than expected. 
Here's what we've learned.","breadcrumb":{"@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/#breadcrumb"},"inLanguage":"de","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/"]}]},{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/#primaryimage","url":"https:\/\/www.inovex.de\/wp-content\/uploads\/2018\/11\/kubernetes-network-policies.png","contentUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2018\/11\/kubernetes-network-policies.png","width":1920,"height":1080,"caption":"An old-timey scroll on a cyber background representing Kubernetes Network Policies"},{"@type":"BreadcrumbList","@id":"https:\/\/www.inovex.de\/de\/blog\/test-kubernetes-network-policies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inovex.de\/de\/"},{"@type":"ListItem","position":2,"name":"Why You Should Test Your Kubernetes Network Policies"}]},{"@type":"WebSite","@id":"https:\/\/www.inovex.de\/de\/#website","url":"https:\/\/www.inovex.de\/de\/","name":"inovex GmbH","description":"","publisher":{"@id":"https:\/\/www.inovex.de\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inovex.de\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"de"},{"@type":"Organization","@id":"https:\/\/www.inovex.de\/de\/#organization","name":"inovex GmbH","url":"https:\/\/www.inovex.de\/de\/","logo":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.inovex.de\/de\/#\/schema\/logo\/image\/","url":"https:\/\/www.inovex.de\/wp-content\/uploads\/2021\/03\/inovex-logo-16-9-1.png","contentUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2021\/03\/inovex-logo-16-9-1.png","width":1921,"height":1081,"caption":"inovex 
GmbH"},"image":{"@id":"https:\/\/www.inovex.de\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/inovexde","https:\/\/x.com\/inovexgmbh","https:\/\/www.instagram.com\/inovexlife\/","https:\/\/www.linkedin.com\/company\/inovex","https:\/\/www.youtube.com\/channel\/UC7r66GT14hROB_RQsQBAQUQ"]},{"@type":"Person","@id":"https:\/\/www.inovex.de\/de\/#\/schema\/person\/7237fd7d2332686529c05a68d3bb5e86","name":"Maximilian Bischoff","image":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.inovex.de\/wp-content\/uploads\/2021\/04\/maxi-bischoff-w-96x96.pnge53c8b418fd0f6a97848f757b9c91dc2","url":"https:\/\/www.inovex.de\/wp-content\/uploads\/2021\/04\/maxi-bischoff-w-96x96.png","contentUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2021\/04\/maxi-bischoff-w-96x96.png","caption":"Maximilian Bischoff"},"description":"Als Cloud Platform Engineer baut Maximilian Bischoff Infrastruktur f\u00fcr verteilte Applikationen und automatisiert deren Deployment und Operations.","url":"https:\/\/www.inovex.de\/de\/blog\/author\/mbischoff\/"}]}},"_links":{"self":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/14349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/users\/93"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/comments?post=14349"}],"version-history":[{"count":3,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/14349\/revisions"}],"predecessor-version":[{"id":66528,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/14349\/revisions\/66528"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media\/14902"}],"wp:attachment":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media?parent=14349"}],"wp:term
":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/tags?post=14349"},{"taxonomy":"service","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/service?post=14349"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/coauthors?post=14349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}