azure-npm
The azure-npm Network Policy plugin implements the Kubernetes Network Policy specification.
The plugin is available on the Linux platform. Windows support is planned.
Azure-NPM serves as a distributed firewall for the Kubernetes cluster, and it can be controlled with kubectl.
Running the command below will bring up one azure-npm instance on each Kubernetes node.
```
kubectl apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/azure-npm.yaml
```
Now you can secure your Kubernetes cluster with Azure-NPM by applying Kubernetes network policies.
azure-npm can be built directly from the source code in this repository.
```
make azure-npm
make azure-npm-image
make azure-npm-archive
```
The first command builds the azure-npm executable. The second command builds the azure-npm docker image. The third command builds the azure-npm binary and places it in a tar archive. The binaries are placed in the output directory.
The Microsoft docs have a detailed step-by-step example of how to use Kubernetes network policies:
- Deny all inbound traffic to a pod
- Allow inbound traffic based on a pod label
- Allow traffic only from within a defined namespace
azure-npm translates Kubernetes network policies into a set of iptables rules under the hood.
When azure-npm isn't working as expected, try deleting all network policies and applying them again.
It is also good practice to merge all network policies targeting the same set of pods/labels into one YAML file. This keeps the number of network policies to a minimum, which makes troubleshooting easier for operators.
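As an added example of the merging advice above (not code from the azure-npm project), the following Python groups NetworkPolicy manifests, represented as the dicts yaml.safe_load_all() would return, by namespace, podSelector and policyTypes and unions their rules into one policy per group; it assumes every manifest states policyTypes explicitly, and the sample manifests are constructed.

```python
# Added example, not azure-npm project code: merge NetworkPolicy manifests that
# select the same pods into one policy per pod selector (the advice above).
import json

def _group_key(policy):
    # Merge only on identical namespace, podSelector and policyTypes: these decide
    # which pods are isolated and in which direction (policyTypes assumed explicit).
    meta, spec = policy["metadata"], policy["spec"]
    return json.dumps({"ns": meta.get("namespace", "default"),
                       "sel": spec.get("podSelector", {}),
                       "types": sorted(spec.get("policyTypes", ["Ingress"]))}, sort_keys=True)

def merge_network_policies(policies):
    """One NetworkPolicy per (namespace, podSelector, policyTypes) group. Kubernetes
    unions the rules of every policy selecting a pod, so concatenating the rule lists
    (minus exact duplicates) preserves the effective policy; no rules stays deny-all."""
    groups = {}
    for pol in policies:
        groups.setdefault(_group_key(pol), []).append(pol)
    merged = []
    for members in groups.values():
        first = members[0]
        spec = {"podSelector": first["spec"].get("podSelector", {}),
                "policyTypes": sorted(first["spec"].get("policyTypes", ["Ingress"]))}
        for field in (t.lower() for t in spec["policyTypes"]):  # "ingress" / "egress"
            spec[field] = []
            for rule in (r for m in members for r in (m["spec"].get(field) or [])):
                if rule not in spec[field]:
                    spec[field].append(rule)
        merged.append({"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                       "metadata": {"name": "-".join(m["metadata"]["name"] for m in members),
                                    "namespace": first["metadata"].get("namespace", "default")},
                       "spec": spec})
    return merged

def _np(name, app, ingress=None):
    # Constructed sample manifests: Ingress-only policies in namespace "default".
    spec = {"podSelector": {"matchLabels": {"app": app}}, "policyTypes": ["Ingress"]}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}

# The deny-all and allow-by-label policies for app=web collapse into one; app=db stays.
SAMPLE_POLICIES = [
    _np("web-deny-all", "web"),
    _np("web-allow-frontend", "web", [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}]),
    _np("db-deny-all", "db"),
]
```

Running `merge_network_policies(SAMPLE_POLICIES)` yields two policies: one for app=web whose only ingress rule is the allow-from-frontend rule, and the untouched deny-all for app=db.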