[TC_35] Enforcement of Ingress and Egress Network Policies in Kubernetes

[jchmielewska]

Objective:

• To validate the enforcement of ingress and egress network policies for pods in the Kubernetes environment.

Preconditions:

• NebulOuS core is running.
• Kubernetes cluster with network policies is integrated with NebulOuS.

Steps:

1. Action:

• Define and apply an ingress network policy for a pod (e.g., nginx-pod) that allows traffic only from a certain namespace (e.g., internal) on a specific port (e.g., 80).

Expected result:

• The ingress policy is successfully applied. nginx-pod should only accept traffic on port 80 from pods within the internal namespace.

2. Action:

• Test the ingress policy by sending traffic to nginx-pod from a pod within the internal namespace and then from a pod outside this namespace.

Expected result:

• Traffic from the pod within the internal namespace reaches nginx-pod. Traffic from the pod outside the internal namespace is blocked, and an attempt is logged.

3. Action:

• Define and apply an egress network policy for another pod (e.g., backend-pod) that restricts outbound traffic to a specific external IP address range.

Expected result:

• The egress policy is successfully applied. backend-pod can only initiate outbound traffic to the specified IP address range.

4. Action:

• Test the egress policy by attempting to connect from backend-pod to an allowed external IP address and then to a disallowed IP address.

Expected result:

• Connections to the allowed IP address are successful.
• Attempts to connect to disallowed IP addresses are blocked and logged.

[jchmielewska]

• for automation

[jchmielewska]

for the 2nd release