Overview

This page provides an overview of how to use standard Kubernetes network policies to control network traffic within a cluster in Google Distributed Cloud (GDC) air-gapped.

A Kubernetes network policy is a standard, namespaced resource that controls traffic flow at the IP address or port level (Layer 3 or 4). Network policies use pod labels to select pods, and define rules that specify what traffic is allowed to and from those pods.

In GDC, a network policy is scoped to the cluster in which it is created. You can use it to define rules for traffic between pods and namespaces within that cluster, but its label selectors cannot select pods or namespaces in other clusters. To control traffic between clusters, use a ProjectNetworkPolicy instead; for more information, see PNP Overview. Network policies can still be used to control organization-external traffic, that is, traffic that enters or leaves the organization.

Security and connectivity

The default behavior is inherited from the project. If the base ProjectNetworkPolicy is present, traffic from within the project is allowed by default, and all other traffic is denied. Otherwise, traffic is denied by default.

GDC network policies are additive, as in standard Kubernetes. When multiple policies select the same pod, their rules are combined: traffic is allowed if it matches a rule in at least one of the applicable policies, and no policy can explicitly deny traffic. Traffic to or from a selected pod that matches none of the applicable rules for that direction is dropped, so the only way to tighten access is to remove or narrow allow rules, not to add a deny rule.
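The following manifests are an added example and are not part of the GDC documentation or product. They assume a namespace named payments with pods labelled app=api, app=web and app=db, a namespace labelled team=sre, and an external client network represented by the documentation address range 203.0.113.0/24; all of these names are illustrative. The three policies show the selection, additivity and default-deny behaviour described above: the first two select the same api pods and their ingress sources are unioned, while the third isolates the same pods for egress and therefore has to allow DNS explicitly.

```yaml
# Added example, not from the GDC documentation. Namespace, label and address
# values (payments, app=api, app=web, app=db, team=sre, 203.0.113.0/24) are
# assumptions for illustration only.
---
# Policy 1: app=api pods in payments accept TCP/8443 only from app=web pods in
# the same namespace and from any pod in a namespace labelled team=sre.
# The two entries under "from" are separate list items, so they are OR'd;
# putting podSelector and namespaceSelector in one item would AND them.
# policyTypes lists only Ingress, so this policy leaves egress unrestricted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-web-and-sre
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    - namespaceSelector:
        matchLabels:
          team: sre
    ports:
    - protocol: TCP
      port: 8443
---
# Policy 2: selects the same pods and adds an organization-external source via
# ipBlock. Policies are additive, so api pods now accept 8443 from the union of
# both policies' sources; one host in the range is carved out with "except".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-external-clients
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 203.0.113.0/24
        except:
        - 203.0.113.250/32
    ports:
    - protocol: TCP
      port: 8443
---
# Policy 3: egress. Once a pod is selected by a policy that lists Egress, it may
# send only what some selecting policy allows, so DNS must be permitted
# explicitly or name resolution from the api pods breaks. kube-system is
# matched through the kubernetes.io/metadata.name label that Kubernetes sets
# on every namespace automatically. All other outbound traffic is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - podSelector:
        matchLabels:
          app: db
    ports:
    - protocol: TCP
      port: 5432
```

Apply the file with kubectl apply -f and confirm the result with kubectl describe networkpolicy -n payments, which prints the resolved pod selector and each allow rule. A useful check after applying policy 3 is to run a DNS lookup from an api pod: if it fails, the egress policy is isolating the pod and the DNS rule is not matching, typically because the cluster's DNS runs in a namespace other than the one the rule names.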

Prepare predefined roles and access

To configure Kubernetes network policies, you must have the necessary identity and access roles:

  • K8s Network Policy Admin: Manages Kubernetes network policies. Ask your Organization IAM Admin to grant you this cluster role.

What's next