Deploying and Managing Services Using Rancher Manager - Part II
Network Policies using Rancher
We are deploying our services using public IPs. For example, Harbor, Gitea, and Rancher Manager are reachable on their public IPs and on a domain provided by sslip. For security reasons, this is not the best practice: in a production environment you would use a private network and expose only the necessary services to the public. At this level, and with this setup, what we can do is use Kubernetes Network Policies to restrict the traffic that reaches the services.
ℹ️ NetworkPolicies are the Kubernetes way to control traffic flow at the IP address or port level. They let you specify rules for traffic within the cluster, between Pods, and between Pods and the outside world.
NetworkPolicies allow you to define rules for the TCP, UDP, and SCTP protocols, specifying how pods are allowed to communicate with various network entities using selectors such as podSelector, namespaceSelector, and IP blocks. These policies apply to both ingress and egress traffic, and they are additive: there is no notion of a policy conflict in Kubernetes, so a connection is allowed if any policy that selects the pod allows it.
Let's see an example. This is what we want to achieve:
- Allow external traffic to the `gitea` pods from your personal local computer (to use the web UI) and from the `workspace` server (to use the SSH service).
- Same thing for the `harbor` pods.
- Same thing for the Rancher Manager UI.
Since we are accessing our services using their public IPs, the traffic is considered external and is routed through the Ingress Controller, that is, it enters the cluster at the Traefik level. The NetworkPolicy should therefore be applied at the same level (on the Traefik pods) to allow or block the incoming traffic.
Let's start by following these steps:
- Select the `local` cluster.
- Click on `More Resources` and then `Network Policies`.
- Click on `Create` to add a new NetworkPolicy.
- Fill in the following details:
  - Namespace: `kube-system`.
  - Name: `traefik-external-traffic`.
- In the `Ingress Rules` section, tick the `Configure ingress rules to restrict incoming traffic` checkbox.
- Add a new rule (`Source` -> `Add allowed traffic source`) of type `IP block`. Here you need to add the list of allowed CIDRs. In our case, we need to add the following:
  - Your local machine IP CIDR, to access the Gitea service (get the address with `curl -s ifconfig.me`).
  - The `workspace` server IP CIDR.
  - Each node IP in our RKE2 cluster (optional at this level).
- In the `Selectors` section, add the following label rule: `app.kubernetes.io/name` -> `in list` -> `traefik`. The selector should match the pod of the Ingress Controller (`traefik-xxxxxxxxx-xxxx`).
- Click on `Create` to create the NetworkPolicy.
Note that you should use a valid CIDR format when adding the IP addresses. For example, if your local machine public IP is w.x.y.z, you should add w.x.y.z/32 to allow only that specific IP address.
A faster way to get the same result is to apply the YAML definition directly and bypass the UI. You can run the following from the workspace machine after replacing the variables with the correct values (we will use the UI; this is just for demonstration purposes):
SSH into the workspace server:
```bash
ssh root@$WORKSPACE_PUBLIC_IP
```
Export the public IP address of your local machine:
```bash
export LOCAL_MACHINE_PUBLIC_IP=   # paste the address returned by `curl -s ifconfig.me` on your local machine
```
Run this from the workspace server (the `cidr` entries are the same allow-list as in the UI steps; add one more `ipBlock` per RKE2 node IP if you want them too):
```bash
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: traefik-external-traffic
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: traefik   # selects the Traefik ingress controller pods
  ingress:
    - from:
        - ipBlock:
            cidr: ${LOCAL_MACHINE_PUBLIC_IP}/32   # your local machine only
        - ipBlock:
            cidr: ${WORKSPACE_PUBLIC_IP}/32       # the workspace server only
EOF
```
End-to-End Kubernetes with Rancher, RKE2, K3s, Fleet, Longhorn, and NeuVector: the full journey from nothing to production.
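As an added example (not part of the original page, and not the course's own code), the following Python script generates the same NetworkPolicy manifest from a list of allowed sources while enforcing the CIDR rule from the note above: a bare address becomes a /32, a prefix with host bits set is rejected instead of being silently widened, and a 0.0.0.0/0 block is refused because it would turn the allow-list into "allow everyone". It then emulates the `ipBlock` matching (including `except` ranges) so you can check which client addresses the policy would admit before applying it. The label and policy name come from the steps above; the sample addresses 203.0.113.10 and 198.51.100.0/24 are constructed documentation values.

```python
"""Build and sanity-check a NetworkPolicy that admits only listed sources to
the Traefik ingress pods. Example code added for this page, not the course's
own; sample IPs are constructed."""
import ipaddress
import json

# Label used in the page's selector step to pick the Traefik ingress pods.
TRAEFIK_SELECTOR = {"app.kubernetes.io/name": "traefik"}


def to_cidr(source: str) -> str:
    """Normalise one allowed source to strict CIDR form.

    A bare address becomes a single-host prefix (/32 or /128). A network with
    host bits set raises ValueError rather than being widened, and a zero-length
    prefix is refused because it would admit every address on the internet.
    """
    if "/" not in source:
        source += "/128" if ":" in source else "/32"
    net = ipaddress.ip_network(source, strict=True)  # raises on e.g. 10.0.0.1/24
    if net.prefixlen == 0:
        raise ValueError(f"{source} admits the whole internet; refusing")
    return str(net)


def build_policy(allowed_sources, name="traefik-external-traffic", namespace="kube-system"):
    """Return the NetworkPolicy manifest as a dict; json.dumps() of it is valid YAML."""
    ip_blocks = [{"ipBlock": {"cidr": to_cidr(s)}} for s in allowed_sources]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": dict(TRAEFIK_SELECTOR)},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": ip_blocks}],
        },
    }


def is_admitted(policy, client_ip: str) -> bool:
    """Emulate ipBlock semantics for one client address.

    Rules are additive: the client is admitted if any ingress rule matches.
    A rule without a `from` list matches every source. An ipBlock matches when
    the address is inside `cidr` and inside none of its `except` ranges.
    Anything unmatched is denied, because the policy selects the pod.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in policy["spec"].get("ingress", []):
        if "from" not in rule:
            return True
        for peer in rule["from"]:
            block = peer.get("ipBlock")
            if not block:
                continue  # podSelector/namespaceSelector peers are out of scope here
            if ip in ipaddress.ip_network(block["cidr"]) and not any(
                ip in ipaddress.ip_network(ex) for ex in block.get("except", [])
            ):
                return True
    return False


if __name__ == "__main__":
    # Constructed stand-ins for the local machine and workspace server addresses.
    policy = build_policy(["203.0.113.10", "198.51.100.0/24"])
    print(json.dumps(policy, indent=2))  # pipe into `kubectl apply -f -`
    for probe in ("203.0.113.10", "203.0.113.11", "198.51.100.77"):
        print(probe, "admitted" if is_admitted(policy, probe) else "blocked")
```

Running the script prints the manifest followed by one line per probe address; in the constructed sample only the listed host and the /24 are admitted, and the neighbouring address 203.0.113.11 is blocked, which is exactly the difference the /32 note above is pointing at.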
