Network policies

A Network Policy is a self-service feature for creating Kubernetes Network Policies (Ingress) and Istio Service Entries (Egress).

When the Network Policies Ingress control option is enabled for the team, all traffic to the Pods of the Team (from other Pods within the Team and from Pods in other Teams) will be blocked by default. To allow other Pods to access your Pod you will need to create a Network Policy of type ingress.

When the Network Policies Egress control option is enabled for the team, all traffic to external endpoints (outside of the cluster) is blocked by default. To allow access to external endpoints you will need to create a Network Policy of type egress.

View network policies

To view a list of network policies belonging to your team, click on Network policies in the main menu of the App Platform Console while in the Team view. The resulting table lists each policy alongside the following details:

| Property | Description |
| --- | --- |
| Name | The name of the Network Policy |
| Rule type | Type of the Network Policy (Ingress or Egress) |
| Team | The name of the Team responsible for the build |

Create a Network Policy

  1. Enter a name for the Network Policy.

  2. Select the Rule type.

    • Ingress: Allow other Pods to connect to your Pod
    • Egress: Allow all Pods in the Team to connect to an external (outside of the cluster) endpoint (based on a FQDN or an IP address)
  3. Steps for Ingress policies:

    1. Add the label name and value of your Pod.
    2. Select the mode.
      • Select AllowAll to allow all Pods in all Teams to connect to your Pod
      • Select AllowOnly to only allow specific Pods in a specific Namespace. When this mode is selected, add the following details:
        • Add the label name (fromLabelName) of the Pod that is allowed to connect
        • Add the label value (fromLabelValue) of the Pod that is allowed to connect
        • Add the namespace (fromNamespace) of the Pod that is allowed to connect
  4. Steps for Egress policies:

    1. Add the Fully Qualified Domain Name (FQDN) or the IP address of the external endpoint.
    2. Add the Port number (between 1 and 65535).
    3. Select the Protocol (HTTP, HTTPS or TCP).