website/content/en/docs/tasks/administer-cluster/declare-network-policy.md

---
reviewers:
- caseydavenport
- danwinship
title: Declare Network Policy
min-kubernetes-server-version: v1.8
content_template: templates/task
---
{{% capture overview %}}
This document helps you get started using the Kubernetes [NetworkPolicy API](/docs/concepts/services-networking/network-policies/) to declare network policies that govern how pods communicate with each other.
{{% /capture %}}

{{% capture prerequisites %}}

{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}

Make sure you've configured a network provider with network policy support. There are a number of network providers that support NetworkPolicy, including:

* [Calico](/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy/)
* [Cilium](/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/)
* [Kube-router](/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy/)
* [Romana](/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy/)
* [Weave Net](/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy/)

{{< note >}}
The above list is sorted alphabetically by product name, not by recommendation or preference. This example is valid for a Kubernetes cluster using any of these providers.
{{< /note >}}
{{% /capture %}}

{{% capture steps %}}

## Create an `nginx` deployment and expose it via a service

To see how Kubernetes network policy works, start off by creating an `nginx` Deployment.

```console
kubectl create deployment nginx --image=nginx
```
```none
deployment.apps/nginx created
```

Expose the Deployment through a Service called `nginx`.

```console
kubectl expose deployment nginx --port=80
```

```none
service/nginx exposed
```

The above commands create a Deployment with an nginx Pod and expose the Deployment through a Service named `nginx`. The `nginx` Pod and Deployment are found in the `default` namespace.

```console
kubectl get svc,pod
```

```none
NAME                        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
service/kubernetes          10.100.0.1    <none>        443/TCP    46m
service/nginx               10.100.0.16   <none>        80/TCP     33s

NAME                        READY         STATUS        RESTARTS   AGE
pod/nginx-701339712-e0qfq   1/1           Running       0          35s
```

## Test the service by accessing it from another Pod

You should be able to access the new `nginx` service from other Pods. To access the `nginx` Service from another Pod in the `default` namespace, start a busybox container:

```console
kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/sh
```

In your shell, run the following command:

```shell
wget --spider --timeout=1 nginx
```

```none
Connecting to nginx (10.100.0.16:80)
remote file exists
```

## Limit access to the `nginx` service

To limit the access to the `nginx` service so that only Pods with the label `access: true` can query it, create a NetworkPolicy object as follows:

{{< codenew file="service/networking/nginx-policy.yaml" >}}

The name of a NetworkPolicy object must be a valid
[DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).

{{< note >}}
NetworkPolicy includes a `podSelector` which selects the grouping of Pods to which the policy applies. You can see this policy selects Pods with the label `app=nginx`. The label was automatically added to the Pod in the `nginx` Deployment. An empty `podSelector` selects all pods in the namespace.
{{< /note >}}

## Assign the policy to the service

Use kubectl to create a NetworkPolicy from the above `nginx-policy.yaml` file:

```console
kubectl apply -f https://k8s.io/examples/service/networking/nginx-policy.yaml
```

```none
networkpolicy.networking.k8s.io/access-nginx created
```

## Test access to the service when access label is not defined
When you attempt to access the `nginx` Service from a Pod without the correct labels, the request times out:

```console
kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/sh
```

In your shell, run the command:

```shell
wget --spider --timeout=1 nginx
```

```none
Connecting to nginx (10.100.0.16:80)
wget: download timed out
```

## Define access label and test again

You can create a Pod with the correct labels to see that the request is allowed:

```console
kubectl run --generator=run-pod/v1 busybox --rm -ti --labels="access=true" --image=busybox -- /bin/sh
```

In your shell, run the command:

```shell
wget --spider --timeout=1 nginx
```

```none
Connecting to nginx (10.100.0.16:80)
remote file exists
```

{{% /capture %}}
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			`---`
In front matter, change approvers to reviewers. (#7433) 2018-02-18 19:29:37 +00:00			`reviewers:`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			`- caseydavenport`
Update NetworkPolicy docs for v1 2017-05-11 15:08:55 +00:00			`- danwinship`
Change Task titles to imperative: Admin. (#4033) 2017-06-08 22:13:29 +00:00			`title: Declare Network Policy`
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`min-kubernetes-server-version: v1.8`
Convert site to Hugo (#8316) This commit converts content and layout to use Hugo. 2018-05-05 16:00:51 +00:00			`content_template: templates/task`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			`---`
Convert site to Hugo (#8316) This commit converts content and layout to use Hugo. 2018-05-05 16:00:51 +00:00			`{{% capture overview %}}`
Update declare-network-policy.md modify the double "using" of sentence 2017-08-16 13:09:07 +00:00			`This document helps you get started using the Kubernetes [NetworkPolicy API](/docs/concepts/services-networking/network-policies/) to declare network policies that govern how pods communicate with each other.`
Convert site to Hugo (#8316) This commit converts content and layout to use Hugo. 2018-05-05 16:00:51 +00:00			`{{% /capture %}}`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Convert site to Hugo (#8316) This commit converts content and layout to use Hugo. 2018-05-05 16:00:51 +00:00			`{{% capture prerequisites %}}`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Fix some "capture prerequisites" errors in docs/tasks. (#10270) Multiple "capture prerequisites" can only display the last one, so we need to merge multiple "capture prerequisites". 2018-10-11 21:21:04 +00:00			`{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Fix some "capture prerequisites" errors in docs/tasks. (#10270) Multiple "capture prerequisites" can only display the last one, so we need to merge multiple "capture prerequisites". 2018-10-11 21:21:04 +00:00			`Make sure you've configured a network provider with network policy support. There are a number of network providers that support NetworkPolicy, including:`
WTD (#3757) Edits from genwhitt in Portland at WTD conference. Apply template, copyedit, apply style guide. 2017-05-14 22:10:50 +00:00
Fix some "capture prerequisites" errors in docs/tasks. (#10270) Multiple "capture prerequisites" can only display the last one, so we need to merge multiple "capture prerequisites". 2018-10-11 21:21:04 +00:00			`* [Calico](/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy/)`
			`* [Cilium](/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/)`
			`* [Kube-router](/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy/)`
			`* [Romana](/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy/)`
			`* [Weave Net](/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy/)`
Apply templates to all concepts and tasks to fix double bullets in TOC (#9149) * Apply concept template to fix double bullet issue. * Apply concept template * Apply templates to tasks 2018-06-22 18:20:04 +00:00
Add admonition type to shortcode (#9482) * Change existing admon blocks * Fix includes issue 2018-11-06 19:33:04 +00:00			`{{< note >}}`
			`The above list is sorted alphabetically by product name, not by recommendation or preference. This example is valid for a Kubernetes cluster using any of these providers.`
			`{{< /note >}}`
Apply templates to all concepts and tasks to fix double bullets in TOC (#9149) * Apply concept template to fix double bullet issue. * Apply concept template * Apply templates to tasks 2018-06-22 18:20:04 +00:00			`{{% /capture %}}`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Convert site to Hugo (#8316) This commit converts content and layout to use Hugo. 2018-05-05 16:00:51 +00:00			`{{% capture steps %}}`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
WTD (#3757) Edits from genwhitt in Portland at WTD conference. Apply template, copyedit, apply style guide. 2017-05-14 22:10:50 +00:00			## Create an `nginx` deployment and expose it via a service
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			To see how Kubernetes network policy works, start off by creating an `nginx` Deployment.
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
			```console
replace depercated commands with new commands (#16610) 2019-10-09 20:25:49 +00:00			`kubectl create deployment nginx --image=nginx`
remove command prompts and separate commands from output (#11847) 2018-12-23 01:20:33 +00:00			```
			```none
fix the command output (#9777) I have verified on version v1.11 2018-08-08 22:10:30 +00:00			`deployment.apps/nginx created`
remove command prompts and separate commands from output (#11847) 2018-12-23 01:20:33 +00:00			```

Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			Expose the Deployment through a Service called `nginx`.
remove command prompts and separate commands from output (#11847) 2018-12-23 01:20:33 +00:00
			```console
			`kubectl expose deployment nginx --port=80`
			```

			```none
fix the command output (#9777) I have verified on version v1.11 2018-08-08 22:10:30 +00:00			`service/nginx exposed`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			```

Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			The above commands create a Deployment with an nginx Pod and expose the Deployment through a Service named `nginx`. The `nginx` Pod and Deployment are found in the `default` namespace.
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
			```console
remove command prompts and separate commands from output (#11847) 2018-12-23 01:20:33 +00:00			`kubectl get svc,pod`
			```

			```none
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			`NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE`
fix the command output (#9777) I have verified on version v1.11 2018-08-08 22:10:30 +00:00			`service/kubernetes 10.100.0.1 <none> 443/TCP 46m`
			`service/nginx 10.100.0.16 <none> 80/TCP 33s`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
			`NAME READY STATUS RESTARTS AGE`
fix the command output (#9777) I have verified on version v1.11 2018-08-08 22:10:30 +00:00			`pod/nginx-701339712-e0qfq 1/1 Running 0 35s`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			```

Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`## Test the service by accessing it from another Pod`
WTD (#3757) Edits from genwhitt in Portland at WTD conference. Apply template, copyedit, apply style guide. 2017-05-14 22:10:50 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			You should be able to access the new `nginx` service from other Pods. To access the `nginx` Service from another Pod in the `default` namespace, start a busybox container:
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
			```console
replace depercated commands with new commands (#16610) 2019-10-09 20:25:49 +00:00			`kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/sh`
remove command prompts and separate commands from output (#11847) 2018-12-23 01:20:33 +00:00			```

Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`In your shell, run the following command:`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			```shell
			`wget --spider --timeout=1 nginx`
			```
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			```none
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			`Connecting to nginx (10.100.0.16:80)`
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`remote file exists`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			```

WTD (#3757) Edits from genwhitt in Portland at WTD conference. Apply template, copyedit, apply style guide. 2017-05-14 22:10:50 +00:00			## Limit access to the `nginx` service

Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			To limit the access to the `nginx` service so that only Pods with the label `access: true` can query it, create a NetworkPolicy object as follows:
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`{{< codenew file="service/networking/nginx-policy.yaml" >}}`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Resource name constraints (4) (#19121) xref: #17969, #19099, #18746 2020-03-05 19:28:38 +00:00			`The name of a NetworkPolicy object must be a valid`
			`[DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).`
replace depercated commands with new commands (#16610) 2019-10-09 20:25:49 +00:00
Resource name constraints (4) (#19121) xref: #17969, #19099, #18746 2020-03-05 19:28:38 +00:00			`{{< note >}}`
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			NetworkPolicy includes a `podSelector` which selects the grouping of Pods to which the policy applies. You can see this policy selects Pods with the label `app=nginx`. The label was automatically added to the Pod in the `nginx` Deployment. An empty `podSelector` selects all pods in the namespace.
replace depercated commands with new commands (#16610) 2019-10-09 20:25:49 +00:00			`{{< /note >}}`

WTD (#3757) Edits from genwhitt in Portland at WTD conference. Apply template, copyedit, apply style guide. 2017-05-14 22:10:50 +00:00			`## Assign the policy to the service`

Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			Use kubectl to create a NetworkPolicy from the above `nginx-policy.yaml` file:
Update declare-network-policy.md Fix the format. The format in orginal web page is confusion. 2017-08-22 12:37:50 +00:00
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			```console
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`kubectl apply -f https://k8s.io/examples/service/networking/nginx-policy.yaml`
remove command prompts and separate commands from output (#11847) 2018-12-23 01:20:33 +00:00			```

			```none
fix the command output (#9777) I have verified on version v1.11 2018-08-08 22:10:30 +00:00			`networkpolicy.networking.k8s.io/access-nginx created`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			```

WTD (#3757) Edits from genwhitt in Portland at WTD conference. Apply template, copyedit, apply style guide. 2017-05-14 22:10:50 +00:00			`## Test access to the service when access label is not defined`
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			When you attempt to access the `nginx` Service from a Pod without the correct labels, the request times out:
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
			```console
replace depercated commands with new commands (#16610) 2019-10-09 20:25:49 +00:00			`kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/sh`
remove command prompts and separate commands from output (#11847) 2018-12-23 01:20:33 +00:00			```

Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`In your shell, run the command:`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			```shell
			`wget --spider --timeout=1 nginx`
			```
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			```none
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			`Connecting to nginx (10.100.0.16:80)`
			`wget: download timed out`
			```

WTD (#3757) Edits from genwhitt in Portland at WTD conference. Apply template, copyedit, apply style guide. 2017-05-14 22:10:50 +00:00			`## Define access label and test again`

Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`You can create a Pod with the correct labels to see that the request is allowed:`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
			```console
replace depercated commands with new commands (#16610) 2019-10-09 20:25:49 +00:00			`kubectl run --generator=run-pod/v1 busybox --rm -ti --labels="access=true" --image=busybox -- /bin/sh`
remove command prompts and separate commands from output (#11847) 2018-12-23 01:20:33 +00:00			```

Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`In your shell, run the command:`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			```shell
			`wget --spider --timeout=1 nginx`
			```
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			```none
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			`Connecting to nginx (10.100.0.16:80)`
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`remote file exists`
Move Guide topics: NetworkPolicy. (#3298) 2017-04-10 17:26:28 +00:00			```
WTD (#3757) Edits from genwhitt in Portland at WTD conference. Apply template, copyedit, apply style guide. 2017-05-14 22:10:50 +00:00
Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. 2020-02-12 19:06:51 +00:00			`{{% /capture %}}`