OpenShift NetworkPolicies
Restrict Pod-to-Pod traffic so only approved services can communicate.
Why This Matters
With the default OpenShift network plug-in, every Pod can open a connection to every other Pod, inside the project and across projects. A NetworkPolicy changes that for the Pods it selects: the moment any policy selects a Pod, that Pod is isolated and only accepts the traffic some policy explicitly allows. Policies are additive, so you build a namespace's posture from a default-deny policy plus one allow policy per approved flow, selecting Pods by label rather than by name.
In real projects, OpenShift is not only a place where containers run. It is the platform where developers, DevOps engineers, security teams, and operations teams collaborate around one application lifecycle, and NetworkPolicies are where the security team's "who may talk to whom" decision becomes an enforced runtime rule. This lesson explains the concept, shows the practical commands, and gives you a production checklist you can reuse.
Where It Fits In The Learning Path
| Area | Details |
|---|---|
| Module | Security and RBAC |
| Primary user | Java developer, backend engineer, DevOps engineer |
| Main outcome | You can explain and apply OpenShift NetworkPolicies in an OpenShift project |
| Example app | Spring Boot payments-api service |
Data Flow
flowchart LR
Dev[Developer] --> Git[Git Repository]
Git --> Build[OpenShift Build or CI Pipeline]
Build --> Image[Container Image]
Image --> Deploy[Deployment]
Deploy --> Pod[Running Pods]
Pod --> Service[Service]
Service --> Route[Route or Internal DNS]
Route --> User[Client or Consumer]
Step By Step Implementation
- Select the OpenShift project that owns the application and confirm your account can create NetworkPolicy objects in it.
- Label the Pods consistently (for example app: payments-api and app: database); policies select Pods by label, so a missing or misspelled label silently leaves a Pod out of the rule.
- Write a default-deny ingress policy for the project, so Pods that no allow rule selects are not left wide open.
- Add one allow policy per approved flow, restricting the source Pods, the source namespace where needed, and the ports.
- Apply the resources, check them with oc get and oc describe networkpolicy, and test connectivity from one Pod that should be allowed and one that should be denied.
- Promote the same policies, unchanged apart from namespace, through dev, test, staging, and production.
Commands You Can Copy
oc apply -f network-policy.yaml
oc get networkpolicy
oc describe networkpolicy allow-api-to-db
Example Configuration
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
spec:
  # Selecting the database Pods isolates them: from now on only traffic
  # that some NetworkPolicy allows can reach them.
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A podSelector without a namespaceSelector only matches Pods in the
        # policy's own project; the same label in another project does not match.
        - podSelector:
            matchLabels:
              app: payments-api
      # Add a ports list here to limit the allowed flow to the database port.
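The rules behind that manifest are easy to get wrong, so here is an added example (not code from the original page) that models NetworkPolicy ingress semantics in Python: isolation once a Pod is selected, additive allow rules, podSelector peers scoped to the policy's namespace, namespaceSelector peers for the OpenShift router, and port filtering. The policies are written as dicts that mirror the YAML; the namespace names, Pod labels, the database port 5432 and the API port 8080 are constructed assumptions. The label network.openshift.io/policy-group=ingress on the openshift-ingress namespace is the one OpenShift sets so policies can admit the router.

```python
"""Evaluator for Kubernetes NetworkPolicy ingress semantics (added example).

Policies are plain dicts mirroring the YAML; ingress_allowed() answers
"may src open a connection to dst on this port?". Namespaces, labels and
ports are constructed assumptions, not values from the original page.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace labels. OpenShift labels openshift-ingress with
# network.openshift.io/policy-group=ingress so policies can admit the router.
NAMESPACE_LABELS = {
    "payments": {"kubernetes.io/metadata.name": "payments"},
    "openshift-ingress": {"kubernetes.io/metadata.name": "openshift-ingress",
                          "network.openshift.io/policy-group": "ingress"},
    "attacker-ns": {"kubernetes.io/metadata.name": "attacker-ns"},
}


def matches(selector, labels):
    """matchLabels only; an empty selector {} matches every object, as in the API."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_namespace):
    """One entry of a rule's `from` list. podSelector alone is scoped to the
    policy's own namespace; namespaceSelector alone admits every Pod in the
    matching namespaces; both together are intersected."""
    if "ipBlock" in peer:
        raise NotImplementedError("ipBlock peers are not modelled here")
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if src.namespace != policy_namespace:
            return False
    elif not matches(ns_sel, NAMESPACE_LABELS.get(src.namespace, {})):
        return False
    return pod_sel is None or matches(pod_sel, src.labels)


def ports_match(rule, port, protocol):
    """No `ports` list means every port; an entry without `port` means every port of that protocol."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") in (None, port) for p in ports)


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """A Pod selected by no Ingress policy is not isolated and accepts everything;
    once any policy selects it, the connection needs a matching rule in some policy."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and matches(p["spec"]["podSelector"], dst.labels)
    ]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            if not ports_match(rule, port, protocol):
                continue
            froms = rule.get("from")  # absent or empty `from` means any source
            if not froms or any(peer_matches(peer, src, dst.namespace) for peer in froms):
                return True
    return False


DEFAULT_DENY = {  # selects every Pod in the project and allows nothing
    "metadata": {"name": "default-deny-ingress", "namespace": "payments"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
ALLOW_API_TO_DB = {  # the page's policy plus an assumed database port
    "metadata": {"name": "allow-api-to-db", "namespace": "payments"},
    "spec": {"podSelector": {"matchLabels": {"app": "database"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "payments-api"}}}],
                          "ports": [{"protocol": "TCP", "port": 5432}]}]},
}
ALLOW_ROUTER_TO_API = {  # admits the OpenShift router to the API's assumed port
    "metadata": {"name": "allow-from-openshift-ingress", "namespace": "payments"},
    "spec": {"podSelector": {"matchLabels": {"app": "payments-api"}},
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"network.openshift.io/policy-group": "ingress"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]}]},
}
POLICIES = [DEFAULT_DENY, ALLOW_API_TO_DB, ALLOW_ROUTER_TO_API]

# Constructed Pods
API = Pod("payments-api-1", "payments", {"app": "payments-api"})
DB = Pod("database-0", "payments", {"app": "database"})
BATCH = Pod("batch-1", "payments", {"app": "batch"})
ROUTER = Pod("router-default-1", "openshift-ingress", {"app": "router"})
SPOOF = Pod("payments-api-0", "attacker-ns", {"app": "payments-api"})  # right label, wrong project

if __name__ == "__main__":
    for src, dst, port in [(API, DB, 5432), (BATCH, DB, 5432), (SPOOF, DB, 5432),
                           (ROUTER, API, 8080), (BATCH, API, 8080)]:
        verdict = "allow" if ingress_allowed(POLICIES, src, dst, port) else "deny"
        print(f"{src.namespace}/{src.name} -> {dst.name}:{port}: {verdict}")
```

Two things the model makes visible: with only allow-api-to-db in place, the database is isolated but payments-api is not, so any Pod in the project can still reach the API until the default-deny policy exists; and the spoofed Pod in attacker-ns is denied because a podSelector-only peer never crosses the namespace boundary. The model also shows what NetworkPolicy does not protect against: labels are the trust anchor, so anyone who can create or relabel Pods inside the payments project can wear app: payments-api, which is why RBAC on the project matters as much as the policy.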
Input And Output Example
| Input | Expected output |
|---|---|
| network-policy.yaml applied with oc apply -f | networkpolicy.networking.k8s.io/allow-api-to-db created (or configured on a later run) |
| oc get networkpolicy | allow-api-to-db listed with its POD-SELECTOR column showing app=database |
| oc describe networkpolicy allow-api-to-db | PodSelector, the allowed ingress sources, and Policy Types are shown |
| oc get pods | Pods show Running; a NetworkPolicy never changes Pod status, only whether connections succeed |
| oc logs deployment/payments-api | Spring Boot startup logs and request logs are visible; a denied flow shows up as connection errors or timeouts, not as a policy message |
| Route or service URL | API still responds to allowed clients; connections from denied Pods fail, typically by timing out |
Production Checklist
- Use clear naming for project, app, service, route, and NetworkPolicy resources (allow-<source>-to-<target> reads well in oc get output).
- Start every application project with a default-deny ingress policy, then add one allow policy per approved flow, restricted to the ports the flow needs.
- Allow ingress from the openshift-ingress namespace (namespaceSelector on network.openshift.io/policy-group: ingress) for any service exposed through a Route, or the Route stops working once default-deny is in place.
- Keep Pod labels stable across environments; the policies select by label, so a renamed label silently breaks or widens the rule.
- Keep environment-specific values outside the application jar.
- Configure readiness and liveness probes for every service.
- Set CPU and memory requests and limits before moving to production.
- Store passwords, tokens, and keys in Secrets, not ConfigMaps.
- Use least privilege RBAC for users, pipelines, and ServiceAccounts; anyone who can create or relabel Pods in the project can also claim the labels your policies trust.
- Validate logs, metrics, alerts, and rollback steps before release, including a connectivity test from an allowed and a denied Pod.
Common Mistakes
| Mistake | Better approach |
|---|---|
| Writing only allow policies and assuming everything else is blocked | Add a default-deny ingress policy; a Pod that no policy selects accepts traffic from anywhere |
| Applying default-deny and forgetting the router | Allow ingress from the openshift-ingress namespace for every Pod behind a Route |
| Expecting a podSelector to match Pods in other projects | Add a namespaceSelector for cross-project flows; a podSelector on its own is scoped to the policy's project |
| Hard-coding environment values | Use ConfigMaps, Secrets, and environment variables |
| Deploying without probes | Add readiness, liveness, and startup probes |
| Running one replica in production | Use multiple replicas and anti-affinity when needed |
| Giving broad permissions | Use namespace-scoped roles and least privilege |
| Ignoring resource limits | Define requests and limits based on load testing |
Interview Notes
When explaining OpenShift NetworkPolicies, connect the resource to the runtime behavior it creates: a NetworkPolicy selects Pods by label, a selected Pod becomes isolated, and the union of all matching allow rules decides which connections succeed, enforced by the cluster network plug-in rather than by the application. Strong answers name the default-deny plus allow-list pattern, explain why the openshift-ingress namespace needs an explicit allow, and tie the whole thing to operational value: a smaller blast radius when one service is compromised and a readable record of which services are approved to talk to each other.
Quick Recap
- OpenShift NetworkPolicies belong to the Security and RBAC part of the OpenShift platform: they turn the approved service-to-service flows into rules the network enforces.
- The practical workflow is label the Pods, apply default-deny, add one allow policy per flow, verify with oc get and oc describe networkpolicy, and test connectivity from an allowed and a denied Pod.
- For Spring Boot applications, always think about configuration, security, health checks, scaling, and logs together; a policy that blocks the router or the database port surfaces as probe failures and timeouts, not as a policy error.