You will expose an app through an Ingress and lock down pod-to-pod traffic with a default-deny NetworkPolicy. By the end external users reach your service while only authorized pods can talk to the backend.

Learning Objectives

  • Compare ClusterIP, NodePort, and Ingress for exposure.
  • Route external traffic via an Ingress controller.
  • Enforce default-deny with NetworkPolicy.
  • Time: ~4 hours · Difficulty: Advanced · Prereqs: a cluster with an Ingress controller and a CNI that supports policy.

Architecture Overview

Environment Setup

You will need: a cluster, an Ingress controller (ingress-nginx), and a policy-capable CNI (Calico/Cilium).

Before you begin: the default cluster allows all pod traffic until you add a policy.

Step-by-Step Execution

01
Expose a service internally
kubectl expose deploy web --port 80 --target-port 80 --name web
02
Route external traffic with Ingress
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: { name: web }
spec:
  rules:
    - host: web.lab.tyfsadik.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: { service: { name: web, port: { number: 80 } } }
03
Apply a default-deny policy

Default-deny then explicit-allow is the zero-trust posture for pod traffic.

kubectl apply -f default-deny.yaml && kubectl apply -f allow-api-to-db.yaml

Progress So Far

Testing & Validation

curl -H 'Host: web.lab.tyfsadik.org' http://INGRESS_IP/ ; kubectl exec other -- nc -zv db 5432 || echo denied

External access through the Ingress should succeed, while a non-authorized pod reaching the DB should print denied. That confirms exposure plus segmentation.

Troubleshooting
  • Ingress 404: the host/path rule must match the request Host header.
  • Policy has no effect: your CNI must support NetworkPolicy (Calico/Cilium), not all do.
  • DNS fails inside pods: check CoreDNS pods are Running in kube-system.

Extension Ideas

  • Add TLS to the Ingress with cert-manager.
  • Move to eBPF policy in the Zero-Trust Hybrid Cloud lab.
  • Deploy this on managed Kubernetes in AKS.

Key Results

  • Exposed an app externally through an Ingress controller.
  • Enforced default-deny pod traffic with explicit allow rules.
  • Verified both external reachability and internal segmentation.
  • Applied a zero-trust posture inside the cluster.