Network Policies

Learn about the network policies for the Serverless module.

Overview

The Serverless module defines network policies to ensure communication within the Kubernetes cluster, particularly in environments where a deny-all network policy is applied.

When a cluster-wide deny-all network policy is enforced, which blocks all ingress and egress traffic by default, the Serverless network policies explicitly allow only the necessary communication paths to ensure the module functions correctly.

Policy Name	Description
`kyma-project.io--serverless-allow-egress`	Allows unrestricted outbound traffic from Pods labeled `networking.serverless.kyma-project.io/from-serverless: allowed`. Used by the Serverless controller to fetch Function source code from external Git repositories.
`kyma-project.io--serverless-allow-metrics`	Allows ingress to the metrics endpoint (TCP 8080) from Pods labeled `app.kubernetes.io/instance: rma` or `networking.kyma-project.io/metrics-scraping: allowed` for metrics scraping. Applies to all Pods labeled `kyma-project.io/module: serverless`.
`kyma-project.io--serverless-allow-to-apiserver`	Allows egress from Pods labeled `networking.serverless.kyma-project.io/to-apiserver: allowed` to the Kubernetes API server (TCP 443).
`kyma-project.io--serverless-allow-to-dns`	Allows egress to DNS services for cluster and external DNS resolution. Targets any IP on port 53 and Pods labeled `k8s-app: kube-dns` or `k8s-app: node-local-dns` in the `kube-system` namespace on ports 53 and 8053. Applied to all Pods labeled `kyma-project.io/module: serverless`.
`kyma-project.io--serverless-operator-allow-to-apiserver`	Allows egress from the Serverless Operator Pod to the Kubernetes API server (TCP 443, 6443).
`kyma-project.io--serverless-operator-allow-to-dns`	Allows egress from the Serverless Operator Pod to DNS services for cluster and external resolution. Targets any IP on port 53 and Pods labeled `k8s-app: kube-dns` or `k8s-app: node-local-dns` in the `kube-system` namespace on ports 53 and 8053.

Verify Status

To check if the network policies are active, run the following command:

bash

kubectl get networkpolicies -n kyma-system -l kyma-project.io/module=serverless

Istio Service Mesh

Tutorials

Technical Reference

Troubleshooting

Istio Gateways

Configure an mTLS Gateway

Exposing and Securing Workloads

JWT Validation

External Authorization

noAuth Configuration

Custom Resources

APIRule Migration

Technical Reference

Troubleshooting Guides

Working with Multiple Subaccounts

Resources

Tutorials

Troubleshooting

Technical Reference

Runtime Agent

Tutorials

Resources

Tutorials

Register a Service

VPC Peering

Resources

Tutorials

Tutorials

Resources

Troubleshooting for the Eventing Module

Resources

Troubleshooting

Tutorials

Resources

Technical Reference

Troubleshooting Guides

Telemetry Pipeline API

Collecting Logs

Collecting Traces

Collecting Metrics

Filtering and Processing Data

Transform and Filter with OTTL

Integrate with your OTLP Backend

Architecture

Integration Guides

Resources

Tutorials

Resources

Technical Reference

Troubleshooting Guides

Technical Reference

Tutorials

Commands

Network Policies ​

Overview ​

Verify Status ​

Network Policies

Overview

Verify Status