Kubernetes Network Policy, allow communication within namespace

Time:01-20

On an Azure AKS cluster with the Calico network policies plugin enabled, I want to:

  1. by default block all incoming traffic.
  2. allow all traffic within a namespace (from a pod in a namespace to another pod in the same namespace).

I tried something like:

# Isolate every pod in the namespace for ingress (no rules = deny all ingress)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny.all
  namespace: test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Allow ingress from any pod in the same namespace (podSelector alone is scoped
# to the policy's own namespace)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow.same.namespace
  namespace: test
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
  policyTypes:
  - Ingress

But it seems to block traffic between two deployments/pods in the same namespace. What am I doing wrong, am I misreading the documentation?

Perhaps it is good to mention that the above setup seems to work on an AWS EKS based Kubernetes cluster.

CodePudding user response:

You can label the Namespace first like

kubectl label namespace <namespace-name> env=test

and apply the policy like

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-labeled-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    # any pod in a namespace carrying the env=test label
    - namespaceSelector:
        matchLabels:
          env: test
    # only TCP/80 is opened; drop the ports list to allow every port
    ports:
    - protocol: TCP
      port: 80

So this network policy will allow traffic only from the namespace that carries the label env: test.
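The question's pair of policies and the label-based policy above both rely on how Kubernetes combines NetworkPolicy objects: a pod becomes isolated for ingress as soon as any policy with Ingress in policyTypes selects it, and an isolated pod then accepts only what some selecting policy's ingress rule allows. Policies never deny anything themselves; they are additive. The following Python model of that evaluation is an added example, not code from the question or the answer; the pods, namespace labels and port numbers in it are constructed, and it only implements matchLabels selectors and pod-to-pod traffic (no ipBlock, no matchExpressions).

```python
"""Model of how Kubernetes combines NetworkPolicy objects for ingress.
Added example: implements the API's union semantics over policies given as
plain dicts shaped like the YAML. Sample pods/namespaces are constructed."""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """matchLabels only. {} matches everything; None means the field is absent."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns, namespaces):
    """One ingress[].from entry: podSelector alone = pods in the policy's own
    namespace; namespaceSelector alone = every pod in matching namespaces;
    both together are ANDed."""
    if "ipBlock" in peer:
        return False  # pod-to-pod traffic only in this model
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is None:
        return src.namespace == policy_ns and selector_matches(pod_sel, src.labels)
    if not selector_matches(ns_sel, namespaces[src.namespace]):
        return False
    return pod_sel is None or selector_matches(pod_sel, src.labels)


def rule_matches(rule, src, policy_ns, port, protocol, namespaces):
    peers = rule.get("from") or []   # absent/empty "from" = any source
    if peers and not any(peer_matches(p, src, policy_ns, namespaces) for p in peers):
        return False
    ports = rule.get("ports") or []  # absent/empty "ports" = any port
    return not ports or any(
        p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(src, dst, port, protocol, policies, namespaces):
    isolated = False
    for pol in policies:
        spec, ns = pol["spec"], pol["metadata"]["namespace"]
        if ns != dst.namespace or not selector_matches(spec.get("podSelector", {}), dst.labels):
            continue
        types = spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])
        if "Ingress" not in types:
            continue
        isolated = True  # selected by an ingress policy: default deny from here on
        if any(rule_matches(r, src, ns, port, protocol, namespaces) for r in spec.get("ingress") or []):
            return True  # one allowing rule in any policy is enough (union)
    return not isolated


# Constructed data. kubernetes.io/metadata.name is set automatically since 1.21;
# env=test is the label the answer adds by hand.
NAMESPACES = {"test": {"kubernetes.io/metadata.name": "test", "env": "test"},
              "other": {"kubernetes.io/metadata.name": "other"}}
FRONTEND = Pod("frontend", "test", {"app": "frontend"})
BACKEND = Pod("backend", "test", {"app": "backend"})
OUTSIDER = Pod("client", "other", {"app": "client"})

QUESTION_POLICIES = [  # the two policies from the question
    {"metadata": {"name": "deny.all", "namespace": "test"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow.same.namespace", "namespace": "test"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {}}]}]}},
]
LABELED_NS_POLICY = [  # the label-based policy from the answer (TCP/80 only)
    {"metadata": {"name": "allow-labeled-namespace", "namespace": "test"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"env": "test"}}}],
                           "ports": [{"protocol": "TCP", "port": 80}]}]}},
]


def demo():
    q, n = QUESTION_POLICIES, NAMESPACES
    return {
        "no_policy_any_source": ingress_allowed(OUTSIDER, BACKEND, 8080, "TCP", [], n),
        "deny_all_only_same_ns": ingress_allowed(FRONTEND, BACKEND, 8080, "TCP", q[:1], n),
        "both_policies_same_ns": ingress_allowed(FRONTEND, BACKEND, 8080, "TCP", q, n),
        "both_policies_other_ns": ingress_allowed(OUTSIDER, BACKEND, 8080, "TCP", q, n),
        "labeled_ns_port_80": ingress_allowed(FRONTEND, BACKEND, 80, "TCP", LABELED_NS_POLICY, n),
        "labeled_ns_port_8080": ingress_allowed(FRONTEND, BACKEND, 8080, "TCP", LABELED_NS_POLICY, n),
        "labeled_ns_unlabeled_src": ingress_allowed(OUTSIDER, BACKEND, 80, "TCP", LABELED_NS_POLICY, n),
    }
```

Running `demo()` shows the deny-all policy alone isolating the backend, the second policy re-opening same-namespace traffic on every port while other namespaces stay blocked, and the answer's label-based policy admitting only TCP/80 from namespaces carrying env=test. Whatever a given CNI plugin does on a given cluster, this is the behaviour the API defines, so it is the baseline to test against with a throwaway client pod.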

CodePudding user response:

If you are using Calico, you can apply one GlobalNetworkPolicy to deny Ingress that is valid for all existing and future Namespaces:

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: default-global-deny-all-ingress
spec:
  # every namespace except the cluster and Calico system namespaces
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "tigera-operator"}
  # Calico evaluates lower order values first and converts Kubernetes
  # NetworkPolicies with order 1000, so 3000 places this deny after them
  order: 3000
  types:
    - Ingress
  ingress:
    # allow ingress to the Kubernetes Metrics Server on TCP/443 (metrics collection)
    - action: Allow
      protocol: TCP
      destination:
        selector: 'k8s-app == "metrics-server"'
        ports:
          - 443
    # deny all other ingress (matches IPv4 sources)
    - action: Deny
      source:
        nets:
          - 0.0.0.0/0

Important is that the order is above 1000, as this is the default order for NetworkPolicies. Now you can use the default Namespace labels of Kubernetes 1.21 for your policy per Namespace (example for ingress-nginx):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-allow-ingress-nginx
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector: {}
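The point about `order` is easiest to see by replaying Calico's evaluation: the policies that apply to an endpoint run in ascending order, rules inside a policy run top to bottom and the first Allow or Deny match decides; if at least one policy applied but no rule matched, the packet is dropped, and if no policy applied at all, the namespace profile allows it. The Python model below is an added example, not code from the answer or from Calico; it simplifies (default tier only, no Pass action, no egress, selectors written as Python callables instead of Calico's selector language) and its endpoints, namespaces and ports are constructed. It builds the global deny with a configurable order next to the converted ingress-nginx NetworkPolicy at order 1000, then shows why a deny placed below 1000 silently breaks the per-namespace allow.

```python
"""Simplified model of Calico's ordered policy evaluation for ingress.
Added example; endpoints and policies are constructed to mirror the answer."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Endpoint:
    namespace: str
    labels: dict = field(default_factory=dict)


@dataclass
class Rule:
    action: str  # "Allow" or "Deny"
    match: Callable[[Endpoint, Endpoint, int], bool]  # (src, dst, port) -> bool


@dataclass
class Policy:
    name: str
    order: float
    applies_to: Callable[[Endpoint], bool]  # the policy's endpoint selector
    ingress: list


def evaluate_ingress(src, dst, port, policies):
    """Return (allowed, decided_by). Lower order runs first; first matching
    rule wins; applied-but-unmatched ends in deny; nothing applied -> profile allow."""
    applied = False
    for pol in sorted(policies, key=lambda p: p.order):
        if not pol.applies_to(dst):
            continue
        applied = True
        for rule in pol.ingress:
            if rule.match(src, dst, port):
                return rule.action == "Allow", pol.name
    return (False, "end-of-tier deny") if applied else (True, "profile allow")


def build_policies(deny_order):
    system_ns = {"kube-system", "calico-system", "tigera-operator"}
    global_deny = Policy(
        name="default-global-deny-all-ingress",
        order=deny_order,
        applies_to=lambda ep: ep.namespace not in system_ns,
        ingress=[
            Rule("Allow", lambda s, d, port: d.labels.get("k8s-app") == "metrics-server" and port == 443),
            Rule("Deny", lambda s, d, port: True),
        ],
    )
    # The answer's per-namespace NetworkPolicy as Calico sees it after conversion
    # (constructed: it is assumed to live in a namespace called "app").
    knp_allow_nginx = Policy(
        name="knp.default.ingress-allow-ingress-nginx",
        order=1000,
        applies_to=lambda ep: ep.namespace == "app",
        ingress=[Rule("Allow", lambda s, d, port: s.namespace == "ingress-nginx")],
    )
    return [global_deny, knp_allow_nginx]


# Constructed endpoints
NGINX = Endpoint("ingress-nginx", {"app.kubernetes.io/name": "ingress-nginx"})
APP = Endpoint("app", {"app": "web"})
CLIENT = Endpoint("other", {"app": "client"})
METRICS = Endpoint("monitoring", {"k8s-app": "metrics-server"})
COREDNS = Endpoint("kube-system", {"k8s-app": "kube-dns"})


def demo(deny_order):
    pols = build_policies(deny_order)
    return {
        "nginx_to_app_80": evaluate_ingress(NGINX, APP, 80, pols),
        "client_to_app_80": evaluate_ingress(CLIENT, APP, 80, pols),
        "scrape_metrics_443": evaluate_ingress(CLIENT, METRICS, 443, pols),
        "coredns_53": evaluate_ingress(CLIENT, COREDNS, 53, pols),
    }
```

With `demo(3000)` the ingress controller reaches the app through the order-1000 policy, everything else into the namespace falls through to the global deny, the metrics server stays reachable on 443, and kube-system is untouched because the deny never applies there. With `demo(500)` the same ingress-nginx request is dropped by the global deny before the NetworkPolicy is ever consulted, which is exactly the misordering the answer warns about.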