allow-traffic-from-a-namespace
# ALLOW all traffic from a namespace
This policy is similar to allowing traffic from all namespaces but shows how you can choose particular namespaces.
Use Case:
- Restrict traffic to a production database only to namespaces where production workloads are deployed.
- Enable monitoring tools deployed to a particular namespace to scrape metrics from the current namespace.
# Example
Run a web server in the default
namespace:
kubectl run web --image=nginx --labels="app=web" --expose --port=80
Now, suppose you have these three namespaces:
default
: (installed by Kubernetes) This is where your API is deployed.prod
: Other production workloads run here. This has labelpurpose=production
.dev
: This is your dev/test area. This has labelpurpose=testing
.
Create the prod
and dev
namespaces:
kubectl create namespace dev
kubectl label namespace/dev purpose=testing
1
2
2
kubectl create namespace prod
kubectl label namespace/prod purpose=production
1
2
2
The following manifest restricts traffic to only pods in namespaces
that has label purpose=production
. Save it to web-allow-prod.yaml
and apply to the cluster:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: web-allow-prod
spec:
podSelector:
matchLabels:
app: web
ingress:
- from:
- namespaceSelector:
matchLabels:
purpose: production
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
$ kubectl apply -f web-allow-prod.yaml
networkpolicy "web-allow-prod" created
1
2
2
# Try it out
Query this web server from dev
namespace, observe it is blocked:
$ kubectl run test-$RANDOM --namespace=dev --rm -i -t --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out
(traffic blocked)
1
2
3
4
5
6
2
3
4
5
6
Query it from prod
namespace, observe it is allowed:
$ kubectl run test-$RANDOM --namespace=prod --rm -i -t --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
<!DOCTYPE html>
<html>
<head>
...
(traffic allowed)
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
# Cleanup
kubectl delete networkpolicy web-allow-prod
kubectl delete pod web
kubectl delete service web
kubectl delete namespace {prod,dev}
上次更新: 2024/02/26, 10:14:04