allow-traffic-from-all-namespaces
# ALLOW traffic to an application from all namespaces
This NetworkPolicy will allow traffic from all pods in all namespaces to a particular application.
Use Case:
- You have a common service or a database which is used by deployments in different namespaces.
You do not need this policy unless there is already a NetworkPolicy blocking traffic to the application or a NetworkPolicy blocking non-whitelisted traffic to all pods in the namespace.
# Example
Start a web service on default
namespace:
kubectl run web --namespace=default --image=nginx --labels="app=web" --expose --port=80
Save the following manifest to web-allow-all-namespaces.yaml
and apply
to the cluster:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: default
name: web-allow-all-namespaces
spec:
podSelector:
matchLabels:
app: web
ingress:
- from:
- namespaceSelector: {}
2
3
4
5
6
7
8
9
10
11
12
$ kubectl apply -f web-allow-all-namespaces.yaml
networkpolicy "web-allow-all-namespaces" created"
2
Note a few things about this NetworkPolicy manifest:
- Applies the policy only to
app:web
pods indefault
namespace. - Selects all pods in all namespaces (
namespaceSelector: {}
). - By default, if you omit specifying a
namespaceSelector
it does not select any namespaces, which means it will allow traffic only from the namespace the NetworkPolicy is deployed to.
Note: Dropping all selectors from the
spec.ingress.from
item has the same effect of matching all pods in all namespaces. e.g.:... ingress: - from:
However, prefer the syntax in the full manifest clear expression of intent.
# Try it out
Create a new namespace called secondary
and query this web service in the default
namespace:
$ kubectl create namespace secondary
$ kubectl run test-$RANDOM --namespace=secondary --rm -i -t --image=alpine -- sh
/ # wget -qO- --timeout=2 http://web.default
<!DOCTYPE html>
<html>
<head>
2
3
4
5
6
7
Similarly, it also works if you query it from any pod deployed to bar
.
# Cleanup
kubectl delete pod web -n default
kubectl delete service web -n default
kubectl delete networkpolicy web-allow-all-namespaces -n default
kubectl delete namespace secondary