lyndon
2024-02-26
allow-traffic-from-some-pods-in-another-namespace

# ALLOW traffic from some pods in another namespace

Since Kubernetes v1.11, it is possible to combine podSelector and namespaceSelector with an AND (intersection) operation.

⚠️ This feature is available on Kubernetes v1.11 or later. Most networking plugins do not yet support it, so test the policy after you deploy it to confirm that it is actually enforced.

# Example

Start a web application:

```sh
kubectl run web --image=nginx --labels="app=web" --expose --port=80
```

Create a namespace named `other` and label it:

```sh
kubectl create namespace other
kubectl label namespace/other team=operations
```

The following manifest restricts ingress to the web pods to only pods labelled type=monitoring that live in namespaces labelled team=operations. Save it to web-allow-all-ns-monitoring.yaml and apply it to the cluster:

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-all-ns-monitoring
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
    - from:
      - namespaceSelector:     # chooses all pods in namespaces labelled with team=operations
          matchLabels:
            team: operations
        podSelector:           # chooses pods with type=monitoring
          matchLabels:
            type: monitoring
```

```sh
$ kubectl apply -f web-allow-all-ns-monitoring.yaml
networkpolicy.networking.k8s.io/web-allow-all-ns-monitoring created
```

# Try it out

Query this web server from the default namespace, without labelling the client pod type=monitoring, and observe that it is blocked:

```sh
$ kubectl run test-$RANDOM --rm -i -t --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out

(traffic blocked)
```

Query this web server from the default namespace, this time labelling the client pod type=monitoring, and observe that it is still blocked (the pod label matches, but the namespace label does not):

```sh
$ kubectl run test-$RANDOM --labels="type=monitoring" --rm -i -t --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out

(traffic blocked)
```

Query this web server from the other namespace, without labelling the client pod type=monitoring, and observe that it is blocked (the namespace label matches, but the pod label does not):

```sh
$ kubectl run test-$RANDOM --namespace=other --rm -i -t --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out

(traffic blocked)
```

Note: see the remarks below on how to express OR in the network policy, so that this example works as well.

Query this web server from the other namespace, labelling the client pod type=monitoring, and observe that it is allowed (both selectors match):

```sh
$ kubectl run test-$RANDOM --namespace=other --labels="type=monitoring" --rm -i -t --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
<!DOCTYPE html>
<html>
<head>
...
(traffic allowed)
```

# remarks

Please note that the example below is an OR condition: the two selectors are separate entries in the `from` list, so traffic matching either one is allowed.

```yaml
  ingress:
    - from:
      - namespaceSelector:     # chooses all pods in namespaces labelled with team=operations
          matchLabels:
            team: operations
      - podSelector:           # chooses pods with type=monitoring
          matchLabels:
            type: monitoring
```

while this example is an AND condition: both selectors sit in a single `from` entry, so a source must match both to be allowed.

```yaml
  ingress:
    - from:
      - namespaceSelector:     # chooses all pods in namespaces labelled with team=operations
          matchLabels:
            team: operations
        podSelector:           # chooses pods with type=monitoring
          matchLabels:
            type: monitoring
```
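As an added example (not part of the recipe), the following Python evaluator models the matchLabels semantics of ingress `from` peers and replays the four probes from Try it out against both the recipe's AND policy and the OR variant above. The namespace labels are constructed to mirror the setup, including the automatic kubernetes.io/metadata.name label, and only matchLabels (not matchExpressions) is handled.

```python
# Added example: matchLabels-only evaluator for NetworkPolicy ingress peers.

def labels_match(selector, labels):
    """Every key/value in selector.matchLabels must be present in labels.
    An absent or empty matchLabels matches everything (k8s semantics)."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_allows(peer, policy_ns, src_ns, ns_labels, pod_labels):
    """Does one entry of the 'from' list admit the source pod?"""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        # Both selectors in one peer: namespace AND pod labels must match.
        return labels_match(ns_sel, ns_labels) and (
            pod_sel is None or labels_match(pod_sel, pod_labels))
    # podSelector alone only selects pods in the policy's own namespace.
    return src_ns == policy_ns and labels_match(pod_sel, pod_labels)


def ingress_allows(policy, src_ns, ns_labels, pod_labels):
    """Allowed iff any peer of any ingress rule admits the source (peers are OR-ed)."""
    policy_ns = policy["metadata"]["namespace"]
    return any(peer_allows(p, policy_ns, src_ns, ns_labels, pod_labels)
               for rule in policy["spec"].get("ingress", [])
               for p in rule.get("from", []))


NS_SEL = {"matchLabels": {"team": "operations"}}
POD_SEL = {"matchLabels": {"type": "monitoring"}}
META = {"name": "web-allow-all-ns-monitoring", "namespace": "default"}
WEB = {"matchLabels": {"app": "web"}}

# The recipe's policy: one peer carrying both selectors (AND).
AND_POLICY = {"metadata": META, "spec": {"podSelector": WEB, "ingress": [
    {"from": [{"namespaceSelector": NS_SEL, "podSelector": POD_SEL}]}]}}
# The variant from the remarks: two separate peers (OR).
OR_POLICY = {"metadata": META, "spec": {"podSelector": WEB, "ingress": [
    {"from": [{"namespaceSelector": NS_SEL}, {"podSelector": POD_SEL}]}]}}

# Constructed namespace labels mirroring the recipe's setup.
NS_LABELS = {"default": {"kubernetes.io/metadata.name": "default"},
             "other": {"team": "operations", "kubernetes.io/metadata.name": "other"}}


def probe(policy, src_ns, pod_labels):
    """Replay one 'Try it out' step: client namespace plus client pod labels."""
    return ingress_allows(policy, src_ns, NS_LABELS[src_ns], pod_labels)
```

Under the AND policy only the other/type=monitoring probe is admitted; under the OR policy every probe except default with no label is admitted, which is why the third Try it out step would succeed with the OR form.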

# Cleanup

```sh
kubectl delete networkpolicy web-allow-all-ns-monitoring
kubectl delete namespace other
kubectl delete pod web
kubectl delete service web
```

Last updated: 2024/02/26, 10:14:04