Kubernetes network policy to filter on both namespaces and pod's labels

2/14/2017

Is there any ability to filter by both namespace and pod's labels at the same time?

The example present in the documentation at https://kubernetes.io/docs/user-guide/networkpolicies/#the-networkpolicy-resource

  - from:
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend

means that communication is allowed for pods with role=frontend or from namespace myproject.

Is there any way to change that "or" into an "and"?

-- Adam Kotwasinski
kubernetes

4 Answers

3/28/2018

This statement will not work:

  - from:
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend

What happens there, if you choose the namespace selector and you put a specific pod to connect to your pod, is that it will not work. Because just by specifying the namespace you have already opened the whole namespace to connect to your pod, it's useless to put the podSelector. An alternative would be to use ipBlock, but again it is not recommended in large clusters because the IP might change.

There is an update on GitHub to fix this problem.

-- Kern
Source: StackOverflow

3/1/2019

Kubernetes 1.11 and above supports combining podSelector and namespaceSelector with a logical AND:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

See more details in here: https://medium.com/@reuvenharrison/an-introduction-to-kubernetes-network-policies-for-security-people-ba92dd4c809d/#f416

-- Mark
Source: StackOverflow

12/14/2017

Edit: This has been implemented here: https://github.com/kubernetes/kubernetes/pull/60452

Currently, there is not yet a way to select certain pod from another namespace. There is an open issue for that https://github.com/kubernetes/kubernetes/issues/50451

-- Rafaesp
Source: StackOverflow

2/14/2017

I think you misunderstand the selectors. Within the API docs for the NetworkPolicyPeer you'll find these descriptions:

namespaceSelector

Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If omitted, this selector selects no namespaces. If present but empty, this selector selects all namespaces.

podSelector

This is a label selector which selects Pods in this namespace. This field follows standard label selector semantics. If not provided, this selector selects no pods. If present but empty, this selector selects all pods in this namespace.

Therefore the combination of both selectors doesn't really implement a boolean operation, and they aim for different scopes (current namespace vs. all other namespaces).

So the only solution for your problem would be to label each pod also with a namespace-related label which you could select within the namespaceSelector.

-- pagid
Source: StackOverflow
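The following is an added example, not code from the StackOverflow thread or from Kubernetes itself. It is a small evaluator for NetworkPolicy ingress peers that makes the two points above concrete: two entries under `from` are OR-ed (the documentation example in the question), while one entry carrying both `namespaceSelector` and `podSelector` is AND-ed (Mark's answer), and the omitted-versus-empty selector semantics pagid quotes from the API docs. The policies are Python dicts mirroring the page's YAML; the source pods, their labels and the namespace labels are constructed for the example and are not taken from any real cluster.

```python
"""Added example (not part of the StackOverflow thread): evaluate NetworkPolicy
ingress 'from' peers to show OR-of-peers vs AND-within-a-peer semantics.
Policies mirror the page's YAML; source pods and labels are constructed."""


def selector_matches(selector, labels):
    """matchLabels semantics from the NetworkPolicyPeer docs:
    omitted (None) selects nothing, present-but-empty selects everything,
    otherwise every key/value pair must be present on the object."""
    if selector is None:
        return False
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_allows(peer, src, policy_ns):
    """One NetworkPolicyPeer entry.
    namespaceSelector only : any pod in a matching namespace.
    podSelector only       : matching pods in the policy's own namespace.
    both                   : matching pods in matching namespaces (AND)."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    if ns_sel is not None and not selector_matches(ns_sel, src["ns_labels"]):
        return False
    if ns_sel is None and src["ns"] != policy_ns:
        return False  # a lone podSelector never reaches into other namespaces
    if pod_sel is not None and not selector_matches(pod_sel, src["pod_labels"]):
        return False
    return True


def ingress_allowed(policy, src):
    """The 'from' list is OR-ed: any one matching peer admits the source."""
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        for peer in rule.get("from", []):
            if peer_allows(peer, src, policy_ns):
                return True
    return False


# The documentation example from the question, as two separate peers:
# "namespace project=myproject OR pod role=frontend (in the policy's namespace)".
OR_POLICY = {
    "metadata": {"name": "or-example", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "ingress": [{"from": [
            {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
            {"podSelector": {"matchLabels": {"role": "frontend"}}},
        ]}],
    },
}

# Mark's form: one peer with both selectors, so "namespace=default AND app=admin".
AND_POLICY = {
    "metadata": {"name": "database.postgres", "namespace": "database"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "postgres"}},
        "ingress": [{"from": [
            {"namespaceSelector": {"matchLabels": {"namespace": "default"}},
             "podSelector": {"matchLabels": {"app": "admin"}}},
        ]}],
        "policyTypes": ["Ingress"],
    },
}


def pod(ns, ns_labels, pod_labels):
    """Constructed source pod: its namespace, the namespace's labels, its labels."""
    return {"ns": ns, "ns_labels": ns_labels, "pod_labels": pod_labels}


SOURCES = {  # constructed sample traffic sources
    "admin-in-default": pod("default", {"namespace": "default"}, {"app": "admin"}),
    "web-in-default": pod("default", {"namespace": "default"}, {"app": "web"}),
    "admin-in-staging": pod("staging", {"namespace": "staging"}, {"app": "admin"}),
    "any-in-myproject": pod("myproject", {"project": "myproject"}, {"role": "backend"}),
    "frontend-in-default": pod("default", {"namespace": "default"}, {"role": "frontend"}),
    "frontend-in-staging": pod("staging", {"namespace": "staging"}, {"role": "frontend"}),
}


def evaluate(policy):
    """Map each constructed source to whether the policy admits it."""
    return {name: ingress_allowed(policy, src) for name, src in SOURCES.items()}


if __name__ == "__main__":
    for label, policy in (("OR (two peers)", OR_POLICY), ("AND (one peer)", AND_POLICY)):
        print(label)
        for name, allowed in evaluate(policy).items():
            print(f"  {name:22s} {'allow' if allowed else 'deny'}")
```

Running it shows that under the two-peer form any pod in a `project=myproject` namespace gets in regardless of its own labels, which is the over-broad behaviour Kern's answer warns about, while the single-peer form admits only `app=admin` pods from a namespace labelled `namespace=default`. The `{}` versus omitted distinction is worth checking explicitly when reviewing policies: `namespaceSelector: {}` selects every namespace, which is a much wider grant than leaving the field out.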