K
Q

Kubernetes networking policy for service restriction

5/15/2018

I have many namespaces and multiple services running on each namespace.

We are using calico plugin in our Kubernetes ckuster.

Looking for a way to restrict access b/w services/ingress.

Say, Service A, Service B and Service C are running in Namespace A.

I want Service B to access Service A, but not Service C. Can this be done with Networking policy in Kubernetes? Any example will be a great help.

Also, I want no services from Namespace B accessing any services in Namepsace A. But, I need some services from Namespace C accessing some services in namespace A. Can this be done using calico?

Thanks

-- user1578872
kubernetes

Similar Questions

Kubernetes: configmaps is forbidden: User "kube" cannot list configmaps in the namespace "default"
google cloud - kubectl - ingress - "default backend - 404"
How to inject Maps using Spring @Value
Kubernetes oc rsync does not work due server gave HTTP response to HTTPS client
Disable Spring boot application from reconnecting when Redis is disconnected
Is it possible to pass arguments to kubernetes cron job when invoking it manually?
Serve RSA & EC certificate in same istio gateway

1 Answer

5/15/2018

Yes this is entirely possible.

Kubernetes network policies support both ingress/egress rules. Also there are three types of traffic selectors:

  • Based on ipBlock
  • Based on namespace selector
  • Based on pod selector

You can create labels on your pods and used those label selectors for identifying the pods to apply the policies.

Here is the link for the K8S api documentation for network policies.

And this github repository has lot of examples.

-- leodotcloud
Source: StackOverflow