Kubernetes networking policy for service restriction

5/15/2018

I have many namespaces and multiple services running on each namespace.

We are using the calico plugin in our Kubernetes cluster.

Looking for a way to restrict access b/w services/ingress.

Say, Service A, Service B and Service C are running in Namespace A.

I want Service B to access Service A, but not Service C. Can this be done with Networking policy in Kubernetes? Any example will be a great help.

Also, I want no services from Namespace B accessing any services in Namespace A. But, I need some services from Namespace C accessing some services in Namespace A. Can this be done using calico?

Thanks

-- user1578872
kubernetes

1 Answer

5/15/2018

Yes this is entirely possible.

Kubernetes network policies support both ingress/egress rules. Also there are three types of traffic selectors:

  • Based on ipBlock
  • Based on namespace selector
  • Based on pod selector

You can create labels on your pods and use those label selectors for identifying the pods to apply the policies to.

Here is the link for the K8S API documentation for network policies.

And this GitHub repository has a lot of examples.

-- leodotcloud
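Worked example for the scenario in the question, added here as an illustration and not part of the answer above or of any project's own manifests. It assumes the pods carry `app: service-a` / `app: service-b` / `app: service-c` labels in namespace `namespace-a`, and that namespace `namespace-c` has been labelled `team: c` (e.g. `kubectl label namespace namespace-c team=c`), since a `namespaceSelector` matches namespace labels, not names. The first policy makes ingress default-deny for every pod in `namespace-a`; the second re-opens Service A only to Service B in the same namespace and to pods labelled `app: service-x` in namespace C. Service C and everything in namespace B are denied simply by not being listed, because policies are additive allow-lists:

```yaml
# Constructed example: default-deny ingress for all pods in namespace-a.
# An empty podSelector selects every pod; an empty ingress list allows nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: namespace-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Constructed example: allow only the named callers to reach Service A.
# Each item under "from" is OR-ed; selectors inside one item are AND-ed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-service-a
  namespace: namespace-a
spec:
  podSelector:
    matchLabels:
      app: service-a            # assumed label on Service A's pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Same-namespace caller: a podSelector alone matches pods in namespace-a.
        - podSelector:
            matchLabels:
              app: service-b    # assumed label on Service B's pods
        # Cross-namespace caller: namespaceSelector AND podSelector in one item,
        # so only app=service-x pods living in a namespace labelled team=c match.
        - namespaceSelector:
            matchLabels:
              team: c           # assumed label applied to namespace-c
          podSelector:
            matchLabels:
              app: service-x    # assumed label on the permitted pods in namespace-c
      ports:
        - protocol: TCP
          port: 8080            # assumed container port Service A listens on
```

Two caveats worth checking after applying this: policies are enforced only when the CNI plugin implements them (Calico does), so verify with a `kubectl exec` from a Service C pod that the connection is actually refused rather than assuming it; and the `port` must be the pod's container port, not the Service port, because the policy is evaluated after kube-proxy has translated the cluster IP.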
Source: StackOverflow