Kubernetes - Network policy for communication b/w services

6/21/2018

I need help on Network policy for the below requirement.

Is it possible to let Application A in namesapce A connect to only Application B in namesapce B? I want only one application from one namesapce to connect to only one application on another namespace?

I have a network policy at global for default deny all.

Currently, there is only OR for network policy. What I am looking for is AND so that I can say, allow namespace A & pod A. Is there anyway to achieve this?

Thanks

-- user1578872
kubernetes

3 Answers

4/8/2019

Yes, you can do this. For an ingress network policy, you just have to set both namespaceSelector and podSelector in the from section to specify both the namespace and pod labels (of application A and namespace A, in your example) -- the selectors are ANDed together. For the target, use the podSelector field to select application B, and make sure the namespace in the network policy metadata is set to namespace B.

Note that to use namespaceSelector, you will have to label your namespace. Namespaces are not labeled in Kubernetes by default.

Check out the Across Namespaces section in this guide for a more thorough explanation, and an example YAML.

-- viswajithiii
Source: StackOverflow

6/22/2018

How groups of pods are allowed to communicate with each other and other network endpoints is configured with NetworkPolicy resource. Your networking solution (CNI plugin) has to support NetworkPolicy, because you need a controller. Simply creating the resource without a controller to implement it will have no effect.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Take a look at https://kubernetes.io/docs/concepts/services-networking/network-policies/ for more examples.

-- Nicola Ben
Source: StackOverflow

6/22/2018

Pods can communicate with each other across the namespaces:

App 1 in namespace 1:

$ kubectl -n namespace1 get po -o wide
NAME                                        READY     STATUS    RESTARTS   AGE       IP              NODE
app1-5d8bb8ffbb-7x74v                       1/1       Running   0          1d        10.233.65.115   node1.example.kz

App 2 in namespace 2:

$ kubectl -n namespace2 get po -o wide
NAME                                        READY     STATUS    RESTARTS   AGE       IP              NODE
app2-569f46b8d5-fz9dw                       1/1       Running   0          1d        10.233.67.80    node2.example.kz

I can connect to the App 2 from the App 1:

kubectl -n namespace1 exec app1-5d8bb8ffbb-7x74v -- ping -c 1 10.233.67.80
PING 10.233.67.80 (10.233.67.80) 56(84) bytes of data.
64 bytes from 10.233.67.80: icmp_seq=1 ttl=62 time=0.917 ms

--- 10.233.67.80 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.917/0.917/0.917/0.000 ms

This example is very simple. Depending on kind of connection and your apps configuration, you might need Service, Ingress resources

More info:

Also, this documentation will be helpful:

-- Konstantin Vustin
Source: StackOverflow