I need help with a network policy for the requirement below.
Is it possible to let Application A in namespace A connect to only Application B in namespace B? I want only one application from one namespace to connect to only one application in another namespace.
I have a global default-deny-all network policy.
Currently, there is only OR for network policy. What I am looking for is AND, so that I can say: allow namespace A & pod A. Is there any way to achieve this?
Thanks
Yes, you can do this. For an ingress network policy, you just have to set both namespaceSelector and podSelector in the from section to specify both the namespace and pod labels (of application A and namespace A, in your example); the selectors are ANDed together. For the target, use the podSelector field to select application B, and make sure the namespace in the network policy metadata is set to namespace B.
Note that to use namespaceSelector, you will have to label your namespace. Namespaces are not labeled in Kubernetes by default.
Check out the Across Namespaces section in this guide for a more thorough explanation and an example YAML.
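As an added illustration of the AND-versus-OR point (example code written for this edit, not from the answer above, from the Kubernetes project or from any CNI plugin): the policy the answer describes is written below as a Python dict that mirrors its YAML, next to the two-element from form that ORs the same selectors, and a small evaluator shows which sources each one admits. The namespace names, the labels app=app-a / app=app-b / team=a and the policy names are assumptions. The evaluator is a simplified model of the selector semantics only (no ports, ipBlock, egress or matchExpressions), so verify real behaviour with kubectl against your CNI.

```python
"""Toy model of how NetworkPolicy ingress selectors combine.

Added example for this thread; not code from Kubernetes or any CNI plugin.
It models only label selectors in a `from` list: ipBlock, ports, egress and
matchExpressions are left out. Namespaces and labels below are assumptions.
"""

# Namespace labels as an admin would set them, e.g.
# `kubectl label namespace namespace-a team=a` (assumed values).
NS_LABELS = {
    "namespace-a": {"team": "a"},
    "namespace-b": {"team": "b"},
    "namespace-c": {"team": "c"},
}

# "Global" default deny for ingress. NetworkPolicy is namespaced, so this
# copy lives in namespace-b, where the target application runs.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny", "namespace": "namespace-b"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

# The policy the answer describes: ONE `from` element carrying BOTH
# selectors, so they are ANDed (namespace team=a AND pod app=app-a).
POLICY_AND = {
    "metadata": {"name": "allow-app-a-to-app-b", "namespace": "namespace-b"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "app-b"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "a"}},
                               "podSelector": {"matchLabels": {"app": "app-a"}}}]}],
    },
}

# The common mistake: the same selectors as TWO `from` elements, which are
# ORed. A bare podSelector is scoped to the policy's own namespace.
POLICY_OR = {
    "metadata": {"name": "allow-too-much", "namespace": "namespace-b"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "app-b"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "a"}}},
                              {"podSelector": {"matchLabels": {"app": "app-a"}}}]}],
    },
}


def _matches(selector, labels):
    """matchLabels: every listed key must be present with that value; {} matches all."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _peer_allows(peer, policy_ns, src):
    """Evaluate one element of a `from` list against a source pod."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None and pod_sel is not None:   # both in one element: AND
        return _matches(ns_sel, src["ns_labels"]) and _matches(pod_sel, src["labels"])
    if ns_sel is not None:                            # namespace only: any pod there
        return _matches(ns_sel, src["ns_labels"])
    if pod_sel is not None:                           # pod only: policy's own namespace
        return src["namespace"] == policy_ns and _matches(pod_sel, src["labels"])
    return False                                      # ipBlock etc. not modelled


def ingress_allowed(policies, dst, src):
    """True if src may reach dst. A pod is isolated once any policy in its own
    namespace selects it; traffic then needs a rule in some selecting policy
    whose `from` admits src. A rule without `from` admits every source."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and _matches(p["spec"].get("podSelector", {}), dst["labels"])
    ]
    if not selecting:
        return True  # nothing selects dst: not isolated, all ingress allowed
    for p in selecting:
        for rule in p["spec"].get("ingress", []):  # absent `ingress` = deny all
            peers = rule.get("from")
            if not peers or any(_peer_allows(x, p["metadata"]["namespace"], src) for x in peers):
                return True
    return False


def pod(namespace, app, ns_labels=None):
    """Constructed pod record: namespace, that namespace's labels, pod labels."""
    labels = NS_LABELS.get(namespace, {}) if ns_labels is None else ns_labels
    return {"namespace": namespace, "ns_labels": labels, "labels": {"app": app}}


APP_B = pod("namespace-b", "app-b")                 # the target
APP_A = pod("namespace-a", "app-a")                 # the one intended source
OTHER_IN_A = pod("namespace-a", "app-x")            # right namespace, wrong pod
APP_A_IN_C = pod("namespace-c", "app-a")            # right pod label, wrong namespace
APP_A_IN_B = pod("namespace-b", "app-a")            # same pod label, target's namespace
APP_A_UNLABELED_NS = pod("namespace-a", "app-a", ns_labels={})  # namespace never labelled

if __name__ == "__main__":
    for name, pols in (("AND", [DEFAULT_DENY, POLICY_AND]), ("OR", [DEFAULT_DENY, POLICY_OR])):
        for src in ("APP_A", "OTHER_IN_A", "APP_A_IN_C", "APP_A_IN_B", "APP_A_UNLABELED_NS"):
            print(f"{name:3} {src:20} -> {ingress_allowed(pols, APP_B, globals()[src])}")
```

Running it shows the difference the question is about: with the single ANDed element only app-a from the team=a namespace gets through, while the two-element form also admits every other pod in that namespace and any app=app-a pod inside namespace-b itself. The last row also shows the caveat from the answer: if the source namespace was never labelled, the ANDed policy denies it even though the pod labels match.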
How groups of pods are allowed to communicate with each other and with other network endpoints is configured with the NetworkPolicy resource. Your networking solution (CNI plugin) has to support NetworkPolicy, because you need a controller. Simply creating the resource without a controller to implement it will have no effect.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  # Empty podSelector: applies to every pod in the namespace the policy is created in
  podSelector: {}
  policyTypes:
  - Ingress
```
Take a look at https://kubernetes.io/docs/concepts/services-networking/network-policies/ for more examples.
Pods can communicate with each other across the namespaces:
App 1 in namespace 1:
$ kubectl -n namespace1 get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE
app1-5d8bb8ffbb-7x74v 1/1 Running 0 1d 10.233.65.115 node1.example.kz
App 2 in namespace 2:
$ kubectl -n namespace2 get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE
app2-569f46b8d5-fz9dw 1/1 Running 0 1d 10.233.67.80 node2.example.kz
I can connect to App 2 from App 1:
$ kubectl -n namespace1 exec app1-5d8bb8ffbb-7x74v -- ping -c 1 10.233.67.80
PING 10.233.67.80 (10.233.67.80) 56(84) bytes of data.
64 bytes from 10.233.67.80: icmp_seq=1 ttl=62 time=0.917 ms
--- 10.233.67.80 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.917/0.917/0.917/0.000 ms
This example is very simple. Depending on the kind of connection and your apps' configuration, you might need Service or Ingress resources.
More info:
Also, this documentation will be helpful: