Network policy in Kubernetes for access through Ingress only

10/30/2018

I am new to Kubernetes. We have three namespaces (dev, uat, prod).

Our containers have rest services which we want to expose to external world with Ingress (with client authentication). This is working fine.

But right now, we can call our rest service from other containers in other namespaces just by using the K8s service name. We want to block such access.

We want to allow access to pods only by their respective k8s Ingress. How can we achieve this?

I tried to create two network policies to achieve this, but this does not work.

policy 1

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
  namespace: ns1
spec:
  podSelector: {}
  ingress: []

policy 2

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-external
spec:
  podSelector:
    matchLabels:
      tier: backend
  ingress:
  - from: []

After I apply the first policy, I cannot access my rest service through Ingress. After I apply the second policy, the rest service is again accessible from all the containers just by using the k8s service name, without going through Ingress.

Is there any way to achieve this?

(Also, adding labels to namespaces is not an option)

-- N..
kubernetes
kubernetes-ingress
kubernetes-networkpolicy

0 Answers
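Added example (not from the question or from any answer): one way to express the intended restriction with NetworkPolicy. In the question's second policy, an ingress rule with `from: []` matches every source, which is why the service became reachable from all pods again; the rule below instead admits only the ingress controller pods. Assumed placeholders: the ingress controller runs in namespace `ingress-nginx` with pod label `app.kubernetes.io/name=ingress-nginx`, the protected pods carry `tier: backend` and listen on TCP 8080, and the cluster's CNI plugin enforces NetworkPolicy (the API object alone does nothing without an enforcing CNI).

```yaml
# Added example, not from the original question. Placeholder values:
# namespace "ingress-nginx", pod label app.kubernetes.io/name=ingress-nginx,
# backend port 8080. Requires a NetworkPolicy-enforcing CNI.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ns1
spec:
  podSelector: {}          # selects every pod in ns1
  policyTypes:
  - Ingress                # no ingress rules listed -> all inbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-controller
  namespace: ns1           # the question's second policy omitted the namespace
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in ONE list item are ANDed:
    # only these pods in this namespace may connect. Written as two
    # separate items they would be ORed and admit every pod in the
    # ingress-nginx namespace plus every ingress-nginx-labelled pod anywhere.
    - namespaceSelector:
        matchLabels:
          # Kubernetes 1.21+ sets this label on every namespace automatically,
          # so no manual namespace labelling is needed to match it.
          kubernetes.io/metadata.name: ingress-nginx
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080           # only the service port, not every port on the pod
```

To verify enforcement, `kubectl exec` into a pod in another namespace and curl the backend's service name: the connection should time out, while the same request through the Ingress hostname still succeeds. On clusters older than 1.21 the automatic namespace label is absent, so the ingress controller would have to be matched by `ipBlock` on its pod IP range instead.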