I am new to Kubernetes. We have three namespaces (dev, uat, prod).
Our containers have rest services which we want to expose to external world with Ingress (with client authentication). This is working fine.
But right now, we can call our rest service from other containers on other namespace by just using the K8s service name. We want to block such access.
We want to allow access to pods only by their respective k8s Ingress. How can we achieve this?
I tried to create two network policies to achieve this but this does not work..
policy 1
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny-all
namespace: ns1
spec:
podSelector: {}
ingress: []
policy 2
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-external
spec:
podSelector:
matchLabels:
tier: backend
ingress:
- from: []
After I apply first policy, I cannot access my rest service through Ingress. After I apply second policy, the rest service is again accessible from all the containers just by using k8s service name without going through Ingress.
Is there any way how to achieve this?
(Also, adding labels to namespaces is not an option)