How to allow/deny http requests from other namespaces of the same cluster?

1/19/2019

In a cluster with 2 namespaces (ns1 and ns2), I deploy the same app (deployment) and expose it with a service.

I thought separate namespaces would prevent me from executing curl http://deployment.ns1 from a pod in ns2, but apparently, it's possible.

So my question is, how to allow/deny such cross namespaces operations? For example:

  • pods in ns1 should accept requests from any namespace
  • pods (or service?) in ns2 should deny all requests from other namespaces
-- znat
kubernetes
kubernetes-networkpolicy

2 Answers

1/19/2019

Good that you are working with namespace isolation.

  1. Deploy a new kind NetworkPolicy in your ns1 with ingress from all. You can look up the documentation to define a network ingress policy to allow all inbound traffic.

  2. Likewise for ns2, you can create a new kind NetworkPolicy and deploy the config in ns2 to deny all ingress. Again the docs will come to the rescue to help you with the YAML construct.

It may look something like this:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: ns1
  name: web-allow-all-namespaces
spec:
  podSelector:
    matchLabels:
      app: app_name_ns1
  ingress:
  - from:
    - namespaceSelector: {}
-- Raunak Jhawar
Source: StackOverflow
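The counterpart for ns2, as an added example that is not part of the answer above: it selects every pod in ns2 and allows ingress only from pods in the same namespace, so requests from ns1 (or any other namespace) are dropped. The policy name is assumed.

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: ns2
  name: web-deny-other-namespaces   # assumed name
spec:
  # Empty podSelector: this policy applies to every pod in ns2.
  podSelector: {}
  # Make the policy explicitly an ingress policy; egress stays unrestricted.
  policyTypes:
  - Ingress
  ingress:
  - from:
    # A bare podSelector (no namespaceSelector) only matches pods in the
    # policy's own namespace, so intra-ns2 traffic is allowed and
    # everything from other namespaces is denied.
    - podSelector: {}
```

NetworkPolicy objects are only enforced when the cluster's network plugin implements them; after applying, a curl from a pod in ns1 to a pod in ns2 should time out while a curl from another ns2 pod still succeeds.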

1/19/2019

It would not be the answer you want, but I can provide helpful feature information to implement your requirements.

AFAIK Kubernetes can define a network policy to limit network access.

Refer to Declare Network Policy for more details on Network Policy.

-- Daein Park
Source: StackOverflow