Block access between namespaces but allow access for external traffic

5/13/2019

I have two namespaces: prod and default. I want to disable access between resources inside these namespaces (resources from the default NS can't access resources from prod, and resources from prod can't access resources from default) BUT allow external traffic (ingresses) to access these resources.

# namespaces.yaml

---
kind: Namespace
apiVersion: v1
metadata:
  name: prod
  labels:
    tier: prod

---
kind: Namespace
apiVersion: v1
metadata:
  name: default
  labels:
    tier: infra

# network-policies.yaml

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: network
  namespace: prod
spec:
  podSelector: {}
  ingress:
    - from:
      - podSelector: {}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: network
  namespace: default
spec:
  podSelector: {}
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            tier: dev
      - namespaceSelector:
          matchLabels:
            tier: rc

# services.yaml

---
apiVersion: v1
kind: Service
metadata:
  name: {{ include "conference.appService" . }}
  labels:
    app: {{ include "conference.name" . }}
    release: {{ .Release.Name }}
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
  selector:
    app: {{ include "conference.name" . }}
    release: {{ .Release.Name }}
    role: app

Pods from prod have access to the other pods inside the given namespace. Pods from default don't have access to the pods inside prod.

When I try to access the service from the browser, it's blocked. When I use port-forwarding to the service inside prod, all works fine.

-- unitto
google-kubernetes-engine
kubernetes
kubernetes-ingress
kubernetes-service

2 Answers

5/13/2019

Define a default deny network policy to deny all ingress-type traffic.

Deploy another namespace called ingress.

Deploy the ingress controller in the ingress namespace.

Then define a network policy to allow access from the ingress namespace to prod and another one to allow access from ingress to default. You should be able to access both prod and default externally via the ingress controller.

-- P Ekambaram
Source: StackOverflow
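The policy set this answer describes, written out as an added example (not the answerer's own manifests). It assumes the ingress namespace is labelled tier: ingress; that label is an assumption, and the same two policies repeated with namespace: default cover the default namespace.

```yaml
# Constructed example: the ingress namespace and its tier: ingress label are assumed.
---
kind: Namespace
apiVersion: v1
metadata:
  name: ingress
  labels:
    tier: ingress
---
# 1. Default deny for prod: the empty podSelector selects every pod in the
#    namespace, and with no ingress rules listed nothing is allowed in
#    (including traffic from pods in default).
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-ingress
  namespace: prod
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2. Allow-list for prod: policies are additive, so this opens a hole in the
#    deny policy for pods in any namespace labelled tier: ingress only.
#    A namespaceSelector with no podSelector matches all pods in that
#    namespace, so the ingress controller can forward external requests to
#    prod while pods in default still cannot reach it.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-ingress
  namespace: prod
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              tier: ingress
```

On GKE, NetworkPolicy objects only take effect once network policy enforcement is enabled on the cluster. If the GKE-provided ingress (a GCE load balancer) is used instead of an in-cluster controller, the traffic arrives from outside the cluster, so an ipBlock rule for the load balancer's source ranges is needed in place of the namespaceSelector.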

5/13/2019

The problem was in the from part of the network policy.

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: network
  namespace: default
spec:
  podSelector: {}
  ingress:
    - from:
      - ipBlock:
          cidr: 0.0.0.0/0
      - podSelector: {}
      - namespaceSelector:
          matchLabels:
            tier: dev
      - namespaceSelector:
          matchLabels:
            tier: rc
  egress:
    - {}

The main idea of these selectors is:

podSelector - for selecting the pods IN THE CURRENT namespace

namespaceSelector - for selecting the namespaces

namespaceSelector.podSelector - for selecting pods inside the given namespace

and my problem:

ipBlock - for selecting EXTERNAL IP addresses

It doesn't work for internal IPs, so in my case 0.0.0.0/0 will be OK, except it will not disallow internal traffic.

-- unitto
Source: StackOverflow