Kubernetes network policy with external services

6/15/2019

The problem:

I'm trying to enable my API to ingress with my external managed database, while requiring a whitelist for everything else.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: server-allow-external
spec:
  podSelector:
    matchLabels:
      component: api
  ingress:
    - from:
        - namespaceSelector: {}
        - podSelector:
            matchLabels: frontend
        - ipBlock:
            cidr: 172.17.0.0/16

I've tried all sorts of combinations here. Network plugin policies, mapping the external DB to a cluster based service, etc. and I haven't had luck.

Note: Yup, I'm allowing all namespace communication.

The code above is where I've arrived logically to fix the problem...but it still doesn't work. I also have a load balancer that sits outside of this if that might have an effect?

Code:

I have a frontend that relies on a backend API (all within the default namespace). Then an external DB. I've implemented a default deny policy:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  ingress: []

Then I allowed access to the frontend from the web:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-external
spec:
  podSelector:
    matchLabels:
      component: frontend
  ingress:
    - from: []
-- dizzy
kubernetes
kubernetes-networkpolicy

1 Answer

6/26/2019

Configure your network policy for the external server. You have to fix the section which defines ingress.

Just add a subsection to matchLabels - component: frontend:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: server-allow-external
spec:
  podSelector:
    matchLabels:
      component: api
  ingress:
    - from:
        - namespaceSelector: {}
        - podSelector:
            matchLabels:
              component: frontend
        - ipBlock:
            cidr: 172.17.0.0/16

I hope it helps.

-- MaggieO
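To see why the corrected policy behaves the way it does, the following is an added example (not code from the question or the answer) that models the Kubernetes NetworkPolicy ingress rules in plain Python and runs them against the policies from this page. The policies are embedded as dicts built from the YAML above; the source pods and IP addresses are constructed test data. Assumptions made for the toy: ports are ignored (none of the page's rules set `ports`, so each applies to all ports), `ipBlock` is evaluated only for traffic that does not originate from a cluster pod, and a policy without `metadata.namespace` is taken to live in `default`.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress semantics (added example)."""
import ipaddress


def validate_selector(selector):
    """Mimic the API server: matchLabels must be a map, not a bare string."""
    labels = selector.get("matchLabels", {})
    if not isinstance(labels, dict):
        raise ValueError(f"matchLabels must be a map, got {labels!r}")
    return True


def selector_matches(selector, labels):
    """An empty selector ({}) matches everything; matchLabels entries are ANDed."""
    validate_selector(selector)
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns):
    """One entry of `from`: keys inside an entry are ANDed, entries are ORed."""
    if "ipBlock" in peer:
        if src.get("namespace") is not None:
            return False  # assumption: ipBlock is for cluster-external traffic only
        block = peer["ipBlock"]
        ip = ipaddress.ip_address(src["ip"])
        inside = ip in ipaddress.ip_network(block["cidr"])
        excluded = any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
        return inside and not excluded
    if src.get("namespace") is None:
        return False  # label selectors never match sources outside the cluster
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], src["namespace_labels"]):
            return False
    elif src["namespace"] != policy_ns:
        return False  # a podSelector on its own is scoped to the policy's namespace
    if "podSelector" in peer:
        return selector_matches(peer["podSelector"], src["pod_labels"])
    return True


def policy_allows(policy, src):
    """True if any ingress rule of this policy admits the source."""
    ns = policy["metadata"].get("namespace", "default")
    for rule in policy["spec"].get("ingress", []):
        peers = rule.get("from") or []
        if not peers:
            return True  # empty or missing `from` matches all sources
        if any(peer_matches(p, src, ns) for p in peers):
            return True
    return False  # `ingress: []` ends up here: isolated with nothing allowed


def ingress_allowed(policies, pod_labels, pod_ns, src):
    """Policies selecting the pod are unioned; a pod no policy selects is open."""
    selecting = [
        p for p in policies
        if p["metadata"].get("namespace", "default") == pod_ns
        and selector_matches(p["spec"]["podSelector"], pod_labels)
    ]
    return True if not selecting else any(policy_allows(p, src) for p in selecting)


# Policies from the page, as dicts (namespace assumed "default" where omitted).
DEFAULT_DENY = {"metadata": {"name": "default-deny-all", "namespace": "default"},
                "spec": {"podSelector": {}, "ingress": []}}
ALLOW_EXTERNAL = {"metadata": {"name": "allow-external", "namespace": "default"},
                  "spec": {"podSelector": {"matchLabels": {"component": "frontend"}},
                           "ingress": [{"from": []}]}}
SERVER_ALLOW_EXTERNAL = {  # the answer's corrected policy
    "metadata": {"name": "server-allow-external", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"component": "api"}},
             "ingress": [{"from": [
                 {"namespaceSelector": {}},
                 {"podSelector": {"matchLabels": {"component": "frontend"}}},
                 {"ipBlock": {"cidr": "172.17.0.0/16"}}]}]}}
QUESTION_SELECTOR = {"matchLabels": "frontend"}  # the malformed selector from the question
POLICIES = [DEFAULT_DENY, SERVER_ALLOW_EXTERNAL]
API_POD = {"component": "api"}
FRONTEND_POD = {"component": "frontend"}

# Constructed sources: two cluster pods and two addresses outside the cluster.
FRONTEND = {"ip": "10.244.1.7", "namespace": "default", "namespace_labels": {},
            "pod_labels": FRONTEND_POD}
OTHER_NS_POD = {"ip": "10.244.2.3", "namespace": "monitoring",
                "namespace_labels": {"team": "ops"}, "pod_labels": {"app": "scraper"}}
DB_HOST = {"ip": "172.17.40.2"}
INTERNET = {"ip": "203.0.113.9"}

if __name__ == "__main__":
    for name, src in [("frontend pod", FRONTEND), ("pod in other namespace", OTHER_NS_POD),
                      ("database host", DB_HOST), ("internet host", INTERNET)]:
        print(f"api <- {name:24} {ingress_allowed(POLICIES, API_POD, 'default', src)}")
    print(f"frontend <- internet (deny only) {ingress_allowed(POLICIES, FRONTEND_POD, 'default', INTERNET)}")
    print(f"frontend <- internet (+allow)    "
          f"{ingress_allowed(POLICIES + [ALLOW_EXTERNAL], FRONTEND_POD, 'default', INTERNET)}")
```

Running it shows the two points worth checking before applying the corrected policy. First, the question's `matchLabels: frontend` is a string where a map is required, so the object is rejected at validation rather than silently doing nothing. Second, the three `from` entries are ORed: because `namespaceSelector: {}` matches every namespace, the pod in the `monitoring` namespace reaches the API as well, and the `component: frontend` entry adds nothing while that first entry is present. If the intent is "frontend pods plus the 172.17.0.0/16 database range and nothing else", the `namespaceSelector: {}` entry should be dropped.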
Source: StackOverflow