The problem:
I'm trying to enable my API to ingress with my external managed database, while requiring a whitelist for everything else.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: server-allow-external
spec:
  podSelector:
    matchLabels:
      component: api
  ingress:
  - from:
    - namespaceSelector: {}
    - podSelector:
        matchLabels: frontend
    - ipBlock:
        cidr: 172.17.0.0/16
I've tried all sorts of combinations here: network plugin policies, mapping the external DB to a cluster-based service, etc., and I haven't had any luck.
Note: Yup, I'm allowing all namespace communication.
The code above is where I've arrived logically to fix the problem, but it still doesn't work. I also have a load balancer that sits outside of this, if that might have an effect?
Code:
I have a frontend that relies on a backend API (all within the default namespace). Then an external DB. I've implemented a default deny policy:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  ingress: []
Then I allowed access to the frontend from the web:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-external
spec:
  podSelector:
    matchLabels:
      component: frontend
  ingress:
  - from: []
Configure your network policy for the external server. You have to fix the section which defines ingress.
Just add a subsection to matchLabels: component: frontend
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: server-allow-external
spec:
  podSelector:
    matchLabels:
      component: api
  ingress:
  - from:
    - namespaceSelector: {}
    - podSelector:
        matchLabels:
          component: frontend
    - ipBlock:
        cidr: 172.17.0.0/16
I hope it helps.
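Two points worth checking beyond the label fix, shown as an added example that is not part of the question or the answer above. First, a NetworkPolicy with only an ingress section (and no policyTypes) defaults to policyTypes: [Ingress], so the default-deny-all policy in the question never restricted egress; the API's connections to the external DB are egress, and if egress is later locked down the DB range, its port and cluster DNS must be allowed explicitly. Second, the answer's rule admits any pod in any namespace (namespaceSelector: {}) and anything in 172.17.0.0/16 to the API, which is much broader than frontend-only; the manifest below narrows it. Values not on the page are assumptions: the DB is in 172.17.0.0/16 on TCP 5432, the API listens on TCP 8080, and cluster DNS runs in kube-system with the label k8s-app=kube-dns on a cluster version that sets the kubernetes.io/metadata.name namespace label.

```yaml
# Added example (not the question's or the answer's manifests): a complete
# policy set for namespace "default" with deny-by-default in both directions.
# Assumed values: DB range 172.17.0.0/16 on TCP 5432, API on TCP 8080,
# DNS pods labelled k8s-app=kube-dns in kube-system.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]   # without Egress here, egress stays open
---
# Every pod in the namespace may resolve names; nothing else is opened here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns            # assumed DNS pod label
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# Frontend: reachable from any source (the load balancer fronts it),
# and may only talk out to the API.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external
  namespace: default
spec:
  podSelector:
    matchLabels:
      component: frontend
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - {}                                 # empty rule: all sources allowed
  egress:
  - to:
    - podSelector:
        matchLabels:
          component: api
    ports:
    - protocol: TCP
      port: 8080                       # assumed API port
---
# API: accepts only frontend pods from this namespace; may only reach the DB.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      component: api
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - podSelector:                     # no namespaceSelector: same namespace only
        matchLabels:
          component: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - ipBlock:
        cidr: 172.17.0.0/16            # assumed external DB range
    ports:
    - protocol: TCP
      port: 5432                       # assumed DB port
```

Apply with kubectl apply -f and confirm the CNI plugin actually enforces NetworkPolicy (a cluster whose plugin does not, for example default kubenet, accepts these objects and silently ignores them). One caveat about the load balancer mentioned in the question: traffic arriving through a cloud LoadBalancer or NodePort is often SNATed to a node address before it reaches the pod, so an ingress ipBlock keyed on an external client range may never match; the frontend rule above deliberately allows all sources rather than relying on ipBlock for that path.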