I can't find in the official docs whether NetworkPolicy blocks NodePort ingress traffic.
ingress:
- from:
  - podSelector:
      matchLabels:
        role: frontend
Considering the NetworkPolicy above, is it expected that it will block any ingress traffic to NodePort-type services within my namespace?
If so, how do I allow such traffic into my namespace? Will ipBlock solve it?
Do Kubernetes NetworkPolicies block NodePort traffic?
Not really.
As it says in the docs: "...is a specification of how groups of pods...". Basically, they are applied to pods or groups of pods. NodePort is defined in Kubernetes as a type of Service.
You can restrict traffic by applying the Network Policy to your namespace and specifying ipBlock, as you mentioned. This will specifically restrict traffic to your pods but not to the NodePort. (It may be all that you need.)
To restrict traffic to NodePorts you will have to use an alternative external solution, and it will really depend on your setup. For example, if you are using a cloud provider like AWS, you could use security groups.
Alternatively, GCP provides Google Cloud Armor with a Backend Config that allows you to control traffic to a service/ingress.
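As an added example (not part of the question or of the answer above), the manifests below put the question's ingress rule into a complete NetworkPolicy and then add the ipBlock rule the question asks about. The namespace shop, the label app=api, the client range 203.0.113.0/24 and the node range 10.0.0.0/16 are made up for illustration. Two points matter when writing such a rule. First, NetworkPolicy is enforced by the CNI plugin, so on a cluster whose network plugin does not implement it the objects are accepted and silently do nothing. Second, traffic that enters through a NodePort is DNATed to a pod IP, so the policy of the selected pods is applied to it, and the source address the policy sees depends on the Service's externalTrafficPolicy: with the default Cluster, kube-proxy SNATs the packet to a node IP before it reaches the pod, so the ipBlock has to cover the node addresses; with Local, the client's address is preserved (and only nodes running a ready endpoint accept the traffic), so the ipBlock can name the client range.

```yaml
# Added example; names, labels and CIDRs are hypothetical.
# Policy 1: the rule from the question, completed into a full object.
# It selects the api pods and allows ingress only from frontend pods in the
# same namespace. A client coming in through a NodePort never matches a
# podSelector, so once this policy selects the pods that traffic is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-from-frontend-only
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
---
# Policy 2: the same pods, plus an ipBlock rule for NodePort clients.
# Peers inside one `from` list are ORed, and the `ports` list applies to
# every peer in that rule. The node range is listed because with
# externalTrafficPolicy: Cluster the packet arrives SNATed to a node IP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-from-frontend-and-nodeport
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
  - from:
    - ipBlock:
        cidr: 203.0.113.0/24        # hypothetical client range (needs Local)
    - ipBlock:
        cidr: 10.0.0.0/16           # hypothetical node range (Cluster policy)
        except:
        - 10.0.255.0/24             # hypothetical node subnet to exclude
    ports:
    - protocol: TCP
      port: 8080                    # the pod's containerPort, not the nodePort
---
# The NodePort Service. externalTrafficPolicy: Local keeps the client's
# source address, so the 203.0.113.0/24 ipBlock above matches real clients.
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: shop
spec:
  type: NodePort
  externalTrafficPolicy: Local
  selector:
    app: api
  ports:
  - port: 80
    targetPort: 8080
    nodePort: 30080
```

NetworkPolicies are additive, so applying both policies simply yields the union of their rules; the first is shown only to make the default-deny behaviour explicit, and in practice you would apply one or the other. After applying, confirm which pods are selected with kubectl describe networkpolicy -n shop, then test once from a pod without the role=frontend label and once from an external client against the node port, so that both the pod-to-pod and the NodePort paths are exercised.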