Network policy to deny traffic from a particular namespace

1/9/2020

So let's say I have 5 namespaces - prod, preprod, uat, dev, and test. Each namespace has a different label - ns=prod, ns=preprod, ns=uat, ns=dev, and ns=test.

Question: So I want to create a network policy where I don't want to send traffic (egress) from ns=test to a particular namespace whose label is ns=prod. But ns=test should be able to do egress to all other namespaces.

Documentation: https://kubernetes.io/docs/concepts/services-networking/network-policies/ https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/

I tried to create a manifest file from the above documentation but had no luck. I'm able to do this using podSelector (labels of pods, but not using only namespaces as a whole).

-- Ashutosh
kubernetes
kubernetes-networkpolicy
kubernetes-pod
namespaces

2 Answers

1/9/2020

It would be easier if you could add the code snippet. However, it's not that tough to figure out what is going wrong.

I am thinking something like this might be the issue with your network policy. Your pods might be requiring world wide web connection, so you cannot stop comms from test to prod through egress rule as you might be adding 0.0.0.0/0 to let your pods on any env to communicate to outer world to download external libraries or whatever stuff associated with your application.

Due to this it is slightly difficult to add the egress rule to stop comms to any env. But on the contrary you can add an ingress rule to the prod ns to not let communications from test or dev. Something like this might work, but again, we can change it based on needs.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prod-network-policy
  namespace: prod
spec:
  podSelector:
    matchLabels:
      ns: prod
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    # A YAML mapping cannot repeat a key, so several "ns:" entries under
    # matchLabels collapse into one; matchExpressions expresses a set of values.
    - namespaceSelector:
        matchExpressions:
        - key: ns
          operator: In
          values: [prod, dev, uat]
    # A podSelector peer selects pods in this policy's own namespace (prod)
    - podSelector:
        matchExpressions:
        - key: ns
          operator: In
          values: [prod, dev, uat]
    - ipBlock:
        cidr: 10.0.1.101/32 # assuming incoming requests come from the ingress controller
  egress:
  - to: []  # an empty "to" matches all destinations, so egress stays unrestricted

There are several ways one can achieve this. But, I also sometimes refer to these example recipes on GitHub.

Edit based on comment: addition of other namespaces to the ingress rule to allow traffic from other namespaces except test.

Hope this is helpful.

-- BinaryMonster
Source: StackOverflow

1/10/2020

You can do this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-example
  namespace: test
spec:
  podSelector:
    matchLabels:
      ns: test
  policyTypes:
  - Egress
  egress:
  - to:
    # A YAML mapping cannot repeat a key, so four "ns:" entries under
    # matchLabels would collapse into one; matchExpressions lists the set.
    - namespaceSelector:
        matchExpressions:
        - key: ns
          operator: In
          values: [preprod, uat, dev, test]
    ports:
    - protocol: TCP
      port: 80

...which will prevent any pod in the namespace test with the label ns=test from talking to anyone except pods in the namespaces listed under the namespaceSelector.

You could also do it the other way around: create a NetworkPolicy in the namespace prod and cut off ingress traffic of the pods with label ns=prod. Same result.

Note: You need a NetworkPolicy controller, as it is not in the binaries of Kubernetes.

-- suren
Source: StackOverflow
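Both answers list several `ns:` keys under one `matchLabels` mapping, which YAML cannot represent (a parser either rejects the duplicate or keeps only the last value). The following is an added example, not code from the question or either answer: a small evaluator of Kubernetes label-selector semantics that shows which namespaces the posted egress rule really selects, what the first answer's empty `to: []` allows, and how a `NotIn` expression expresses the asker's "everything except prod" rule. It assumes a parser that keeps the last duplicate key, and the five namespaces and labels from the question.

```python
# Added example: evaluate Kubernetes LabelSelector semantics against the
# namespaces from the question. Assumption: a last-key-wins YAML parser.

# Constructed sample: the five namespaces and their labels from the question.
NAMESPACES = {
    "prod": {"ns": "prod"},
    "preprod": {"ns": "preprod"},
    "uat": {"ns": "uat"},
    "dev": {"ns": "dev"},
    "test": {"ns": "test"},
}


def selector_matches(selector, labels):
    """All matchLabels and matchExpressions must hold; an empty selector
    matches everything. As in Kubernetes, NotIn and DoesNotExist also match
    when the key is absent (e.g. a namespace that carries no ns label)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def allowed_namespaces(egress_rule, namespaces=NAMESPACES):
    """Namespaces reachable via an egress rule's namespaceSelector peers.
    Per the NetworkPolicy spec, an empty or missing "to" matches everything."""
    peers = egress_rule.get("to") or []
    if not peers:
        return sorted(namespaces)
    allowed = set()
    for peer in peers:
        selector = peer.get("namespaceSelector")
        if selector is None:
            continue  # ipBlock / pod-only peers do not select namespaces
        allowed.update(n for n, l in namespaces.items() if selector_matches(selector, l))
    return sorted(allowed)


# Second answer's four "ns:" keys after parsing: only the last one survives.
POSTED_RULE = {"to": [{"namespaceSelector": {"matchLabels": {"ns": "test"}}}]}
# Corrected rule for the question: every namespace whose ns label is not prod.
FIXED_RULE = {"to": [{"namespaceSelector": {"matchExpressions": [
    {"key": "ns", "operator": "NotIn", "values": ["prod"]}]}}]}
# First answer's "to: []": does not restrict egress at all.
OPEN_RULE = {"to": []}
```

Selecting only namespaces also cuts off DNS and any traffic to addresses outside the cluster, so a real egress policy adds peers for the DNS service and whatever external ranges the workload needs.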