In our cluster we're running two versions of an API within separate node pools. For now our microservice traffic in each version routes from pod1 > service1 > service2 > pod2. I want to use a network policy to future proof our APIs against the possibility of pods in one version of the API communicating with the other.
Below is an example of the network policy I've written for version 1.1. However, this seems to be obstructing all traffic in the 1.1 node pool.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-v1-1
  namespace: default
spec:
  podSelector:
    matchLabels:
      version: v1-1
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              version: v1-1
  egress:
    - {}
Here is the output of describe pod <podname> showing a match for the labels.
Name:       adduser-v1-1-696467d46-zkvq9
Namespace:  default
Labels:     app=adduser-v1-1
            pod-template-hash=696467d46
            version=v1-1
Just for confirmation I added the following statement into the code running in the pod above. I'm able to see the logging statement without the network policy in place. When the policy is active the request times out and the logging statement is nowhere to be found.
@api.route('/customer/add', methods=['POST'])
def create_customer():
    # logged only when the request actually reaches the pod
    logger.info("inside create customer")
And for good measure here is our service:
apiVersion: v1
kind: Service
metadata:
  name: adduser-v1-1
spec:
  ports:
    - port: 80
      targetPort: 8081
      protocol: TCP
      name: http
  selector:
    app: adduser-v1-1
  type: LoadBalancer
EDIT
Just to clarify: in my above example with pod1 > service1 > service2 > pod2, all pods and services 1 & 2 are in the same node pool, and pods 1 & 2 both contain the label version=v1-1. Example:
I want these pods to be able to talk to each other:
Pod1
Labels:     app=adduser-v1-1
            pod-template-hash=687b4f6b8d
            version=v1-1
Pod2
Labels:     app=authuser-v1-1
            pod-template-hash=5449f9bd6d
            version=v1-1
While these pods should be blocked by the Network Policy:
Pod1
Labels:     app=adduser-v1-1
            pod-template-hash=687b4f6b8d
            version=v1-1
Pod2
Labels:     app=authuser-v2-0
            pod-template-hash=bd87f9d55
            version=v2-0
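An added example, not part of the question or the answer below, showing a pair of policies that keep each API version isolated from the other while still letting the `type: LoadBalancer` Service deliver traffic. The cause of the timeout is worth spelling out: once a NetworkPolicy selects a pod, that pod becomes default-deny for every listed policyType, and the only ingress rule above admits traffic whose source is a pod labelled `version=v1-1`. A request arriving through the load balancer does not come from such a pod (its source is the external client, or a node address after SNAT with `externalTrafficPolicy: Cluster`), so it is dropped. Pod-to-pod calls through a ClusterIP Service keep the caller's pod IP (kube-proxy only rewrites the destination), which is why that path was never the problem. The pod CIDR `10.244.0.0/16` is an assumption and must be replaced with the cluster's own; port `8081` is the Service's `targetPort` from the question.

```yaml
# Added example (not the original poster's code). ASSUMED: pod CIDR is
# 10.244.0.0/16 and the CNI enforces NetworkPolicy (the reported timeout
# shows that it does).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-v1-1
  namespace: default
spec:
  podSelector:
    matchLabels:
      version: v1-1
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Rule 1: pods of the same version in this namespace, any port.
    - from:
        - podSelector:
            matchLabels:
              version: v1-1
    # Rule 2: sources that are NOT pods (external clients, node SNAT
    # addresses, load-balancer health checks), API port only. The except
    # block carves the pod CIDR out of 0.0.0.0/0, so a version=v2-0 pod
    # is still denied even though the CIDR would otherwise include it.
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.244.0.0/16   # ASSUMED pod CIDR; use the cluster's value
      ports:
        - protocol: TCP
          port: 8081            # the Service's targetPort
  egress:
    - {}                        # unchanged: all egress allowed
---
# Mirror policy so v2-0 pods are likewise closed to v1-1 callers.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-v2-0
  namespace: default
spec:
  podSelector:
    matchLabels:
      version: v2-0
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              version: v2-0
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.244.0.0/16   # ASSUMED pod CIDR
      ports:
        - protocol: TCP
          port: 8081
  egress:
    - {}
```

Two caveats a practitioner should keep in mind. First, entries in `ingress` are ORed, and a rule with no `ports` admits every port, so rule 1 deliberately stays broad for same-version pods while rule 2 is confined to 8081; if the external clients' address range is known, put that range in `cidr` instead of `0.0.0.0/0`. Second, the NetworkPolicy API documents that `ipBlock` matching against traffic whose source was rewritten by the cluster (SNAT at the node, the load balancer) can vary by network plugin, so after applying the policies confirm both paths: a curl from a `version=v2-0` pod to the v1-1 Service should time out, and a request through the load balancer should produce the `inside create customer` log line.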
The above network policy networkpolicy-v1-1 will allow only ingress traffic from pod1 (version: v1-1) to pod1 (version: v1-1); it won't allow any other ingress traffic but allows all outgoing traffic. Is that intentional? If pod1 > service1 > service2 > pod2 is to be implemented, then the network policy below can help. It will ensure that pod2 will only receive traffic from pod1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-v2-2
  namespace: default
spec:
  podSelector:
    matchLabels:
      version: v2-2
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              version: v1-1
  egress:
    - {}