kubernetes V19
Create a new NetworkPolicy named allow-port-from-namespace that allows Pods in the existing namespace internal to connect to port 80 of other Pods in the same namespace.
Ensure that the new NetworkPolicy:
- does not allow access to Pods not listening on port 80
- does not allow access from Pods not in namespace internal
I need to know if I can do it without adding labels to the namespace and pod or not?
From the question, I am not getting ... completely confused.
statement 1 --> in the same namespace, the pod can communicate with port 80
statement 2 --> does not allow access to Pods not listening on port 80
So, could someone clarify here?
What exactly are they asking? Do we need to provide port 80 access to the pod or not?
The YAML below will help you solve your problem; it worked for me. The point is mainly to use only the ports section of the ingress array.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy
spec:
  podSelector: {} # selects all the pods in the namespace the policy is deployed in
  policyTypes:
  - Ingress
  ingress:
  - ports: # incoming traffic is allowed only on TCP port 80
    - protocol: TCP
      port: 80
statement 2 --> does not allow access to Pods not listening on port 80
How do you not allow access when a pod is not listening? That is a TCP state of a server. You can also have pods not listening on port 80 in the same namespace. I don't think this is solved in your YAML above.
In k8s networkpolicy docs you read:
By default, pods are non-isolated; they accept traffic from any source.
Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. (Other pods in the namespace that are not selected by any NetworkPolicy will continue to accept all traffic.)
Network policies do not conflict; they are additive. If any policy or policies select a pod, the pod is restricted to what is allowed by the union of those policies' ingress/egress rules. Thus, order of evaluation does not affect the policy result
This means that once you assign (select) a pod with a network policy you never set deny rules, because everything is denied by default. You only specify allow rules.
With this explained, let's go back to the k8s docs, where you can read the following:
There are four kinds of selectors that can be specified in an ingress from section or egress to section:
podSelector: This selects particular Pods in the same namespace as the NetworkPolicy which should be allowed as ingress sources or egress destinations.
namespaceSelector: This selects particular namespaces for which all Pods should be allowed as ingress sources or egress destinations.
namespaceSelector and podSelector: A single to/from entry that specifies both namespaceSelector and podSelector selects particular Pods within particular namespaces ...
I am not going to paste all docs here, check the rest here.
Now to answer your question: "I need to know if I can do it without adding labels to the namespace and pod or not?"
What you should notice in the docs mentioned above is that you can only target namespaces and pods using labels.
And when you don't use a namespace label selector, the selector defaults to the namespace where the network policy is deployed.
So, yes, you can do it without adding labels to a namespace as long as you deploy the network policy in the namespace you want to target. And you can also do it without adding labels to a pod as long as this is the only pod in the namespace.
For example: kubectl label ns namespace-name env=staging
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: staging
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          env: staging
    ports:
    - protocol: TCP
      port: 80
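To tie the answers together, here is an added example (not code from this thread) that meets all three conditions in the question for the namespace internal, without labelling the namespace or the pods. The one thing it adds over the first answer's YAML is the from entry: a ports-only rule with no from admits port 80 traffic from any source, including other namespaces, whereas an empty podSelector under from limits sources to pods in the policy's own namespace. Traffic to any other port on the selected pods is dropped because the policy isolates them and allows nothing else.

```yaml
# Added example, not from the original thread. "internal" is the namespace
# named in the question; everything else is standard NetworkPolicy syntax.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: internal          # the namespace whose pods are being isolated
spec:
  # Empty podSelector: every pod in "internal" is selected, so every pod
  # becomes isolated and only the allow rules below apply. No deny rules
  # are needed; anything not listed here is rejected.
  podSelector: {}
  policyTypes:
  - Ingress                    # only ingress is restricted; egress stays open
  ingress:
  - from:
    # A podSelector with no namespaceSelector is evaluated in the policy's
    # own namespace, so this matches all pods in "internal" and nothing
    # outside it. No namespace label is required.
    - podSelector: {}
    ports:
    - protocol: TCP
      port: 80                 # the only port that may be reached
```

After kubectl apply -f, kubectl describe networkpolicy allow-port-from-namespace -n internal shows the resulting rule; to confirm the restriction, connect from a pod in internal to port 80 and to some other port on a target pod and check that only the first succeeds, then repeat from a pod in another namespace and check that both fail.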