Block ingress from different Kubernetes Namespaces to Pod running NFS

7/23/2021

I currently have multiple NFS server Pods running in different namespaces (1 replica per namespace). I have a Service per namespace to wrap this Pod just to have a fixed endpoint. A Persistent Volume connects to this server with the fixed endpoint, so other Pods in the namespace can mount this as a volume using a PVC. Since I create a PV per NFS server, how can I prevent a PV that is not bound to a PVC belonging to the same namespace from reading from it? I tried using a Network Policy, but it looks like the PV (not tied to a namespace) can go around it. Unfortunately, the application deployed in K8s currently has a field where a user can provide any nfs:// endpoint to instruct the PV where it needs to access the files.

Using GKE 1.17.

I'm trying this NP:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: team1-ns
spec:
  # Pods this policy applies to: the NFS server pods in team1-ns
  podSelector:
    matchLabels:
      role: nfs-server
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Entry 1: any pod in a namespace labelled nfs-server=team1-ns
    - namespaceSelector:
        matchLabels:
          nfs-server: team1-ns
    # Entry 2 (separate list item, so OR'd with entry 1): any pod in team1-ns itself
    - podSelector: {}
```

Am I missing something in the NP, or can PVs actually go around NPs?

Help is really appreciated...

-- Luis Armando
google-kubernetes-engine
kubernetes
kubernetes-networkpolicy

1 Answer

7/26/2021

I would not say that PVs "can go around" NPs, but rather that they are not applicable.

PVs, Volumes and StorageClasses provide a layer of abstraction between your pod(s) and the underlying storage implementation. The storage itself is actually attached/mounted to the node and not directly to the container(s) in the pods.

In your case with NFS, the storage driver/plugin attaches the actual NFS share to the node running your pod(s). So NetworkPolicy cannot possibly apply.

-- Gari Singh
Source: StackOverflow
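To make the two points of this thread concrete, here is an added illustration (not code from the question, the answer, or any Kubernetes project): a small evaluator of the posted NetworkPolicy's ingress rules, with the policy embedded as a Python dict and a few constructed source pods. It models only pod-to-pod peers, which is exactly what namespaceSelector/podSelector rules select; the NFS mount traffic the answer describes originates from the node rather than from any pod, so it has no pod identity for these rules to match and never reaches this evaluation. It also makes visible that the two `from` entries in the policy are OR'd: the bare `podSelector: {}` item admits every pod in team1-ns regardless of label. Pod and namespace labels below are constructed sample data; `ingress_allowed` and the helpers are hypothetical names.

```python
"""Evaluate a NetworkPolicy's ingress rules against constructed pod peers.

Simplified model of the Kubernetes semantics for matchLabels-only selectors:
  - spec.podSelector picks the target pods in the policy's own namespace
  - each item in ingress[].from is an independent peer (items are OR'd)
  - namespaceSelector + podSelector in ONE item are AND'd
  - a podSelector on its own is scoped to the policy's namespace
"""

# The NetworkPolicy from the question, transcribed into a dict (no YAML parser needed).
POLICY = {
    "metadata": {"name": "test-network-policy", "namespace": "team1-ns"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "nfs-server"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [
                {"namespaceSelector": {"matchLabels": {"nfs-server": "team1-ns"}}},
                {"podSelector": {}},
            ]}
        ],
    },
}

# Constructed sample pods: namespace, the pod's labels, and its namespace's labels.
NFS_SERVER = {"namespace": "team1-ns", "labels": {"role": "nfs-server"}, "ns_labels": {}}
UNLABELLED_POD = {"namespace": "team1-ns", "labels": {"app": "web"}, "ns_labels": {}}
CLIENT_SAME_NS = {"namespace": "team1-ns", "labels": {"app": "worker"}, "ns_labels": {}}
CLIENT_OTHER_NS = {"namespace": "team2-ns", "labels": {"app": "worker"}, "ns_labels": {}}
CLIENT_LABELLED_NS = {"namespace": "team2-ns", "labels": {"app": "worker"},
                      "ns_labels": {"nfs-server": "team1-ns"}}


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value must be present; an empty selector matches all."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src_pod, policy_ns):
    """Does one 'from' item admit src_pod? (Only pods have labels; node traffic has none.)"""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None and pod_sel is not None:
        # Both selectors in the same item: the source pod must satisfy both.
        return (selector_matches(ns_sel, src_pod["ns_labels"])
                and selector_matches(pod_sel, src_pod["labels"]))
    if ns_sel is not None:
        # namespaceSelector alone: any pod in a matching namespace.
        return selector_matches(ns_sel, src_pod["ns_labels"])
    if pod_sel is not None:
        # podSelector alone: matching pods in the policy's own namespace only.
        return src_pod["namespace"] == policy_ns and selector_matches(pod_sel, src_pod["labels"])
    return False


def ingress_allowed(policy, target_pod, src_pod):
    """True/False when the policy governs target_pod; None when it does not select it."""
    spec = policy["spec"]
    policy_ns = policy["metadata"]["namespace"]
    if target_pod["namespace"] != policy_ns:
        return None
    if not selector_matches(spec["podSelector"], target_pod["labels"]):
        return None
    if "Ingress" not in spec.get("policyTypes", []):
        return None
    for rule in spec.get("ingress", []):
        froms = rule.get("from")
        if not froms:          # a rule without 'from' admits every source
            return True
        if any(peer_matches(p, src_pod, policy_ns) for p in froms):
            return True
    return False               # selected pod, no rule matched: traffic is denied


def evaluate_samples():
    """Run the constructed peers against the NFS server pod and return the verdicts."""
    return {
        "same_ns": ingress_allowed(POLICY, NFS_SERVER, CLIENT_SAME_NS),
        "other_ns": ingress_allowed(POLICY, NFS_SERVER, CLIENT_OTHER_NS),
        "labelled_ns": ingress_allowed(POLICY, NFS_SERVER, CLIENT_LABELLED_NS),
        "unselected_target": ingress_allowed(POLICY, UNLABELLED_POD, CLIENT_OTHER_NS),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {verdict}")
```

The verdicts show what the policy does cover: a pod in team1-ns is admitted by the bare `podSelector: {}` entry, a pod in an unlabelled other namespace is refused, and a pod in any namespace carrying the `nfs-server: team1-ns` label is admitted even though it lives elsewhere. Whoever can set that label on a namespace can therefore reach the server, which is worth keeping in mind when reviewing who holds namespace-label permissions. None of these cases describes the node-side NFS mount from the answer, which is why the policy does not help with the PV question.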