I currently have multiple NFS server Pods running in different namespaces (1 replica per namespace). I have a Service per namespace to wrap this Pod just to have a fixed endpoint. A Persistent Volume connects to this server with the fixed endpoint, so other Pods in the namespace can mount this as a volume using a PVC. Since I create a PV per NFS server, how can I prevent a PV that is not bound to a PVC in the same namespace from reading from it? I tried using a Network Policy, but it looks like the PV (not tied to a namespace) can go around it. Unfortunately, the application deployed in K8s currently has a field where a user can provide any nfs:// endpoint to instruct the PV where it needs to access the files.
Using GKE 1.17.
I'm trying this NP:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: team1-ns
spec:
  podSelector:
    matchLabels:
      role: nfs-server
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          nfs-server: team1-ns
    - podSelector: {}
Am I missing something in the NP, or can PVs actually go around NPs?
Help is really appreciated...
I would not say that PVs "can go around" NPs, but rather that they are not applicable.
PVs, Volumes and StorageClasses provide a layer of abstraction between your pod(s) and the underlying storage implementation. The actual storage itself is actually attached/mounted to the node and not directly to the container(s) in the pods.
In your case with NFS, the storage driver/plugin attaches the actual NFS share to the node running your pod(s). So NetworkPolicy cannot possibly apply.
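One defender-side check that follows from the answer above: because the share is mounted on the node and NetworkPolicy cannot see it, the per-namespace boundary has to be checked on the PV spec itself. This is an added example, not code from the question, the answer or Kubernetes: it audits `kubectl get pv -o json` output and flags NFS PVs whose server is not the bound namespace's own Service. It assumes the fixed endpoint is the Service's cluster DNS name (`<service>.<namespace>.svc.cluster.local`); the PV list below is a constructed sample.

```python
import json
import re

# Constructed sample of `kubectl get pv -o json` output (not from the page):
# one PV per NFS server Service, the Service DNS name used as the fixed endpoint.
SAMPLE_PV_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "pv-team1"},
         "spec": {"nfs": {"server": "nfs-server.team1-ns.svc.cluster.local", "path": "/"},
                  "claimRef": {"namespace": "team1-ns", "name": "data"}}},
        {"metadata": {"name": "pv-team2-bad"},
         "spec": {"nfs": {"server": "nfs-server.team1-ns.svc.cluster.local", "path": "/"},
                  "claimRef": {"namespace": "team2-ns", "name": "data"}}},
        {"metadata": {"name": "pv-external"},
         "spec": {"nfs": {"server": "10.0.0.5", "path": "/export"},
                  "claimRef": {"namespace": "team2-ns", "name": "scratch"}}},
        {"metadata": {"name": "pv-unbound"},
         "spec": {"nfs": {"server": "nfs-server.team3-ns.svc.cluster.local", "path": "/"}}},
    ]
})

# Assumption: in-cluster Service DNS names look like <service>.<namespace>.svc[.cluster.local]
SVC_DNS = re.compile(r"^[^.]+\.(?P<ns>[^.]+)\.svc(\.cluster\.local)?\.?$")

def server_namespace(server):
    """Namespace encoded in a Service DNS name, or None for raw IPs / external hosts."""
    m = SVC_DNS.match(server)
    return m.group("ns") if m else None

def audit_nfs_pvs(pv_list_json):
    """Return (pv name, reason) for every NFS PV that does not serve its own namespace."""
    findings = []
    for pv in json.loads(pv_list_json)["items"]:
        spec = pv["spec"]
        nfs = spec.get("nfs")
        if not nfs:
            continue  # only NFS-backed PVs are in scope
        name = pv["metadata"]["name"]
        claim_ns = spec.get("claimRef", {}).get("namespace")
        server_ns = server_namespace(nfs["server"])
        if server_ns is None:
            findings.append((name, "server %r is not a per-namespace Service" % nfs["server"]))
        elif claim_ns is None:
            findings.append((name, "unbound: any namespace may claim it"))
        elif claim_ns != server_ns:
            findings.append((name, "bound in %s but serves from %s" % (claim_ns, server_ns)))
    return findings

if __name__ == "__main__":
    for name, reason in audit_nfs_pvs(SAMPLE_PV_LIST):
        print(name, "-", reason)
```

Against a live cluster, pass the real `kubectl get pv -o json` output instead of the sample; this reports cross-namespace references, it does not block them.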