We deploy a service to our existing AKS cluster that needs to be isolated as much as possible so it can't access other services or resources in our cluster.
I created a new Kubernetes namespace and deployed the service there. Next I would like to lock down the network in this namespace so the service can be reached from the outside world via HTTPS but cannot access other services running in the same AKS cluster (but in different namespaces).
For that, I deployed a Network Policy denying all egress:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: namespace-where-service-is-deployed
spec:
  podSelector: {}
  policyTypes:
  - Egress
based on: https://projectcalico.docs.tigera.io/security/kubernetes-network-policy
This works, but it totally blocks all egress. I need the service to be able to access its database (CosmosDB), which is running outside the AKS cluster. Also I would like log transmission via Application Insights to work.
Is there a way to isolate the service without having to figure out all the IP addresses of CosmosDB and App Insights and allowing them explicitly?
We are running on Kubernetes Version 1.23.8 and using the Network Plugin "kubenet" with the Network Policy "calico".
Thank you very much!
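Added example (not part of the question above): an egress policy for the same namespace that allows DNS plus any destination that is not an in-cluster address, so public endpoints such as CosmosDB and Application Insights work without enumerating their IPs. The CIDRs and the kube-dns pod label are assumptions and must be replaced with the cluster's real values.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-outside-cluster
  namespace: namespace-where-service-is-deployed
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  # Rule 1: name resolution. CoreDNS runs inside the pod CIDR, which rule 2
  # excludes, so it needs its own allow entry (port 53 only).
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns          # assumed label of the AKS CoreDNS pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Rule 2: everything that is NOT an in-cluster address. Calico evaluates
  # egress after kube-proxy's DNAT, so traffic to a ClusterIP is seen with
  # the backing pod IP and is caught by the pod CIDR exception.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.244.0.0/16   # assumed kubenet pod CIDR
        - 10.0.0.0/16     # assumed AKS service CIDR
        - 10.240.0.0/16   # assumed node subnet (blocks node ports / hostNetwork pods)
```

The real ranges can be read from the cluster's network profile (for example with "az aks show --query networkProfile"); verify the result with a test pod that can resolve and reach a public hostname but times out against a ClusterIP in another namespace.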