I have a Kubernetes cluster set up using kubeadm.
I'm trying to define a network policy which restricts access from outside the namespace but doesn't block access from outside (external IP).
To elaborate, I want the pods to be accessible from other pods in the namespace and via external IP address, but not from other namespaces.
Any ideas?
Have you looked into OpenShift? It is a Kubernetes fork with better multitenant support, and does this out of the box. – Michael Hampton Sep 29 '18 at 13:12
1 Answer
I used the following network policy and it worked for me:
```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: policy-test
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
    - namespaceSelector:
        matchLabels:
          access: "true"
```
Based on what I know, the external access is granted through kube-proxy, which is a pod in the kube-system namespace. This network policy will allow all the pods from the policy-test namespace and any namespace with the access=true label.
Applying this network policy and adding the access=true label to the kube-system namespace will solve the issue.
Adding the label:
```
kubectl label namespace/kube-system access=true
```
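As an added illustration (not part of the answer above), the following evaluator reproduces the ingress semantics of that policy offline: entries in a `from` list are ORed, a `podSelector` alone is scoped to the policy's own namespace, and a `podSelector` and `namespaceSelector` in the same entry are ANDed. The policy is embedded as a dict and the namespace labels are constructed sample data.

```python
# Added example: evaluates which sources the deny-from-other-namespaces
# policy admits. Only podSelector/namespaceSelector peers are modelled
# (the policy has no ipBlock entries).

POLICY = {
    "metadata": {"namespace": "policy-test", "name": "deny-from-other-namespaces"},
    "spec": {
        "podSelector": {"matchLabels": None},   # null matchLabels selects every pod
        "ingress": [{"from": [
            {"podSelector": {}},                # any pod in policy-test itself
            {"namespaceSelector": {"matchLabels": {"access": "true"}}},
        ]}],
    },
}

def selector_matches(selector, labels):
    """matchLabels semantics: every key/value must be present; empty or None selects all."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_allows(peer, src_ns, src_ns_labels, src_pod_labels, policy_ns):
    """One entry of a `from` list. Selectors within an entry are ANDed; a lone
    podSelector only matches pods in the policy's own namespace."""
    has_ns, has_pod = "namespaceSelector" in peer, "podSelector" in peer
    if has_ns and not selector_matches(peer["namespaceSelector"], src_ns_labels):
        return False
    if has_pod:
        if not has_ns and src_ns != policy_ns:
            return False
        if not selector_matches(peer["podSelector"], src_pod_labels):
            return False
    return has_ns or has_pod

def ingress_allowed(policy, src_ns, src_ns_labels, src_pod_labels):
    """Entries in `from` are ORed. A rule with no `from` at all admits every source."""
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        if "from" not in rule:
            return True
        if any(peer_allows(p, src_ns, src_ns_labels, src_pod_labels, policy_ns)
               for p in rule["from"]):
            return True
    return False

if __name__ == "__main__":
    # constructed namespaces: only kube-system carries the access=true label
    ns_labels = {"policy-test": {}, "kube-system": {"access": "true"}, "other": {}}
    for ns, labels in ns_labels.items():
        print(f"{ns}: allowed={ingress_allowed(POLICY, ns, labels, {'app': 'x'})}")
```

Note that the namespace label is the trust grant: once kube-system carries access=true, every pod in that namespace is admitted by this rule, not only kube-proxy.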