0

I have two Kubernetes deployments (DeploymentA and DeploymentB) and I am wondering that is there a way to whitelist all incoming traffic from DeploymentB in DeploymentA? So that DeploymentA can be accessed only via DeploymentB.

ClusterIP service can be used to access deployments for internal communication in Kubernetes but How can I whitelist all the requests coming from a specific deployment(or its pods) in another deployment? Is there a way for example to get all possible ip addresses of the pods of a specific deployment in order to whitelist them?

Edit 1:

I have a web application which is open to Internet but a specific part of it has to be accessible only from a specific deployment. To implement that, I need to specify the IP-addresses or somehow names of the deployments which should have access.

Thank you!

Patric
  • 39
  • 5

2 Answers2

1

You can use Network policy

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints.

NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods.

Community
  • 1
  • 1
hoque
  • 5,735
  • 1
  • 19
  • 29
  • Thank you for your answer. This could be a possible solution but not exactly what I am looking for. Please check "edit 1" for more information. – Patric Jun 04 '20 at 09:38
0

The below network policy should help allow traffic only from specific deployment pods( depA) to depB pods since your question is in specific will routing traffic from deployment to deployment or will allow traffic back to the Internet since We have Egress rule that allows traffic out on UDP and TCP

apiVersion: networking.k8s.io/v1
metadata:
  name: foo-allow-to-hello
spec:
  policyTypes:
  - Ingress
  - Egress 
  podSelector:
    matchLabels:
      app: depbB
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: depA
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: depA
    - ports
      - protocol: UDP
        port: 53
     - protocol: TCP 
       port: 53

Please note to enforce the above policy, the pods inside your deployments should be labelled accordingly. The below deployment will work for the above policy, do note the labels on the pod are the same mentioned in the policy.

controllers/nginx-deployment.yaml 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: deploymentA
spec:
  replicas: 3
  selector:
    matchLabels:
      app: depA 
  template:
    metadata:
      labels:
        app: depA 
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
DBSand
  • 670
  • 3
  • 10