
I am trying to isolate my pods in a namespace from other namespaces. I have tried to create a NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

This NetworkPolicy successfully isolates pods in my namespace from other namespaces. But this policy, once applied, blocks all external traffic to these pods. Is there any method to only block traffic from other namespaces and allow all external traffic to the pods?

Rico
Pratheesh

5 Answers


The NetworkPolicy you applied is blocking the traffic from every source.

You can add authorized CIDR blocks in your definition:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
Rémi F
  • Yes, I have tried to add a CIDR to my policy. But this would allow traffic from that particular CIDR, and if we give a CIDR like 0.0.0.0/0, all traffic gets routed to the pods, including traffic from another namespace. – Pratheesh Jul 06 '20 at 04:06
  • 0.0.0.0/0 allows traffic from every source, use the CIDR block of your Loadbalancer. – Rémi F Jul 06 '20 at 08:15

Using a Kubernetes NetworkPolicy I don't believe it's possible to deny communication between pods while allowing all external traffic. This is because the Kubernetes NetworkPolicy resource doesn't have a concept of explicit Deny rules. I would either adjust your approach or consider another network policy that has Deny rules (such as Calico).

Solution:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-other-namespaces
  namespace: prod
spec:
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny
    protocol: TCP
    source:
      namespaceSelector: name == 'dev'
  - action: Allow
  egress:
  - action: Allow
odenS0n
  • @odenSon, I have tried calico network Policy ,but sadly it didn't work for me . – Pratheesh Jul 09 '20 at 07:12
  • @Pratheesh can you share the calico NetworkPolicy resource yaml you used? – odenS0n Jul 09 '20 at 09:22
  • apiVersion: projectcalico.org/v3
    kind: NetworkPolicy
    metadata:
      name: allow-ns
      namespace: dev
    spec:
      selector: all()
      ingress:
      - action: Allow
        protocol: TCP
        source:
          selector: all()
      - action: Allow
        source:
          nets:
          - 0.0.0.0/0
    – Pratheesh Jul 09 '20 at 09:42
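To show why a Calico policy can express what the answer says a plain NetworkPolicy cannot, here is a small added example (my own constructed code, not Calico's implementation) that evaluates the answer's ordered rules with first-match semantics: an explicit Deny sits in front of a catch-all Allow. It assumes the dev namespace carries a `name: dev` label, as the `namespaceSelector` requires, and parses only the two selector forms used on this page. It also checks a detail worth flagging in review: the Deny rule is limited to `protocol: TCP`, so UDP from the dev namespace falls through to the Allow.

```python
"""
Toy model of Calico NetworkPolicy ingress evaluation (constructed example, not
Calico's code). Rules are evaluated in order and the first match decides, so an
explicit Deny can sit in front of a catch-all Allow. Only the selector forms
used in the answer are parsed: all() and key == 'value'.
"""
import re


def calico_selector_matches(expr, labels):
    """Evaluate a Calico selector string against a label dict."""
    expr = (expr or "all()").strip()
    if expr == "all()":
        return True
    m = re.fullmatch(r"([\w./-]+)\s*==\s*'([^']*)'", expr)
    if not m:
        raise ValueError(f"unsupported selector: {expr}")
    return labels.get(m.group(1)) == m.group(2)


def calico_rule_matches(rule, src):
    """src: {'proto': 'TCP'|'UDP', 'ns_labels': dict or None, 'pod_labels': dict or None};
    None labels model traffic that did not originate from a pod."""
    if "protocol" in rule and rule["protocol"] != src["proto"]:
        return False
    source = rule.get("source", {})
    if "namespaceSelector" in source:
        if src["ns_labels"] is None or not calico_selector_matches(
                source["namespaceSelector"], src["ns_labels"]):
            return False
    if "selector" in source:
        if src["pod_labels"] is None or not calico_selector_matches(
                source["selector"], src["pod_labels"]):
            return False
    return True


def calico_ingress_action(policy, src):
    """First matching rule wins; with no match the policy denies."""
    for rule in policy["spec"].get("ingress", []):
        if calico_rule_matches(rule, src):
            return rule["action"]
    return "Deny"


DENY_DEV_THEN_ALLOW = {  # the answer's policy, as a dict
    "spec": {"selector": "all()", "types": ["Ingress", "Egress"],
             "ingress": [
                 {"action": "Deny", "protocol": "TCP",
                  "source": {"namespaceSelector": "name == 'dev'"}},
                 {"action": "Allow"},
             ],
             "egress": [{"action": "Allow"}]},
}

# Constructed sources; the dev namespace is assumed to carry the label name=dev
DEV_POD_TCP = {"proto": "TCP", "ns_labels": {"name": "dev"}, "pod_labels": {"app": "job"}}
DEV_POD_UDP = {"proto": "UDP", "ns_labels": {"name": "dev"}, "pod_labels": {"app": "job"}}
PROD_POD_TCP = {"proto": "TCP", "ns_labels": {"name": "prod"}, "pod_labels": {"app": "job"}}
EXTERNAL_TCP = {"proto": "TCP", "ns_labels": None, "pod_labels": None}


def decisions(policy=DENY_DEV_THEN_ALLOW):
    """Action taken for each constructed source under the given policy."""
    return {name: calico_ingress_action(policy, src) for name, src in [
        ("dev-pod-tcp", DEV_POD_TCP), ("dev-pod-udp", DEV_POD_UDP),
        ("prod-pod-tcp", PROD_POD_TCP), ("external-tcp", EXTERNAL_TCP)]}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:14} -> {action}")
```

The TCP connection from dev is denied while prod pods and external clients are allowed, which is the behaviour the question asks for; the UDP row shows that the `protocol: TCP` qualifier narrows the Deny, so drop it (or add a matching UDP rule) if the intent is to block the namespace entirely.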

You can make sure that you namespace the NetworkPolicy resource and restrict the ingress/egress to just that namespace.

apiVersion: networking.k8s.io/v1   # extensions/v1beta1 NetworkPolicy was removed in Kubernetes 1.16
kind: NetworkPolicy
metadata:
  name: onlywithinnamespace
  namespace: mynamespace
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: mynamespace
    - podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          role: mynamespace
    - podSelector: {}
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  - Egress

Make sure that your namespace has the right labels to match:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    role: mynamespace
  name: mynamespace
Rico
  • This would allow traffic from that particular namespace, right? That is correct as per my first condition. But I am also trying to allow all external traffic. This method is blocking all external traffic – Pratheesh Jul 06 '20 at 04:03
  • External traffic from where? – Rico Jul 07 '20 at 00:54
  • External traffic via NodePort. For example, if I try to expose one of my services using a NodePort and try to access the service through the NodePort, it won't pass that traffic to my service – Pratheesh Jul 07 '20 at 07:21
  • If that external traffic is coming from a load balancer you can allow ingress on the load balancer's cidr range on the same policy. – Rico Jul 10 '20 at 02:11

You can allow all traffic but block the traffic from the internal network.

The NetworkPolicy below allows access to all, except internal networks (192.168.0.0/16 and 172.23.40.0/24):

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-external
  namespace: dmz
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress   # listed with no ingress rules below, so all ingress to these pods is denied
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/16
        - 172.23.42.0/24
    - namespaceSelector:
        matchLabels:
          name: dmz

In my case I had the same problem, and the response in this link https://stackoverflow.com/a/56860217/7324872 is great.

Please create 2 network policies:

deny-from-other-namespaces

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

And web-allow-external

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-external
spec:
  podSelector:
    matchLabels:
      app: <label>
  ingress:
  - {}

The network policies do not exclude each other.

Roberto Ramos
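The thread turns on how Kubernetes combines NetworkPolicies, so here is an added example (my own constructed code, not Kubernetes or any CNI implementation) that models the ingress semantics and runs the policies from this page through it: the question's `deny-from-other-namespaces`, Roberto Ramos's `web-allow-external` companion, and an `ipBlock`/`except` variant of the approach in Rémi F's answer. The namespace `prod`, the pod CIDR `10.244.0.0/16`, the label `app=web` and the source addresses are all assumed values.

```python
"""
Toy evaluator for Kubernetes NetworkPolicy ingress semantics (constructed
example, not Kubernetes code). Policies are dicts mirroring the YAML above:
  * a pod is isolated for ingress once any policy with Ingress in policyTypes
    selects it; an isolated pod only receives traffic some rule allows;
  * `from` entries are OR-ed; a rule with no `from` (e.g. `- {}`) allows all;
  * policies are additive: there is no Deny, a second policy can only widen.
"""
from ipaddress import ip_address, ip_network


def selector_matches(selector, labels):
    """matchLabels selector; {} (or a null matchLabels) selects everything."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src):
    """One entry of a `from` list. src describes the connection source:
    {'ip': str, 'ns': namespace or None for non-pod traffic,
     'ns_labels': dict, 'pod_labels': dict}."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        ip = ip_address(src["ip"])
        if ip not in ip_network(block["cidr"]):
            return False
        return not any(ip in ip_network(e) for e in block.get("except", []))
    if src["ns"] is None:          # pod/namespace peers never match non-pod traffic
        return False
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["ns"] != policy_ns:   # a lone podSelector is scoped to the policy's namespace
        return False
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src["pod_labels"]):
        return False
    return True


def ingress_allowed(policies, pod_ns, pod_labels, src):
    """True if the connection reaches a pod with pod_labels in pod_ns."""
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"].get("namespace", "default") != pod_ns:
            continue
        if not selector_matches(spec.get("podSelector"), pod_labels):
            continue
        # policyTypes defaults to Ingress, plus Egress only when egress rules exist
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if "Ingress" not in types:
            continue
        isolated = True
        for rule in spec.get("ingress") or []:
            froms = rule.get("from")
            if not froms or any(peer_matches(p, pod_ns, src) for p in froms):
                return True
    return not isolated            # nothing selects the pod: default allow


# Policies from this thread as dicts; namespace "prod" is an assumption
DENY_FROM_OTHER_NAMESPACES = {
    "metadata": {"name": "deny-from-other-namespaces", "namespace": "prod"},
    "spec": {"podSelector": {"matchLabels": None},
             "ingress": [{"from": [{"podSelector": {}}]}]},
}
WEB_ALLOW_EXTERNAL = {
    "metadata": {"name": "web-allow-external", "namespace": "prod"},
    "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "ingress": [{}]},
}
ALLOW_EXTERNAL_NOT_PODS = {   # except-list form; 10.244.0.0/16 is an assumed pod CIDR
    "metadata": {"name": "allow-external-not-pods", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [
                 {"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.244.0.0/16"]}},
                 {"podSelector": {}},
             ]}]},
}

# Constructed connection sources
SAME_NS_POD = {"ip": "10.244.1.5", "ns": "prod", "ns_labels": {"name": "prod"}, "pod_labels": {"app": "batch"}}
OTHER_NS_POD = {"ip": "10.244.2.9", "ns": "dev", "ns_labels": {"name": "dev"}, "pod_labels": {"app": "batch"}}
EXTERNAL_CLIENT = {"ip": "203.0.113.7", "ns": None, "ns_labels": {}, "pod_labels": {}}


def outcome(policies):
    """Decision per source for a pod labelled app=web in namespace prod."""
    return {name: ingress_allowed(policies, "prod", {"app": "web"}, src)
            for name, src in [("same-ns-pod", SAME_NS_POD),
                              ("other-ns-pod", OTHER_NS_POD),
                              ("external", EXTERNAL_CLIENT)]}


if __name__ == "__main__":
    for label, pols in [("question's policy alone", [DENY_FROM_OTHER_NAMESPACES]),
                        ("plus web-allow-external", [DENY_FROM_OTHER_NAMESPACES, WEB_ALLOW_EXTERNAL]),
                        ("ipBlock except pod CIDR", [ALLOW_EXTERNAL_NOT_PODS])]:
        print(f"{label:26} {outcome(pols)}")
```

The three rows show what the thread argues about: the question's policy alone blocks the external client; adding `web-allow-external` re-opens external access but also re-admits pods from other namespaces, because allows from separate policies are unioned; and the `ipBlock`/`except` form is how a plain NetworkPolicy admits outside clients while excluding in-cluster sources. Before relying on that last form, check which source address the pods actually see: NodePort traffic with `externalTrafficPolicy: Cluster` is SNATed to a node IP, so the excepted ranges must not cover the node addresses, and the excepted pod CIDR has to be the cluster's real one.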