
I'm using 1 service to get pods from 2 different deployments which have just one label in common. Then, I want to use CiliumNetworkPolicy and ingress to block all the traffic on every path except the path '/a', and show only the pods from 1 deployment. I'm able to block everything except the path '/a', but it's accessing the pods from both deployments.

I'm using these two deployments and one service:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami-deployment-a
spec:
  replicas: 2
  selector:
    matchLabels:
      xablau: xablau
      app: a
  template:
    metadata:
      name: whoami-pod-a
      labels:
        xablau: xablau
        app: a
    spec:
      containers:
      - name: whoami-a
        image: traefik/whoami
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami-deployment-b
spec:
  replicas: 2
  selector:
    matchLabels:
      xablau: xablau
      app: b
  template:
    metadata:
      name: whoami-pod-b
      labels:
        xablau: xablau
        app: b
    spec:
      containers:
      - name: whoami-b
        image: traefik/whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami-service
spec:
  ports:
  - port: 80
    name: http
    targetPort: 80
  selector:
    xablau: xablau

Now, in the CiliumNetworkPolicy, I'm trying this:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: whoami-visilibity
  namespace: sule-test
specs:
  - endpointSelector:
      matchLabels:
        xablau: xablau
    ingress:
      - from:
        - endpointSelector:
            matchLabels:
              app: a
        toPorts:
          - ports:
              - port: '80'
                protocol: TCP
            rules:
              http:
                - path: /a

Somehow, I can only access the path '/a', but it's using the pod with the label app: b, instead of just the pod with the label app: a.

Sule26

0 Answers
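Added example, not part of the question above. A CiliumNetworkPolicy is enforced on the pods matched by its endpointSelector; it filters what reaches those pods, but it never changes which backend pods a Service load-balances to. A Service whose selector is only xablau: xablau has the pods of both deployments as endpoints, so a policy with endpointSelector xablau: xablau is applied to both of them and requests to '/a' are still spread across both. Two other details of the Cilium rule syntax matter here: the field inside an ingress rule is fromEndpoints (a list of endpoint selectors), not from, and an ingress rule with a toPorts section and no fromEndpoints allows every source on that port. The manifests below narrow the Service selector to the app: a pods and enforce the L7 rule only on them. The Service name, the policy name, and the ingress controller's namespace and labels (ingress-nginx) are assumptions for the example; substitute the labels of whatever sends traffic to the pods in your cluster.

```yaml
# Added example (not from the question). Assumes the pod labels used in the
# question (xablau: xablau plus app: a / app: b) and an ingress controller
# running in namespace ingress-nginx with the pod label
# app.kubernetes.io/name: ingress-nginx (assumption; adjust to your cluster).
apiVersion: v1
kind: Service
metadata:
  name: whoami-service-a        # assumed name
  namespace: sule-test
spec:
  ports:
  - port: 80
    name: http
    targetPort: 80
  selector:
    xablau: xablau
    app: a                      # only the app=a pods become Service endpoints
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: whoami-a-only-path-a    # assumed name
  namespace: sule-test
spec:
  endpointSelector:
    matchLabels:
      app: a                    # the rule is enforced on the app=a pods (the destination)
  ingress:
  - fromEndpoints:              # allowed sources; without this block any source is allowed
    - matchLabels:
        # k8s:io.kubernetes.pod.namespace selects pods from another namespace
        k8s:io.kubernetes.pod.namespace: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - path: "/a"            # every other path on port 80 is denied at L7
```

The app: b pods are not selected by any policy here, so Cilium leaves them in its default allow-all state; if they should be unreachable as well, give them their own policy with an empty ingress list (endpointSelector app: b and ingress: [] denies all ingress to them).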