
I am confused about some elementary network concepts in k8s; can someone kindly explain this to me, please? Thank you!

as described here:

All ingress Pod-to-Pod communication has been denied across all namespaces. You want to allow the Pod busybox in namespace k1 to communicate with Pod nginx in namespace k2. You'll create a network policy to achieve that.

I created two pods in k1 and k2 separately in a KIND cluster, and I didn't create any network policy, so I understand pods in k1 are not allowed to talk to pods in k2; so why am I seeing that the wget is successful between the two pods here?

$k get ns k1 k2
NAME   STATUS   AGE
k1     Active   10m
k2     Active   10m

$k get pod -A -o wide
NAMESPACE            NAME                                       READY   STATUS    RESTARTS   AGE   IP              NODE               NOMINATED NODE   READINESS GATES
k1                   busybox                                    1/1     Running   0          11m   10.244.0.5      t1-control-plane   <none>           <none>
k2                   nginx                                      1/1     Running   0          11m   10.244.0.6      t1-control-plane   <none>           <none>

$k get NetworkPolicy -A
No resources found

$k exec -it busybox -n k1 -- wget --timeout=5 10.244.0.6:80
Connecting to 10.244.0.6:80 (10.244.0.6:80)
saving to 'index.html'
index.html           100% |********************************|   615  0:00:00 ETA
'index.html' saved

2 Answers


Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies

By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace.

As in the instructions you linked, you can create a "default" ingress isolation policy for the k2 namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.

So traffic will be blocked from k1 to k2 only once this policy is created in the k2 namespace. It will block all ingress traffic to all pods in the k2 namespace.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: k2
spec:
  podSelector: {}
  policyTypes:
  - Ingress

The instructions say that once you create this default policy, which blocks everything, you can then create further network policies to allow traffic, say from a specific pod in the k1 namespace to a specific pod in the k2 namespace.

You want to allow the Pod busybox in namespace k1 to communicate with Pod nginx in namespace k2. You'll create a network policy to achieve that

So if you look in the solution folder, this is the policy which does that:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-networkpolicy
  namespace: k2
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              role: consumer
      ports:
        - protocol: TCP
          port: 80

This policy will apply to all pods in namespace k2 which have the label app: backend and will allow ingress traffic (on TCP port 80) to those pods from pods in any namespace that has the label role: consumer.

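As an added illustration (not code from the question or either answer), the following Python model evaluates the ingress side of the NetworkPolicy semantics described above: a pod with no selecting policy accepts everything, and once any policy selects it, only traffic matched by some ingress rule gets through. The label role: consumer on namespace k1 and app: backend on the nginx pod are assumed, since the allow policy requires them; on a real cluster the result also depends on a CNI that actually enforces policies.

```python
# Added model of Kubernetes NetworkPolicy ingress evaluation; sample data is constructed.
def selector_matches(selector, labels):
    """Empty or absent matchLabels selects everything; otherwise every label must match."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_matches(peer, src, dst_ns):
    """One 'from' entry: a podSelector without namespaceSelector is scoped to the policy's namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if src["namespace"] != dst_ns:
            return False
    elif not selector_matches(ns_sel, src["namespace_labels"]):
        return False
    return pod_sel is None or selector_matches(pod_sel, src["labels"])

def port_matches(ports, protocol, port):
    """No 'ports' list means any port; otherwise protocol and port must both match."""
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port
                            for p in ports)

def ingress_allowed(policies, src, dst, protocol="TCP", port=80):
    """True if traffic src -> dst:port is permitted by the given policies."""
    isolating = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"].get("podSelector"), dst["labels"])]
    if not isolating:          # no policy selects the pod: default allow
        return True
    for pol in isolating:      # rules across selecting policies are additive (OR)
        for rule in pol["spec"].get("ingress", []):
            froms = rule.get("from", [])
            if ((not froms or any(peer_matches(f, src, dst["namespace"]) for f in froms))
                    and port_matches(rule.get("ports", []), protocol, port)):
                return True
    return False

# Constructed sample data mirroring the page; the role=consumer namespace label is assumed.
BUSYBOX = {"namespace": "k1", "namespace_labels": {"role": "consumer"}, "labels": {}}
NGINX = {"namespace": "k2", "labels": {"app": "backend"}}
DEFAULT_DENY = {"metadata": {"name": "default-deny-ingress", "namespace": "k2"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_K1 = {"metadata": {"name": "allow-ingress-networkpolicy", "namespace": "k2"},
            "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
                     "policyTypes": ["Ingress"],
                     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "consumer"}}}],
                                  "ports": [{"protocol": "TCP", "port": 80}]}]}}
```

With no policies the wget in the question succeeds; with only default-deny-ingress it is blocked; with both policies it succeeds again, but only on TCP/80 and only from a namespace carrying role: consumer.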

The setup.yaml should create a NetworkPolicy; you also need to install Cilium to achieve the setup before applying the solution.

NOTE: Without a network policy controller, network policies won't have any effect. You need to configure a network overlay solution that provides this controller. You'll have to go through some extra steps to install and enable the network provider Cilium. Without adhering to the proper prerequisites, network policies won't have any effect. You can find installation guidance in the file cilium-setup.md. If you do not already have a cluster, you can create one by using minikube or you can use the O'Reilly interactive lab "Creating a Network Policy".

https://github.com/bmuschko/ckad-crash-course/blob/master/exercises/31-networkpolicy/cilium-setup.md

this is also a valid answer here. I have tried both k3d and KIND; and in the case of KIND, we need to manually install Cilium to make NetworkPolicy effective. Thanks! – sqr Aug 24 '23 at 10:14