How can I isolate pods in namespace using NetworkPolicy without disabling external traffic to Kubernetes pods

I am trying to isolate the pods in my namespace from other namespaces. I have tried to create a NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

This NetworkPolicy successfully isolates the pods in my namespace from other namespaces. But this policy, once applied, disables all external traffic to these pods. Is there any method to only block traffic from other namespaces and allow all external traffic to the pods?

Affinity answered 5/7, 2020 at 16:24 Comment(0)

Using a Kubernetes NetworkPolicy I don't believe it's possible to deny communication between pods while allowing all external traffic. This is because the Kubernetes NetworkPolicy resource doesn't have a concept of explicit Deny rules. I would either adjust your approach or consider another network policy that has Deny rules (such as Calico).

Solution:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-other-namespaces
  namespace: prod
spec:
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny
    protocol: TCP
    source:
      namespaceSelector: name == 'dev'
  - action: Allow
  egress:
  - action: Allow
Ordinal answered 5/7, 2020 at 21:1 Comment(3)
@odenSon, I have tried the Calico network policy, but sadly it didn't work for me. Affinity
@Affinity can you share the Calico NetworkPolicy resource YAML you used? Ordinal
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-ns
  namespace: dev
spec:
  selector: all()
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: all()
  - action: Allow
    source:
      nets:
      - 0.0.0.0/0
Affinity

The NetworkPolicy you applied is blocking the traffic from every source.

You can add authorized CIDR blocks in your definition:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
Odin answered 5/7, 2020 at 20:47 Comment(2)
Yes, I have tried to add a CIDR to my policy. But this would allow traffic from that particular CIDR, and if we give a CIDR like 0.0.0.0/0, all traffic gets routed to the pods, including traffic from another namespace. Affinity
0.0.0.0/0 allows traffic from every source; use the CIDR block of your load balancer. Lyricism

You can make sure that you namespace the NetworkPolicy resource and restrict the ingress/egress to just that namespace.

apiVersion: networking.k8s.io/v1  # extensions/v1beta1 was removed in Kubernetes 1.16; the v1 API carries the same fields
kind: NetworkPolicy
metadata:
  name: onlywithinnamespace
  namespace: mynamespace
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: mynamespace
    - podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          role: mynamespace
    - podSelector: {}
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  - Egress

Make sure that your namespace has the right labels to match:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    role: mynamespace
  name: mynamespace
Kannada answered 5/7, 2020 at 21:38 Comment(4)
This would allow traffic from that particular namespace, right? That is correct as per my first condition. But I am also trying to allow all external traffic. This method is blocking all external traffic. Affinity
External traffic from where? Kannada
External traffic via NodePort. Like if I try to expose one of my services using a NodePort and try to access the service through the NodePort, it won't pass that traffic to my service. Affinity
If that external traffic is coming from a load balancer, you can allow ingress on the load balancer's CIDR range in the same policy. Kannada

You can allow all traffic but block the traffic from the internal network.

The NetworkPolicy below allows access to all, except internal networks (192.168.0.0/16 and 172.23.40.0/24):

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-external
  namespace: dmz
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/16
        - 172.23.42.0/24
    - namespaceSelector:
        matchLabels:
          name: dmz
Hind answered 20/7, 2021 at 11:5 Comment(0)

In my case I had the same problem, and the response in this link https://mcmap.net/q/1778999/-how-to-stop-all-external-traffic-and-allow-only-inter-pod-network-call-within-namespace-using-network-policy is great.

Please create 2 network policies:

deny-from-other-namespaces

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

And web-allow-external

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-external
spec:
  podSelector:
    matchLabels:
      app: <label>
  ingress:
  - {}

The network policies are not mutually exclusive.

Demitria answered 2/8, 2022 at 9:8 Comment(0)
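To see why the asker's policy blocks NodePort traffic and how the v1 NetworkPolicy rules in this thread combine (the asker's deny-from-other-namespaces, Demitria's web-allow-external with its empty ingress rule, and an ipBlock rule with an except for the pod CIDR in the style of Hind's answer), here is a small evaluator of ingress semantics. It is added example code, not from the question or any answer; the pod CIDR 10.244.0.0/16, the namespace names, labels and all addresses are constructed assumptions, and matchExpressions are not modelled.

```python
import ipaddress
POD_CIDR = "10.244.0.0/16"  # assumption: the cluster's pod CIDR (constructed value)

def labels_match(selector, labels):
    """matchLabels only (matchExpressions omitted); an empty or absent selector matches all."""
    want = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in want.items())

def peer_matches(peer, policy_ns, src):
    """One entry of a rule's 'from' list. src['ns'] is None for a non-pod source."""
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if src["ns"] is None:            # pod/namespace selectors never match non-pod sources
        return False
    if "namespaceSelector" in peer:  # with a podSelector in the same entry, both must match
        if not labels_match(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["ns"] != policy_ns:     # a lone podSelector is scoped to the policy's namespace
        return False
    return "podSelector" not in peer or labels_match(peer["podSelector"], src["labels"])

def ingress_allowed(policies, policy_ns, src):
    """Kubernetes semantics: a pod is isolated once any Ingress-type policy selects it,
    and traffic passes if ANY rule of ANY such policy admits it. Rules can only allow."""
    applicable = [p for p in policies if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not applicable:
        return True
    for pol in applicable:
        for rule in pol["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers or any(peer_matches(p, policy_ns, src) for p in peers):
                return True
    return False

# The asker's policy, Demitria's web-allow-external, and an ipBlock variant; all select every pod.
DENY_OTHER_NS = {"spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]}}
ALLOW_ALL = {"spec": {"podSelector": {}, "ingress": [{}]}}
ALLOW_EXTERNAL = {"spec": {"podSelector": {}, "ingress": [
    {"from": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": [POD_CIDR]}}]}]}}
# Constructed sources: a pod in the same namespace, a pod in another namespace, an external client.
SAME_NS = {"ip": "10.244.1.5", "ns": "prod", "ns_labels": {"name": "prod"}, "labels": {}}
OTHER_NS = {"ip": "10.244.2.9", "ns": "dev", "ns_labels": {"name": "dev"}, "labels": {}}
EXTERNAL = {"ip": "203.0.113.7", "ns": None, "ns_labels": {}, "labels": {}}

def evaluate(policies):
    """(same namespace, other namespace, external) admission for policies living in 'prod'."""
    return tuple(ingress_allowed(policies, "prod", s) for s in (SAME_NS, OTHER_NS, EXTERNAL))
```

Evaluating the asker's policy alone gives (True, False, False); adding the empty-rule policy gives (True, True, True), because rules only ever add allows, so pods in other namespaces get in as well; adding the ipBlock-with-except policy instead gives (True, False, True), which admits any non-pod source such as NodePort traffic arriving from a node or client address outside the pod CIDR. An ingress controller or load balancer that itself runs as a pod would still need its own selector rule, since its pod IP falls inside the excepted range.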