Prevent inter-namespace communication in Kubernetes
I am new to Kubernetes networking.

We have separated a Kubernetes cluster into a set of namespaces (e.g. namespace-a, namespace-b). Every namespace has a set of Kubernetes pods. Every pod has a service that is available at my-svc.namespace-x.svc.cluster.local.

Now, we want to prevent pods in namespace-a from talking to services or pods that are part of namespace-b, and vice versa. Communication within a namespace should be unrestricted.

This is what I found as an example in the network policies documentation: https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

As far as I understand, this prevents network communication completely, for all pods across a namespace.

  • How can I allow all network traffic, but only within a particular namespace?
  • Do I need a networking plugin, such as Calico, Flannel or Weave? Which one should I choose?
Vantage answered 20/2, 2018 at 21:51 Comment(1)
You can find many examples of network policies here: github.com/ahmetb/kubernetes-network-policy-recipes
Somewise

Do I need a networking plugin, such as Calico, Flannel or Weave?

No matter what, you need a networking plugin, but not all plugins support the NetworkPolicy API object. According to the Declare Network Policy walkthrough, the following is a (probably non-exhaustive) list of plugins that do support NetworkPolicy:

Without a plugin that supports NetworkPolicy, creating the resource would have no effect.

Which one should I choose?

As for which one you should choose, stackoverflow is not the place for soliciting that kind of advice. What I can recommend is reading the overview/features documentation for the various options available. Maybe try one or two different plugins in a local development cluster to get a feel for how difficult or easy they are to install, maintain, and update.

How can I allow all network traffic, but only within a particular namespace?

Given your example setup, I think the following NetworkPolicy resources would address your need:

For pods in namespace-a, only allow ingress from namespace-a pods, denying ingress from any other source. Egress is unrestricted:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: namespace-a
spec:
  policyTypes:
  - Ingress
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: namespace-a

For pods in namespace-b, only allow ingress from namespace-b pods, denying ingress from any other source. Egress is unrestricted:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: namespace-b
spec:
  policyTypes:
  - Ingress
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: namespace-b

Note that this assumes you have set the name: namespace-a and name: namespace-b labels on your namespaces, similar to this:

apiVersion: v1
kind: Namespace
metadata:
  name: namespace-a
  labels:
    name: namespace-a
    other: labelname

I only point this out to avoid confusing you with regard to the fact that the labels I showed above happen to match up with your hypothetical namespace names. The labels can be arbitrary and potentially inclusive of multiple namespaces -- for example you might have namespace-a and namespace-c both with a label called other: labelname which would allow you to select multiple namespaces using a single namespaceSelector in your NetworkPolicy resource.

Yokoyama answered 21/2, 2018 at 13:58 Comment(0)
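The answer's policies are ingress-only, so a pod in namespace-a can still open a connection towards namespace-b; it is namespace-b's ingress rule that drops it. The small evaluator below is an added example (not code from the post or from Kubernetes) that models the subset of NetworkPolicy semantics used above (policyTypes, podSelector, and from/to peers with namespaceSelector and podSelector matchLabels; ipBlock and ports are not modelled) so you can check a policy set offline before applying it. It rebuilds the answer's two policies from a helper and, as an assumed extension not in the post, a stricter variant that also limits egress to the same namespace plus DNS in kube-system (matched via the kubernetes.io/metadata.name label Kubernetes sets on every namespace since v1.21 and the standard k8s-app: kube-dns pod label). All namespaces, labels and pods are constructed sample data.

```python
"""Offline evaluator for the NetworkPolicy semantics discussed in the answer.

Added example; not code from the original post or from Kubernetes. Only the
subset of the API used above is modelled: policyTypes, podSelector, and
ingress.from / egress.to peers built from namespaceSelector and podSelector
with matchLabels. ipBlock and ports are ignored. All data is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    namespace: str
    labels: dict = field(default_factory=dict)


def namespace_isolation_policy(ns: str, restrict_egress: bool = False) -> dict:
    """Build the answer's policy for namespace `ns` as a dict.

    restrict_egress=False reproduces the ingress-only policy from the answer.
    restrict_egress=True is an assumed extension (not from the post): egress is
    limited to the same namespace plus CoreDNS in kube-system, selected with the
    automatic kubernetes.io/metadata.name namespace label (Kubernetes v1.21+).
    """
    same_ns = {"namespaceSelector": {"matchLabels": {"name": ns}}}
    spec = {"podSelector": {}, "policyTypes": ["Ingress"],
            "ingress": [{"from": [same_ns]}]}
    if restrict_egress:
        dns = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
               "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}
        spec["policyTypes"].append("Egress")
        spec["egress"] = [{"to": [same_ns]}, {"to": [dns]}]
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": f"isolate-{ns}", "namespace": ns}, "spec": spec}


def labels_match(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec: dict) -> list:
    """Default policyTypes: Ingress always, Egress only when an egress section exists."""
    return spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))


def peer_matches(peer: dict, policy_ns: str, other: Pod, namespaces: dict) -> bool:
    """Does one from/to entry select `other`? A namespaceSelector can reach other
    namespaces; a lone podSelector only ever matches the policy's own namespace."""
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is not None:
        if not labels_match(ns_sel, namespaces.get(other.namespace, {})):
            return False
    elif other.namespace != policy_ns:
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or labels_match(pod_sel, other.labels)


def side_allows(pod: Pod, direction: str, other: Pod, policies: list, namespaces: dict) -> bool:
    """One side of a flow: "Ingress" (pod receives from other) or "Egress" (pod sends
    to other). A pod selected by no policy of that type is non-isolated and allows
    everything; otherwise at least one rule of a selecting policy must match."""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p["spec"] for p in policies
                 if p["metadata"]["namespace"] == pod.namespace
                 and direction in policy_types(p["spec"])
                 and labels_match(p["spec"].get("podSelector", {}), pod.labels)]
    if not selecting:
        return True
    for spec in selecting:
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peer_key)
            if not peers:  # a rule with no from/to matches every peer
                return True
            if any(peer_matches(pe, pod.namespace, other, namespaces) for pe in peers):
                return True
    return False


def flow_allowed(src: Pod, dst: Pod, policies: list, namespaces: dict) -> bool:
    """A connection needs the source's egress AND the destination's ingress to allow it."""
    return (side_allows(src, "Egress", dst, policies, namespaces)
            and side_allows(dst, "Ingress", src, policies, namespaces))


# Constructed sample cluster; the name: labels mirror the answer's Namespace manifest.
NAMESPACES = {
    "namespace-a": {"name": "namespace-a", "kubernetes.io/metadata.name": "namespace-a"},
    "namespace-b": {"name": "namespace-b", "kubernetes.io/metadata.name": "namespace-b"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}
WEB_A = Pod("namespace-a", {"app": "web"})
API_A = Pod("namespace-a", {"app": "api"})
WEB_B = Pod("namespace-b", {"app": "web"})
DNS = Pod("kube-system", {"k8s-app": "kube-dns"})

ANSWER_POLICIES = [namespace_isolation_policy("namespace-a"), namespace_isolation_policy("namespace-b")]
STRICT_POLICIES = [namespace_isolation_policy("namespace-a", True), namespace_isolation_policy("namespace-b", True)]


def summarize(policies: list) -> dict:
    """The flows worth checking before trusting a namespace-isolation policy set."""
    return {
        "a->a": flow_allowed(WEB_A, API_A, policies, NAMESPACES),
        "a->b": flow_allowed(WEB_A, WEB_B, policies, NAMESPACES),
        "a->dns": flow_allowed(WEB_A, DNS, policies, NAMESPACES),
        "a egress to b": side_allows(WEB_A, "Egress", WEB_B, policies, NAMESPACES),
    }


if __name__ == "__main__":
    print("answer's ingress-only policies:", summarize(ANSWER_POLICIES))
    print("with egress restricted too:   ", summarize(STRICT_POLICIES))
```

Running it shows the difference the question cares about: with the answer's policies, a->b is denied only because of b's ingress rule, while a's egress to b is still permitted; with the egress variant, a's own egress already blocks it, and DNS keeps working only because the kube-system rule was added explicitly. If you do add Egress to policyTypes on a real cluster, that DNS allowance is the one most people forget.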
