Shane McGovern:
For restricting traffic from a select namespace, if the namespace has no labels in it, can it be done through namespaceSelector or matchExpressions, or would the namespace itself have to be labeled?
Pranay:
Yes - for ingress, if you want to block or allow ingress from a selected namespace, that namespace will have to be selected via namespaceSelector or matchExpressions, and for that the namespace in question should have a label that you can select on (if no label is there, you can add it).
controlplane $ kubectl explain netpol.spec.ingress.from.namespaceSelector
KIND:     NetworkPolicy
VERSION:  networking.k8s.io/v1

RESOURCE: namespaceSelector <Object>

DESCRIPTION:
     Selects Namespaces using cluster-scoped labels. This field follows standard
     label selector semantics; if present but empty, it selects all namespaces.
     If PodSelector is also set, then the NetworkPolicyPeer as a whole selects
     the Pods matching PodSelector in the Namespaces selected by
     NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected
     by NamespaceSelector.

     A label selector is a label query over a set of resources. The result of
     matchLabels and matchExpressions are ANDed. An empty label selector matches
     all objects. A null label selector matches no objects.

FIELDS:
   matchExpressions   <[]Object>
     matchExpressions is a list of label selector requirements. The requirements
     are ANDed.

   matchLabels   <map[string]string>
     matchLabels is a map of {key,value} pairs. A single {key,value} in the
     matchLabels map is equivalent to an element of matchExpressions, whose key
     field is "key", the operator is "In", and the values array contains only
     "value". The requirements are ANDed.
But on the other hand, if they ask you to apply a policy for all pods in a given namespace, then there is an easy way to do that - see below (I was caught off-guard on this during the exam).
(Read the last line in podSelector.)
Pranay:
controlplane $ kubectl explain netpol.spec
KIND:     NetworkPolicy
VERSION:  networking.k8s.io/v1

RESOURCE: spec <Object>

DESCRIPTION:
     Specification of the desired behavior for this NetworkPolicy.

     NetworkPolicySpec provides the specification of a NetworkPolicy

FIELDS:
   egress   <[]Object>
     List of egress rules to be applied to the selected pods. Outgoing traffic
     is allowed if there are no NetworkPolicies selecting the pod (and cluster
     policy otherwise allows the traffic), OR if the traffic matches at least
     one egress rule across all of the NetworkPolicy objects whose podSelector
     matches the pod. If this field is empty then this NetworkPolicy limits all
     outgoing traffic (and serves solely to ensure that the pods it selects are
     isolated by default). This field is beta-level in 1.8

   ingress   <[]Object>
     List of ingress rules to be applied to the selected pods. Traffic is
     allowed to a pod if there are no NetworkPolicies selecting the pod (and
     cluster policy otherwise allows the traffic), OR if the traffic source is
     the pod's local node, OR if the traffic matches at least one ingress rule
     across all of the NetworkPolicy objects whose podSelector matches the pod.
     If this field is empty then this NetworkPolicy does not allow any traffic
     (and serves solely to ensure that the pods it selects are isolated by
     default)

   podSelector   <Object> -required-
     Selects the pods to which this NetworkPolicy object applies. The array of
     ingress rules is applied to any pods selected by this field. Multiple
     network policies can select the same set of pods. In this case, the ingress
     rules for each are combined additively. This field is NOT optional and
     follows standard label selector semantics. An empty podSelector matches all
     pods in this namespace.

   policyTypes   <[]string>
     List of rule types that the NetworkPolicy relates to. Valid options are
     "Ingress", "Egress", or "Ingress,Egress". If this field is not specified,
     it will default based on the existence of Ingress or Egress rules; policies
     that contain an Egress section are assumed to affect Egress, and all
     policies (whether or not they contain an Ingress section) are assumed to
     affect Ingress. If you want to write an egress-only policy, you must
     explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write
     a policy that specifies that no egress is allowed, you must specify a
     policyTypes value that include "Egress" (since such a policy would not
     include an Egress section and would otherwise default to just [ "Ingress"
     ]). This field is beta-level in 1.8
Arun Fernandes:
@Pranay so can we use something like this to allow traffic to a specific namespace & all pods within the same namespace?
Arun Fernandes:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
  namespace: myns
spec:
  podSelector:
    matchLabels:
  ingress:
AJose:
I believe this should be the correct way.
AJose:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
  namespace: myns
spec:
  podSelector: {}
  ingress:
AJose:
@Mumshad Mannambeth please comment
Arun Fernandes:
When I used the above-mentioned policy, I was able to access the pods from other namespaces as well.
AJose:
ok I didn't test it
Arun Fernandes:
can we use the matchLabels field as the namespace name itself…
Arun Fernandes:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: intra-namespace
  namespace: freeforall
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: freeforall
Arun Fernandes:
Name:         intra-namespace
Namespace:    freeforall
Created on:   2020-12-07 00:35:58 -0500 EST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: name=freeforall
  Not affecting egress traffic
  Policy Types: Ingress
Arun Fernandes:
can you give this one a try:
apiVersion: v1
kind: Namespace
metadata:
  name: freeforall
  labels:
    name: freeforall
Arun Fernandes:
@AJose, my bad. Actually both work fine. The difference is one has the label for the namespace & the other doesn't.
AJose:
you mean whichever is sent, does it work?
Arun Fernandes:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
  namespace: myns
spec:
  podSelector: {}
  ingress:
Arun Fernandes:
this one also works fine