Hello Guys, how can we implement network policies on pods that do not have label . . .

Pardha:
Hello Guys,
how can we implement network policies on pods that do not have labels/selectors ?

Ashok Kumar:
No, I think that is not possible, as netpol uses the matchLabels property to scan and assign the policy to the pods

Dragan Pavlovski:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

Pardha:
I got a question on the CKA to implement a NP on different pods in different namespaces, with the pods having no labels

Ashok Kumar:
Then you can add labels to the pods and implement the netpol

Pardha:
Thank you @Dragan Pavlovski, but I did practice this; I see it has matchLabels, but the pre-created pods had no labels

Dragan Pavlovski:
no labels on pods, that is not what is asked

Ashok Kumar:
Some time back I also got a question on the CKAD saying create a PV and a PVC and consume them in a pod, but they didn't give the pod name and image, so I used nginx

Dragan Pavlovski:
I tried this with pod labels and it worked

Pardha:
@Ashok Kumar, thank you … I was confused. I did implement labels on my own, but that ate up some time and I am not sure it went right … thanks again, I will practice that scenario

Dragan Pavlovski:
You should try with namespaces or something, I think

Pardha:
There could be N number of pods in a namespace, so I suppose implementing labels would make sense?

Dragan Pavlovski:
Or you can always see the solution video for that exercise if it is from the course.

Pardha:
I could, but this was from the CKA exam :sweat_smile:

Dragan Pavlovski:
Oh sorry

Pardha:
Thank you though … that was kind of helpful.

If the pods in a namespace (namespace: blue) are deployed without labels, you can define a network policy for that specific namespace in the following way:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: blue
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:   # the allowed peers (podSelector, namespaceSelector or ipBlock) go here

In this case, all the pods deployed in the blue namespace will allow traffic from the peers listed in the ingress `from` section.

The Blue namespace has two pods and the Orange namespace has one pod. Neither the namespaces nor the pods in them have any labels set.

The question is how to create a Network Policy that allows the Blue namespace pods to be accessed only from the Orange namespace on port 80. They shouldn't be accessible from other namespaces.

One possible solution could be (excuse the typos and YAML syntax) to label the Orange namespace and reference it in a namespaceSelector as shown below. Any other solutions are welcome.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: blue
spec:
  podSelector: {}          # empty selector: applies to every pod in blue, labelled or not
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:   # namespaceSelector, not nodeSelector, selects the source namespace
        matchLabels:
          key: value       # placeholder: the label you add to the Orange namespace
    ports:
    - protocol: TCP
      port: 80

Why not use matchExpressions in the namespaceSelector to allow only the pods of the other namespace (say blue)?

namespaceSelector:
  matchExpressions:
  - key: namespace         # a label the namespace must carry; since v1.21 every namespace also
    operator: In           # gets the built-in kubernetes.io/metadata.name label with its name
    values:
    - blue

(pardon the syntax, but just giving the idea)
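The three posts above (the empty `podSelector: {}` policy for the blue namespace, the "allow blue from orange on port 80" question, and the `matchExpressions` suggestion) all hinge on how label selectors match pods that carry no labels. The following is an added example, not code from the thread or from Kubernetes itself: a small evaluator of NetworkPolicy selector semantics, fed with a constructed cluster state of unlabeled pods in `blue`, `orange` and a control namespace `green`. It assumes the namespaces carry the built-in `kubernetes.io/metadata.name` label (set automatically on clusters since v1.21) so the orange namespace does not need to be labelled by hand, and it models only podSelector, namespaceSelector, matchLabels, matchExpressions and ingress ports, leaving out ipBlock peers and egress.

```python
"""Evaluate NetworkPolicy selectors against unlabeled pods (added example, not
code from the thread). Models podSelector, namespaceSelector, matchLabels,
matchExpressions and ingress ports; ipBlock peers and egress are left out."""
from __future__ import annotations

from collections import namedtuple

Pod = namedtuple("Pod", "name namespace labels", defaults=({},))


def selector_matches(selector: dict | None, labels: dict[str, str]) -> bool:
    """LabelSelector semantics: an absent selector matches nothing, {} matches
    everything, and matchLabels / matchExpressions are ANDed together."""
    if selector is None:
        return False
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        key, values = expr["key"], expr.get("values", [])
        present = key in labels
        satisfied = {"In": present and labels[key] in values,
                     "NotIn": not present or labels[key] not in values,
                     "Exists": present, "DoesNotExist": not present}[expr["operator"]]
        if not satisfied:
            return False
    return True


def peer_matches(peer: dict, src: Pod, namespaces: dict, policy_ns: str) -> bool:
    """NetworkPolicyPeer: podSelector alone = pods in the policy's own namespace,
    namespaceSelector alone = every pod in matching namespaces, both = AND."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peers are not modelled
    if ns_sel is None and src.namespace != policy_ns:
        return False
    if ns_sel is not None and not selector_matches(ns_sel, namespaces.get(src.namespace, {})):
        return False
    return pod_sel is None or selector_matches(pod_sel, src.labels)


def ingress_allowed(policies: list[dict], namespaces: dict, src: Pod, dst: Pod,
                    port: int, protocol: str = "TCP") -> bool:
    """A pod is isolated for ingress only when some policy in its namespace
    selects it; a pod that no policy selects accepts traffic from anywhere."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"]["podSelector"], dst.labels)]
    if not selecting:
        return True
    for rule in (r for p in selecting for r in p["spec"].get("ingress", [])):
        ports = rule.get("ports")
        if ports and not any(x.get("port") == port and x.get("protocol", "TCP") == protocol
                             for x in ports):
            continue
        peers = rule.get("from")  # a rule without "from" admits every source
        if not peers or any(peer_matches(x, src, namespaces, dst.namespace) for x in peers):
            return True
    return False


# Constructed cluster state mirroring the thread: unlabeled pods in blue and
# orange, plus green as a control. Kubernetes has set the
# kubernetes.io/metadata.name label on every namespace since v1.21.
NAMESPACES = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("blue", "orange", "green")}
BLUE_1, BLUE_2 = Pod("blue-1", "blue"), Pod("blue-2", "blue")
ORANGE_1, GREEN_1 = Pod("orange-1", "orange"), Pod("green-1", "green")

# What the thread asks for: podSelector {} selects every pod in blue, labelled
# or not, and the namespaceSelector picks orange by its built-in name label.
ALLOW_FROM_ORANGE_80 = {
    "metadata": {"name": "allow-from-orange", "namespace": "blue"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"namespaceSelector": {"matchExpressions": [
                              {"key": "kubernetes.io/metadata.name",
                               "operator": "In", "values": ["orange"]}]}}],
                          "ports": [{"protocol": "TCP", "port": 80}]}]}}

# The pitfall from the first reply: matchLabels never selects an unlabeled pod,
# so this policy leaves every pod in blue non-isolated.
DB_ONLY = {
    "metadata": {"name": "db-from-frontend", "namespace": "blue"},
    "spec": {"podSelector": {"matchLabels": {"role": "db"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}]}]}}


def evaluate(policies: list[dict]) -> dict[str, bool]:
    """Which of the thread's flows reach blue-1 under the given policies."""
    flows = {"orange->blue:80": (ORANGE_1, 80), "orange->blue:443": (ORANGE_1, 443),
             "green->blue:80": (GREEN_1, 80), "blue->blue:80": (BLUE_2, 80)}
    return {name: ingress_allowed(policies, NAMESPACES, src, BLUE_1, port)
            for name, (src, port) in flows.items()}


if __name__ == "__main__":
    for label, pols in (("none", []), ("db-only", [DB_ONLY]), ("allow-from-orange", [ALLOW_FROM_ORANGE_80])):
        print(f"{label:18} {evaluate(pols)}")
```

Running it shows the two points the thread circles around: with no policy, or with a policy whose `podSelector` uses `matchLabels`, every flow to the unlabeled blue pods is allowed because nothing selects them; with `podSelector: {}` plus a namespaceSelector on orange, only `orange->blue:80` is allowed, and note that the blue pods can no longer reach each other either, since the empty selector isolates them from all sources not listed in `from`.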