Pardha:
Hello guys,
How can we implement network policies on pods that do not have labels/selectors?
Ashok Kumar:
No, I think that is not possible, as netpol uses the matchLabels property to scan and assign the policy to the pods.
Dragan Pavlovski:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db               # the policy applies to pods carrying this label
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:                    # the three peers below are OR-ed together
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
Pardha:
I got a question on CKA to implement NP on different pods in different namespaces, with the pods having no labels.
Ashok Kumar:
Then you can add labels to the pods and implement netpol.
Pardha:
Thank you @Dragan Pavlovski, but I did practice this. I see it has matchLabels, but the pre-created pods had no labels.
Dragan Pavlovski:
No labels on pods, that is not what is asked.
Ashok Kumar:
Some time back even I got a question on CKAD saying create a PV, a PVC and consume it in a pod, but they didn't give the pod name and image, so I used nginx.
Dragan Pavlovski:
I tried this with pod labels and it worked.
Pardha:
@Ashok Kumar, thank you … I was confused. I did implement labels on my own, but that ate up some time and I am not sure it went right … thanks again, I will practice that scenario.
Dragan Pavlovski:
You should try with namespaces or something, I think.
Pardha:
There could be N number of pods in a namespace, so I suppose implementing labels would make sense?
Dragan Pavlovski:
Or you can always see the solution video for that exercise, if it is from the course.
Pardha:
I could, but this was from the CKA exam.
Dragan Pavlovski:
Oh sorry
Pardha:
Thank you though … that was kinda helpful.
If the pods in a namespace (namespace: blue) are deployed without labels, you can define a network policy for that specific namespace in the following way:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: blue
spec:
  podSelector: {}          # empty selector: every pod in the namespace, labelled or not
  policyTypes:
  - Ingress
  ingress:
  - from:                  # list the allowed peers here (podSelector, namespaceSelector, ipBlock)
In this case, all the pods deployed in the blue namespace will allow traffic from the peers defined in the ingress "from" section.
The Blue namespace has two pods and the Orange namespace has one pod. Both namespaces and the pods in them have no labels set.
The question is how to create a network policy that allows the Blue namespace pods to be accessed only from the Orange namespace on port 80. They shouldn't be accessible from other namespaces.
One possible solution could be (excuse the typos and YAML syntax) to label the Orange namespace and reference it in a namespaceSelector, as shown below. Any other solutions are welcome.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: blue
spec:
  podSelector: {}          # every pod in blue, labels or not
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          key: value       # the label applied to the Orange namespace (kubectl label ns orange key=value)
    ports:
    - protocol: TCP
      port: 80
Why not use matchExpressions in the namespaceSelector to let in only the pods of the other namespace (say blue)?
namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [blue]}   # label Kubernetes sets on every namespace
(pardon the syntax, but just giving the idea)
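A complete policy for the Blue/Orange scenario discussed above, added here as an example and not taken from any participant in the thread. It assumes a cluster on Kubernetes v1.22 or later, where every namespace automatically carries the kubernetes.io/metadata.name label, so the Orange namespace needs no manual labelling; the policy name is an arbitrary choice.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-orange
  namespace: blue            # the policy lives in the namespace whose pods it protects
spec:
  podSelector: {}            # empty selector: every pod in blue, labelled or not
  policyTypes:
  - Ingress                  # only ingress is restricted; egress from blue is untouched
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: orange   # label set by Kubernetes on every namespace (v1.22+)
    ports:
    - protocol: TCP
      port: 80               # only port 80/TCP from orange is allowed; everything else is dropped
```

Once a pod is selected by a policy with the Ingress type it becomes isolated, so traffic from every source not listed, including other pods in blue and any other namespace, is denied. Enforcement depends on a CNI plugin that implements NetworkPolicy; check the result with `kubectl describe netpol allow-from-orange -n blue` and `kubectl get ns orange --show-labels`.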