0
votes

Using k8s network policy or Calico, can I only use these tools for pod-to-pod cluster network policies? I already have network rules for external cluster policies.

For example if I apply this calico rule:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-b
  namespace: app
spec:
  selector: app == 'a'
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == 'b'
    destination:
      ports:
        - 80

In this example I allow traffic coming from app B to app A. But this will disallow every other ingress traffic going to A. Would it be possible to only apply this rule from pod to pod?

1
Google East-West traffic. North-South is called from outside-inside cluster, and east-west is intra-cluster. - Carlos Garcia
@carlosGarcia sorry if my question was not clear, I've updated it. - nono

1 Answer

2
votes

You should read The NetworkPolicy resource; it provides an example NetworkPolicy with Ingress and Egress.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

The explanation is as follows:

  1. isolates “role=db” pods in the “default” namespace for both ingress and egress traffic (if they weren’t already isolated)
  2. (Ingress rules) allows connections to all pods in the “default” namespace with the label “role=db” on TCP port 6379 from:

    • any pod in the “default” namespace with the label “role=frontend”
    • any pod in a namespace with the label “project=myproject”
    • IP addresses in the ranges 172.17.0.0–172.17.0.255 and 172.17.2.0–172.17.255.255 (ie, all of 172.17.0.0/16 except 172.17.1.0/24)
  3. (Egress rules) allows connections from any pod in the “default” namespace with the label “role=db” to CIDR 10.0.0.0/24 on TCP port 5978

See the Declare Network Policy walkthrough for further examples.

So if you use a podSelector, you will be able to select pods for this Network Policy to apply to.
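To make the three points above concrete (a pod becomes isolated as soon as any policy selects it, the `from` peers are ORed, and the allow-list is the union of every policy that selects the pod), here is a small evaluator of NetworkPolicy ingress semantics. It is an added example, not code from the question, the answer or the Kubernetes docs. The pods, namespaces and IPs are constructed sample data; the docs' `test-network-policy` is reproduced as a dict, and the question's Calico rule is rewritten as a plain NetworkPolicy (`allow-ingress-from-b`) next to a second, hypothetical policy (`allow-external-to-a`) that shows how external access is regained without touching the pod-to-pod rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict
    ip: str


def labels_match(selector, labels):
    # matchLabels: every key/value must be present; {} matches everything
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer, policy_ns, src_pod, src_ns_labels, src_ip):
    """Evaluate one entry of a `from:` list. ipBlock matches on address;
    podSelector and namespaceSelector in the same entry are ANDed; a bare
    podSelector only covers pods in the policy's own namespace."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        addr = ipaddress.ip_address(src_ip)
        if addr not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))
    if src_pod is None:
        return False  # non-pod sources can only be matched by ipBlock
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"].get("matchLabels", {}), src_ns_labels):
            return False
    elif src_pod.namespace != policy_ns:
        return False
    if "podSelector" in peer and not labels_match(
            peer["podSelector"].get("matchLabels", {}), src_pod.labels):
        return False
    return True


def ingress_allowed(policies, namespaces, dst_pod, port, protocol="TCP",
                    src_pod=None, src_ip=None):
    """True if the connection is admitted to dst_pod. A pod is isolated for
    ingress once any policy in its namespace selects it; the allow-list is
    then the union of all selecting policies' ingress rules."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst_pod.namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and labels_match(p["spec"]["podSelector"].get("matchLabels", {}), dst_pod.labels)
    ]
    if not selecting:
        return True  # not isolated: Kubernetes default is allow-all
    if src_pod is not None:
        src_ip = src_pod.ip
    src_ns_labels = namespaces.get(src_pod.namespace, {}) if src_pod else {}
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            ports = rule.get("ports")
            if ports and not any(pp.get("protocol", "TCP") == protocol and pp.get("port") == port
                                 for pp in ports):
                continue
            peers = rule.get("from")
            if not peers:
                return True  # a rule without `from` admits any source
            if any(peer_matches(peer, pol["metadata"]["namespace"], src_pod, src_ns_labels, src_ip)
                   for peer in peers):
                return True
    return False


# Constructed sample cluster: namespace labels and a few pods.
NAMESPACES = {"default": {}, "team": {"project": "myproject"}, "app": {}}
DB = Pod("db", "default", {"role": "db"}, "10.244.0.5")
FRONTEND = Pod("frontend", "default", {"role": "frontend"}, "10.244.0.6")
CACHE = Pod("cache", "default", {"role": "cache"}, "10.244.0.7")
TEAM_POD = Pod("worker", "team", {"role": "batch"}, "10.244.1.2")
A = Pod("a", "app", {"app": "a"}, "10.244.2.1")
B = Pod("b", "app", {"app": "b", "role": "frontend"}, "10.244.2.2")
C = Pod("c", "app", {"app": "c"}, "10.244.2.3")

# The docs' test-network-policy from the answer, as a dict.
DOC_POLICY = {
    "metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [
                {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
                {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                {"podSelector": {"matchLabels": {"role": "frontend"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
    },
}
# The question's Calico rule written as a plain NetworkPolicy.
ALLOW_B_TO_A = {
    "metadata": {"name": "allow-ingress-from-b", "namespace": "app"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "a"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "b"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
    },
}
# Hypothetical second policy selecting the same pods: its rules are unioned
# with the first, so external clients regain access on port 80.
ALLOW_EXTERNAL_TO_A = {
    "metadata": {"name": "allow-external-to-a", "namespace": "app"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "a"}},
        "ingress": [{"from": [{"ipBlock": {"cidr": "203.0.113.0/24"}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
    },
}

if __name__ == "__main__":
    print("b -> a:80 ", ingress_allowed([ALLOW_B_TO_A], NAMESPACES, A, 80, src_pod=B))
    print("ext -> a:80", ingress_allowed([ALLOW_B_TO_A, ALLOW_EXTERNAL_TO_A],
                                         NAMESPACES, A, 80, src_ip="203.0.113.5"))
```

The evaluator shows why the question's worry is only half right: a single policy selecting `app=a` does isolate it and drop all other ingress, but policies are additive, so a second policy with an `ipBlock` peer for the existing external rules restores that traffic while `app=c` stays blocked. It also shows that a bare `podSelector` peer never reaches across namespaces; `B` carries `role=frontend` but lives in `app`, so it cannot reach `db` under the docs' policy.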