
I have multiple namespaces in my k8s cluster. All I want is that pods in the development namespace can communicate with all other pods in other namespaces but should not be able to communicate with resources in the production namespace.

I was not able to find a document for this scenario. There is a deny-all policy like this:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}          # empty selector: applies to every pod in this namespace
  policyTypes:             # no ingress/egress rules are listed, so both directions are denied
  - Egress
  - Ingress

but it applies at the pod level within the same namespace. How can I modify it to meet my requirements?

1 Answer


Referring to the docs here:

  1. Label all namespaces in development environment with environment=dev

  2. Label all namespaces in production environment with environment=prod

Then you can have a network policy as below:

  1. A default-deny policy, as you already have
  2. A policy to whitelist traffic to pods from namespaces with the label environment=prod

As below:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector: {}          # selects every pod in the namespace this policy is created in
  ingress:
  - from:
    - namespaceSelector:   # only pods in namespaces carrying this label may connect
        matchLabels:
          environment: "prod"
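To see how the deny-all and the whitelist policy combine, here is a small Python model of the ingress evaluation rules (an added illustration, not code from the answer or from Kubernetes itself). It models only namespaceSelector-based ingress rules and assumes namespaces named development, production and staging carrying the labels from the answer.

```python
"""Simplified model of how Kubernetes evaluates ingress NetworkPolicies."""
from dataclasses import dataclass, field

# Constructed namespace -> labels map, following the answer's labelling scheme.
NAMESPACES = {
    "development": {"environment": "dev"},
    "production": {"environment": "prod"},
    "staging": {},  # unlabelled namespace with no policies at all
}


@dataclass
class NetworkPolicy:
    namespace: str  # a policy only ever selects pods in its own namespace
    pod_selector: dict = field(default_factory=dict)  # {} selects every pod
    ingress_from: list = field(default_factory=list)  # namespaceSelector matchLabels per rule


def labels_match(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(src_ns: str, dst_ns: str, dst_pod_labels: dict, policies: list) -> bool:
    """True if a pod in src_ns may connect to a pod with dst_pod_labels in dst_ns.

    If no policy selects the destination pod, everything is allowed. Otherwise the
    connection is allowed only if some 'from' rule of a selecting policy matches the
    source namespace. A selecting policy with no rules permits nothing, which is why
    the deny-all policy from the question blocks traffic on its own.
    """
    selecting = [p for p in policies
                 if p.namespace == dst_ns and labels_match(p.pod_selector, dst_pod_labels)]
    if not selecting:
        return True  # unprotected pod: default allow
    src_labels = NAMESPACES[src_ns]
    return any(labels_match(rule, src_labels) for p in selecting for rule in p.ingress_from)


# The two policies the answer places in the production namespace.
PROD_POLICIES = [
    NetworkPolicy(namespace="production"),  # default-deny: selects all pods, no rules
    NetworkPolicy(namespace="production", ingress_from=[{"environment": "prod"}]),
]

if __name__ == "__main__":
    for src in NAMESPACES:
        print(src, "-> production:", ingress_allowed(src, "production", {"app": "nginx"}, PROD_POLICIES))
        print(src, "-> staging:", ingress_allowed(src, "staging", {"app": "nginx"}, PROD_POLICIES))
```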