4
votes

I am trying to isolate my pods in namespace from other namespaces. I have tried to create a NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

This NetworkPolicy successfully isolates the pods in my namespace from other namespaces. But once applied, this policy also blocks all external traffic to these pods. Is there any method to block only traffic from other namespaces and allow all external traffic to the pods?


4 Answers

1
votes

Using a Kubernetes NetworkPolicy I don't believe it's possible to deny communication between pods while allowing all external traffic. This is because the Kubernetes NetworkPolicy resource doesn't have a concept of explicit Deny rules. I would either adjust your approach or consider another network policy that has Deny rules (such as Calico).

Solution:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-other-namespaces
  namespace: prod
spec:
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny
    protocol: TCP
    source:
      namespaceSelector: name == 'dev'
  - action: Allow
  egress:
  - action: Allow

1
votes

The NetworkPolicy you applied is blocking the traffic from every source.

You can add authorized CIDR blocks in your definition:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16

1
votes

You can make sure that you namespace the NetworkPolicy resource and restrict the ingress/egress to just that namespace.

apiVersion: networking.k8s.io/v1  # extensions/v1beta1 was removed in Kubernetes 1.16
kind: NetworkPolicy
metadata:
  name: onlywithinnamespace
  namespace: mynamespace
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: mynamespace
    - podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          role: mynamespace
    - podSelector: {}
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  - Egress

Make sure that your namespace has the right labels to match:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    role: mynamespace
  name: mynamespace

0
votes

You can allow all traffic but block the traffic from the internal network.

The NetworkPolicy below allows access to all, except internal networks (192.168.0.0/16 and 172.23.40.0/24):

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-external
  namespace: dmz
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/16
        - 172.23.42.0/24
    - namespaceSelector:
        matchLabels:
          name: dmz
  # Listing Ingress in policyTypes without any ingress rule denies all
  # inbound traffic; this mirrors the egress rule so external clients
  # (and pods in this namespace) are still allowed in.
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/16
        - 172.23.42.0/24
    - namespaceSelector:
        matchLabels:
          name: dmz
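Applying the ipBlock technique from the answers above to ingress gives a standard networking.k8s.io/v1 policy that does what the question asks, as an added example that is not from the question or any answer: it assumes the namespace is called prod and that the cluster's pod CIDR is 10.244.0.0/16 (both placeholders). Pods in other namespaces always source from pod IPs, so excluding the pod CIDR from the "anywhere" rule drops them while the same-namespace rule keeps local traffic working.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-external
  namespace: prod            # assumed namespace name
spec:
  podSelector: {}            # applies to every pod in the namespace
  policyTypes:
  - Ingress                  # egress is left unrestricted
  ingress:
  # Rule 1: any pod in this namespace (same as the question's policy).
  - from:
    - podSelector: {}
  # Rule 2: any source address that is NOT a pod IP. Pods in other
  # namespaces match neither rule and are denied; clients outside the
  # cluster match this rule and are allowed.
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.244.0.0/16      # assumed pod CIDR; use the cluster's actual value
```

If external traffic arrives through a NodePort or LoadBalancer Service that SNATs to a node address, node IPs must not appear in `except`; setting `externalTrafficPolicy: Local` on the Service preserves the real client source address instead.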