I have a Kubernetes cluster set up using kubeadm.
I'm trying to define a network policy which restricts access from outside the namespace but doesn't block access from outside (external IP).
To elaborate, I want the pods to be accessible from other pods in the namespace and via external IP address, but not from other namespaces.
Any ideas?
- Have you looked into OpenShift? It is a Kubernetes fork with better multitenant support, and does this out of the box. – Michael Hampton, Sep 29, 2018 at 13:12
1 Answer
I used the following network policy and it worked for me:

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: policy-test
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
    - namespaceSelector:
        matchLabels:
          access: "true"
```

Based on what I know, external access is granted through kube-proxy, which is a pod in the kube-system namespace. This network policy will allow all the pods from the policy-test namespace and any namespace with the access=true label.

Applying this network policy and adding the access=true label to the kube-system namespace will solve the issue.

Adding the label:

```
kubectl label namespace/kube-system access=true
```

- This is tricky, I wish there was a cleaner solution. – Elouan Keryell-Even, Nov 6, 2019 at 14:46
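The policy in the answer relies on a detail of NetworkPolicy semantics that is easy to get wrong: two separate entries under `from` are OR'ed (pods in the policy's own namespace, OR any pod in a namespace labelled access=true), whereas the same two selectors written in one entry are AND'ed (only pods in labelled namespaces, which would lock out the namespace's own pods). The following is an added example, not code from the original answer or from Kubernetes; it is a small offline model of ingress evaluation that supports matchLabels selectors and the podSelector/namespaceSelector peer forms only (matchExpressions, ipBlock, ports and egress are not modelled). The namespace labels, pod labels and the "tenant-b" namespace are constructed for the demonstration.

```python
"""Offline model of Kubernetes NetworkPolicy ingress semantics.

Added example for this thread, not code from the original post or from
Kubernetes. Models matchLabels selectors and the podSelector /
namespaceSelector peer combinations only; matchExpressions, ipBlock,
ports and egress are not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    namespace: str
    labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """Label-selector semantics: a missing selector, {}, or `matchLabels:`
    with no value (null) all match every object."""
    if selector is None:
        return True
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_allows(peer, src, namespaces, policy_ns):
    """One entry of `from`. podSelector alone is scoped to the policy's own
    namespace; namespaceSelector alone admits every pod of a matching
    namespace; both in the same entry is an AND."""
    pod_sel = peer.get("podSelector")
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces.get(src.namespace, {})):
            return False
        return pod_sel is None or selector_matches(pod_sel, src.labels)
    return src.namespace == policy_ns and selector_matches(pod_sel, src.labels)


def ingress_allowed(policy, dst, src, namespaces):
    """True if src may reach dst. A policy that does not select dst imposes
    no restriction (no other policies are modelled here)."""
    ns = policy["metadata"]["namespace"]
    spec = policy["spec"]
    if dst.namespace != ns or not selector_matches(spec.get("podSelector"), dst.labels):
        return True
    for rule in spec.get("ingress") or []:
        froms = rule.get("from")
        if not froms:
            return True          # a rule without `from` admits every source
        if any(peer_allows(p, src, namespaces, ns) for p in froms):
            return True
    return False                 # selected and isolated, no rule matched


# The policy from the answer: two separate `from` entries, i.e. an OR.
POLICY_OR = {
    "metadata": {"namespace": "policy-test", "name": "deny-from-other-namespaces"},
    "spec": {
        "podSelector": {"matchLabels": None},
        "ingress": [{"from": [
            {"podSelector": {}},
            {"namespaceSelector": {"matchLabels": {"access": "true"}}},
        ]}],
    },
}

# The common mistake: the same two selectors in ONE entry, i.e. an AND.
POLICY_AND = {
    "metadata": {"namespace": "policy-test", "name": "deny-from-other-namespaces"},
    "spec": {
        "podSelector": {"matchLabels": None},
        "ingress": [{"from": [
            {"podSelector": {}, "namespaceSelector": {"matchLabels": {"access": "true"}}},
        ]}],
    },
}

# Constructed namespace labels, as after `kubectl label namespace/kube-system access=true`.
NAMESPACES = {"policy-test": {}, "kube-system": {"access": "true"}, "tenant-b": {}}


def evaluate(policy):
    """Which constructed sources can reach a pod in policy-test under `policy`."""
    target = Pod("policy-test", {"app": "web"})
    sources = {
        "same-namespace": Pod("policy-test", {"app": "client"}),
        "kube-system": Pod("kube-system", {"k8s-app": "kube-proxy"}),
        "other-namespace": Pod("tenant-b", {"app": "client"}),
    }
    return {name: ingress_allowed(policy, target, src, NAMESPACES)
            for name, src in sources.items()}


if __name__ == "__main__":
    for name, pol in (("OR (as posted)", POLICY_OR), ("AND (one entry)", POLICY_AND)):
        print(name, evaluate(pol))
```

Running it shows the posted policy admitting same-namespace and kube-system sources while rejecting tenant-b, and the single-entry variant rejecting the namespace's own pods as well. Whether externally originated traffic reaches the CNI with a kube-system pod as its source, with the node's IP, or with the original client address depends on the CNI plugin and on the Service's externalTrafficPolicy, and is outside this model; verify the external path on the actual cluster before relying on the kube-system label.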