I am trying to isolate the pods in my namespace from other namespaces. I have tried to create a NetworkPolicy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels: {}
  ingress:
  - from:
    - podSelector: {}
```

This NetworkPolicy successfully isolates the pods in my namespace from other namespaces. But this policy, once applied, disables all external traffic to these pods. Is there any method to block only traffic from other namespaces and allow all external traffic to the pods?
Using a Kubernetes NetworkPolicy I don't believe it's possible to deny communication between pods while allowing all external traffic. This is because the Kubernetes NetworkPolicy resource doesn't have a concept of explicit Deny rules. I would either adjust your approach or consider another network policy that has Deny rules (such as Calico).

Solution:

```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-other-namespaces
  namespace: prod
spec:
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny
    protocol: TCP
    source:
      namespaceSelector: name == 'dev'
  - action: Allow
  egress:
  - action: Allow
```
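To make the difference between the two policy models concrete, here is an added example (not part of the question or the answer above, and not Calico's or Kubernetes' own code): a small offline evaluator that replays three constructed flows (a pod in the same namespace, a pod in `dev`, and an external client) against the asker's `networking.k8s.io/v1` policy and the answer's Calico policy. It assumes the asker's policy lives in namespace `prod`, that namespaces carry a `name` label (which the Calico `name == 'dev'` selector relies on), and it only parses the `key == 'value'` selector form that appears on the page; the pod IPs, labels and the client address `203.0.113.7` are constructed sample data.

```python
"""Offline evaluator for the two ingress policies on this page (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed namespace labels (assumption: each namespace has a `name` label).
NAMESPACE_LABELS = {"prod": {"name": "prod"}, "dev": {"name": "dev"}}


@dataclass
class Source:
    """Where a connection comes from: a pod, or an external client (namespace=None)."""
    ip: str
    namespace: Optional[str] = None
    labels: dict = field(default_factory=dict)
    protocol: str = "TCP"


# Constructed sample flows arriving at a pod in namespace `prod`.
FLOWS = {
    "same-namespace pod": Source("10.244.1.5", "prod", {"app": "web"}),
    "pod in dev namespace": Source("10.244.2.9", "dev", {"app": "test"}),
    "external client": Source("203.0.113.7"),  # TEST-NET-3 address, outside the cluster
}

# The asker's policy (namespace `prod` assumed), as the API object would be parsed.
K8S_POLICY = {
    "metadata": {"name": "deny-from-other-namespaces", "namespace": "prod"},
    "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]},
}

# The answer's Calico policy, as parsed.
CALICO_POLICY = {
    "metadata": {"name": "deny-other-namespaces", "namespace": "prod"},
    "spec": {
        "selector": "all()",
        "types": ["Ingress", "Egress"],
        "ingress": [
            {"action": "Deny", "protocol": "TCP",
             "source": {"namespaceSelector": "name == 'dev'"}},
            {"action": "Allow"},
        ],
        "egress": [{"action": "Allow"}],
    },
}


def labels_match(selector, labels):
    """Kubernetes label selector (matchLabels only); an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def k8s_peer_matches(peer, policy_ns, src):
    """One entry of a NetworkPolicy `from` list: ipBlock, or pod/namespace selectors."""
    if "ipBlock" in peer:
        ip, block = ip_address(src.ip), peer["ipBlock"]
        return ip in ip_network(block["cidr"]) and not any(
            ip in ip_network(ex) for ex in block.get("except", []))
    if src.namespace is None:  # selectors never match traffic that is not from a pod
        return False
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        if src.namespace != policy_ns:  # no namespaceSelector => policy's own namespace
            return False
    elif not labels_match(ns_sel, NAMESPACE_LABELS.get(src.namespace, {})):
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or labels_match(pod_sel, src.labels)


def k8s_ingress_allowed(policy, src):
    """networking.k8s.io/v1 semantics: a pure allow-list with no Deny action.
    Traffic reaches a selected pod only if some rule's `from` matches it."""
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        if "from" not in rule:  # a rule without `from` allows every source
            return True
        if any(k8s_peer_matches(p, policy_ns, src) for p in rule["from"]):
            return True
    return False


def calico_selector_matches(expr, labels):
    """Minimal parser for the `key == 'value'` selector form used on the page."""
    key, _, value = expr.partition("==")
    return labels.get(key.strip()) == value.strip().strip("'\"")


def calico_ingress_allowed(policy, src):
    """Calico semantics: rules are evaluated in order and the first match decides;
    a selected endpoint with no matching rule is denied."""
    for rule in policy["spec"].get("ingress", []):
        if "protocol" in rule and rule["protocol"] != src.protocol:
            continue
        source = rule.get("source", {})
        if "namespaceSelector" in source and (
                src.namespace is None or not calico_selector_matches(
                    source["namespaceSelector"], NAMESPACE_LABELS.get(src.namespace, {}))):
            continue
        return rule["action"] == "Allow"
    return False


def evaluate(evaluator, policy):
    """Map each constructed flow name to True (allowed) or False (denied)."""
    return {name: evaluator(policy, src) for name, src in FLOWS.items()}


if __name__ == "__main__":
    print("kubernetes:", evaluate(k8s_ingress_allowed, K8S_POLICY))
    print("calico:    ", evaluate(calico_ingress_allowed, CALICO_POLICY))
```

Running it shows the asker's policy admitting only the same-namespace pod (the external client is dropped because no `from` peer can describe it), while the Calico policy denies the `dev` pod by its first rule and falls through to `Allow` for everything else, including the external client.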