kuberneteskubernetes-ingresskubernetes-networkpolicykubernetes-networking

How can I isolate pods in namespace using NetworkPolicy without disabling external traffic to Kubernetes pods


I am trying to isolate my pods in namespace from other namespaces. I have tried to create a NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

This NetworkPolicy successfully isolating pods in my namespace from another namespace. But this policy, once applied, disables all external traffic to these pods. Is there any method for only block traffic from other namespaces and allow all external traffic to the pods.


Solution

  • Using a kubernetes networkPolicy I don't believe its possible to deny communication between pods while allowing all external traffic. This is because the kubernetes networkPolicy resource doesn't have a concept of explicit Deny rules. I would either adjust your approach or consider another network policy that has Deny rules (such as Calico).

    Solution:

    apiVersion: projectcalico.org/v3
    kind: NetworkPolicy
    metadata:
      name: deny-other-namespaces
      namespace: prod
    spec:
      selector: all()
      types:
      - Ingress
      - Egress
      ingress:
      - action: Deny
        protocol: TCP
        source:
          namespaceSelector: name == 'dev'
      - action: Allow
      egress:
      - action: Allow