I have the following pods in the default namespace:
web-test-pod-01 1/1 Running 0 19m app=web-test-pod-01
web-test-pod-02 1/1 Running 0 18m app=web-test-pod-02
And in another namespace called devwebapp I have the following:
NAME READY STATUS RESTARTS AGE LABELS
pod/webapp-01 1/1 Running 0 47m run=webapp-01
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE LABELS
service/svc-webapp-01 ClusterIP 10.109.4.169 <none> 80/TCP 46m run=webapp-01
I also have a network policy called np-webapp-01 and its yaml descriptor:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-webapp-01
  namespace: devwebapp
spec:
  podSelector:
    matchLabels:
      run: webapp-01
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
        - podSelector:
            matchLabels:
              app: web-test-pod-01
      ports:
        - protocol: TCP
          port: 80
I am trying to allow only the pod web-test-pod-01 in the default namespace to access the svc-webapp-01 service, but at the moment all pods in the default namespace can access it.
$ k exec web-test-pod-01 -- curl -I svc-webapp-01.devwebapp.svc
HTTP/1.1 200 OK
Server: nginx/1.23.4
Date: Thu, 18 May 2023 08:32:34 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT
Connection: keep-alive
ETag: "64230162-267"
Accept-Ranges: bytes
The following pod should not be able to access the service but as of now it can reach it!
$ k exec web-test-pod-02 -- curl -I svc-webapp-01.devwebapp.svc
HTTP/1.1 200 OK
Server: nginx/1.23.4
Date: Thu, 18 May 2023 08:33:21 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT
Connection: keep-alive
ETag: "64230162-267"
Accept-Ranges: bytes
I am not sure why the podSelector in the network policy is not taking effect.
In a network policy there are two ways of combining the pod and namespace selectors. You can find them in this git link.
The example below is an OR condition (the policy is enforced based on namespaceSelector or podSelector):
ingress:
  - from:
      - namespaceSelector:
          matchLabels:
            team: operations
      - podSelector:
          matchLabels:
            type: monitoring
You have used the above condition, while this example is an AND condition:
ingress:
  - from:
      - namespaceSelector:
          matchLabels:
            team: operations
        podSelector:
          matchLabels:
            type: monitoring
Can you try the 'AND' condition and let me know if this works?
Attaching a blog written by Ashish Choudhary for reference.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-webapp-01
  namespace: devwebapp
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
          podSelector:
            matchLabels:
              app: web-test-pod-01
      ports:
        - port: 80
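To make the OR-versus-AND difference concrete, here is an added example (not code from the question, the answer or Kubernetes itself) that evaluates a NetworkPolicy `from` list against a connecting pod. It implements only matchLabels (no matchExpressions, ipBlock or ports), and it models the extra rule that a podSelector without a namespaceSelector only selects pods in the policy's own namespace; the pod names and labels are the ones from the question.

```python
# Added example: a minimal evaluator for the `from` clause of a NetworkPolicy
# ingress rule. Only matchLabels is implemented (no matchExpressions, ipBlock
# or ports), which is enough to show why the two YAML shapes differ.

def selector_matches(selector, labels):
    """Every matchLabels key/value must be present on the object's labels."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src):
    """One entry of `from`: a namespaceSelector and podSelector in the same entry are ANDed.
    A podSelector without a namespaceSelector only selects pods in the policy's namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if src["namespace"] != policy_ns:
            return False
    elif not selector_matches(ns_sel, src["ns_labels"]):
        return False
    if pod_sel is not None and not selector_matches(pod_sel, src["pod_labels"]):
        return False
    return True

def ingress_allowed(rule, policy_ns, src):
    """Separate entries in `from` are ORed: any one matching entry admits the traffic."""
    return any(peer_allows(p, policy_ns, src) for p in rule["from"])

NS_DEFAULT = {"kubernetes.io/metadata.name": "default"}
# The two `from` blocks discussed above: the question's (OR) and the answer's (AND).
OR_RULE = {"from": [
    {"namespaceSelector": {"matchLabels": NS_DEFAULT}},
    {"podSelector": {"matchLabels": {"app": "web-test-pod-01"}}},
]}
AND_RULE = {"from": [
    {"namespaceSelector": {"matchLabels": NS_DEFAULT},
     "podSelector": {"matchLabels": {"app": "web-test-pod-01"}}},
]}

def source(ns, app):
    """A connecting pod, described by its namespace, namespace labels and pod labels (constructed)."""
    return {"namespace": ns, "ns_labels": {"kubernetes.io/metadata.name": ns}, "pod_labels": {"app": app}}

POD_01 = source("default", "web-test-pod-01")
POD_02 = source("default", "web-test-pod-02")

if __name__ == "__main__":
    for name, rule in (("OR form", OR_RULE), ("AND form", AND_RULE)):
        for pod in (POD_01, POD_02):
            verdict = "allowed" if ingress_allowed(rule, "devwebapp", pod) else "denied"
            print(name, pod["pod_labels"]["app"], "->", verdict)
```

With the OR form, web-test-pod-02 is admitted by the namespaceSelector entry alone, and the podSelector-only entry additionally admits any pod labelled app=web-test-pod-01 inside devwebapp itself; the AND form admits only web-test-pod-01 from default.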