
pod-to-pod communication across namespace in the same cluster

I am confused about an elementary network concept in k8s; can someone kindly explain this to me please? Thank you!

as described here:

All ingress Pod-to-Pod communication has been denied across all namespaces. You want to allow the Pod busybox in namespace k1 to communicate with Pod nginx in namespace k2. You'll create a network policy to achieve that.

I created two pods in k1 and k2 separately in a KIND cluster, and I didn't create any network policy, so I understand pods in k1 are not allowed to talk to pods in k2; why am I seeing that the wget between the two pods is successful?

$k get ns k1 k2
k1     Active   10m
k2     Active   10m

$k get pod -A -o wide
NAMESPACE            NAME                                       READY   STATUS    RESTARTS   AGE   IP              NODE               NOMINATED NODE   READINESS GATES
k1                   busybox                                    1/1     Running   0          11m      t1-control-plane   <none>           <none>
k2                   nginx                                      1/1     Running   0          11m      t1-control-plane   <none>           <none>

$k get NetworkPolicy -A
No resources found

$k exec -it busybox -n k1 -- wget --timeout=5
Connecting to (
saving to 'index.html'
index.html           100% |********************************|   615  0:00:00 ETA
'index.html' saved


  • Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies

    By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace.

    As in the instructions you linked, you can create a "default" ingress isolation policy for the k2 namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.

    So traffic will be blocked from k1 to k2 only once this policy is created in the k2 namespace. It will block all ingress traffic to all pods in the k2 namespace.

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default-deny-ingress
      namespace: k2
    spec:
      podSelector: {}
      policyTypes:
      - Ingress

    The instructions say that once you create this default policy which blocks everything, you can then create further network policies to allow traffic, say, from a specific pod in the k1 namespace to a specific pod in the k2 namespace.

    You want to allow the Pod busybox in namespace k1 to communicate with Pod nginx in namespace k2. You'll create a network policy to achieve that

    So if you look in the solution folder, this is the policy which does that:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-ingress-networkpolicy
      namespace: k2
    spec:
      podSelector:
        matchLabels:
          app: backend
      policyTypes:
        - Ingress
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  role: consumer
          ports:
            - protocol: TCP
              port: 80

    This policy will apply to all pods in namespace k2 which have the label app: backend and will allow ingress traffic (over port 80) to those pods from pods in any namespace, where the namespace has the label role: consumer.
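To make the "no policy selects the pod means default allow, a selecting policy means deny unless a rule matches" logic above concrete, here is an added example that is not part of the question or answer: a small Python model of NetworkPolicy ingress evaluation (matchLabels only; ipBlock, matchExpressions and named ports are out of scope), run against the two manifests from the answer. It assumes nginx carries the label app: backend and namespace k1 carries role: consumer, neither of which is shown in the question.

```python
"""Constructed model of Kubernetes NetworkPolicy ingress evaluation."""

def _match(selector, labels):
    # A selector with no matchLabels ({}) matches everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_ok(peer, policy_ns, src):
    # A peer without namespaceSelector only matches pods in the policy's own namespace.
    if "namespaceSelector" in peer:
        if not _match(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return "podSelector" not in peer or _match(peer["podSelector"], src["labels"])

def ingress_allowed(policies, src, dst, port, proto="TCP"):
    """True if src may open proto/port to dst under the given policies."""
    isolating = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and _match(p["podSelector"], dst["labels"])]
    if not isolating:
        return True  # nothing selects dst: default allow, which is what the question saw
    for p in isolating:  # rules from every selecting policy are unioned
        for rule in p.get("ingress", []):
            peers, ports = rule.get("from"), rule.get("ports")
            src_ok = not peers or any(_peer_ok(pe, p["namespace"], src) for pe in peers)
            port_ok = not ports or any(pp["port"] == port and pp.get("protocol", "TCP") == proto
                                       for pp in ports)
            if src_ok and port_ok:
                return True
    return False  # a policy selects dst and no rule matched

# Constructed pods; labels are assumptions for illustration (not shown in the question)
BUSYBOX = {"namespace": "k1", "ns_labels": {"role": "consumer"}, "labels": {"app": "busybox"}}
NGINX = {"namespace": "k2", "ns_labels": {}, "labels": {"app": "backend"}}

# The two manifests from the answer, as dicts
DEFAULT_DENY = {"namespace": "k2", "podSelector": {}, "policyTypes": ["Ingress"]}
ALLOW_CONSUMER = {"namespace": "k2", "podSelector": {"matchLabels": {"app": "backend"}},
                  "policyTypes": ["Ingress"],
                  "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "consumer"}}}],
                               "ports": [{"protocol": "TCP", "port": 80}]}]}

def scenarios():
    both = [DEFAULT_DENY, ALLOW_CONSUMER]
    return {"no_policy": ingress_allowed([], BUSYBOX, NGINX, 80),
            "deny_only": ingress_allowed([DEFAULT_DENY], BUSYBOX, NGINX, 80),
            "deny_plus_allow": ingress_allowed(both, BUSYBOX, NGINX, 80),
            "wrong_port": ingress_allowed(both, BUSYBOX, NGINX, 443)}
```

A source pod in an unlabelled namespace is still blocked even with the allow policy in place, since the namespaceSelector does not match it.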