04-deny-traffic-from-other-namespaces.md

File metadata and controls

86 lines (66 loc) · 2.33 KB

DENY all traffic from other namespaces

(a.k.a. LIMIT access to the current namespace)

You can configure a NetworkPolicy to deny all traffic from other namespaces while allowing all traffic coming from the same namespace the pod is deployed to.

Use Cases

  • You do not want deployments in the test namespace to accidentally send traffic to other services or databases in the prod namespace.
  • You host applications from different customers in separate Kubernetes namespaces and you would like to block traffic coming from outside each namespace.

Diagram of DENY all traffic from other namespaces policy

Example

Start a web service in namespace default:

$ kubectl run --generator=run-pod/v1 web --namespace default --image=nginx \
--labels=app=web --expose --port 80

Save the following manifest to deny-from-other-namespaces.yaml and apply to the cluster:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: default
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

$ kubectl apply -f deny-from-other-namespaces.yaml
networkpolicy "deny-from-other-namespaces" created

Note a few things about this manifest:

  • namespace: default deploys it to the default namespace.
  • it applies the policy to ALL pods in the default namespace, as spec.podSelector.matchLabels is empty and therefore selects all pods.
  • it allows traffic from ALL pods in the default namespace, as spec.ingress.from.podSelector is empty and therefore selects all pods in the policy's own namespace (a podSelector peer without a namespaceSelector never matches pods in other namespaces).
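As an added illustration (not code from the recipe or from the kubernetes-network-policy-recipes project), the Python below models the selection rules the three notes describe and replays the two probes from "Try it out" against that model. The manifest is embedded as a dict rather than parsed YAML so it runs without a YAML library; it models only podSelector peers, the only peer type this page uses, and assumes this is the sole policy selecting the pod.

```python
# Constructed copy of this recipe's manifest (dict instead of YAML; no PyYAML needed).
POLICY = {
    "metadata": {"namespace": "default", "name": "deny-from-other-namespaces"},
    "spec": {
        "podSelector": {"matchLabels": None},          # empty -> every pod in "default"
        "ingress": [{"from": [{"podSelector": {}}]}],   # empty peer -> every pod in "default"
    },
}


def selector_matches(selector, labels):
    """An empty or null selector matches every pod; otherwise every matchLabels pair must be present."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(key) == value for key, value in wanted.items())


def ingress_allowed(policy, src, dst):
    """Decide whether `policy` lets pod `src` reach pod `dst` (pods: {"namespace": str, "labels": dict}).

    Only podSelector peers are modelled (the form used on this page); a peer with
    no namespaceSelector matches pods in the policy's own namespace only.
    """
    policy_ns = policy["metadata"]["namespace"]
    spec = policy["spec"]
    # A destination outside the policy's namespace, or not selected by spec.podSelector,
    # is not isolated by this policy, so traffic to it is still allowed.
    if dst["namespace"] != policy_ns or not selector_matches(spec["podSelector"], dst["labels"]):
        return True
    for rule in spec.get("ingress", []):
        if not rule.get("from"):      # a rule with no "from" admits traffic from everywhere
            return True
        for peer in rule["from"]:
            if src["namespace"] == policy_ns and selector_matches(peer.get("podSelector"), src["labels"]):
                return True
    # Selected pod, no matching rule: isolated (an absent or empty ingress list denies everything).
    return False


def recipe_results():
    """Replay the two probes from 'Try it out' against the model."""
    web = {"namespace": "default", "labels": {"app": "web"}}
    from_foo = {"namespace": "foo", "labels": {}}          # the test pod in namespace foo
    from_default = {"namespace": "default", "labels": {}}  # the test pod in namespace default
    return {
        "foo -> web": ingress_allowed(POLICY, from_foo, web),
        "default -> web": ingress_allowed(POLICY, from_default, web),
    }


if __name__ == "__main__":
    for probe, allowed in recipe_results().items():
        print(f"{probe}: {'allowed' if allowed else 'denied'}")
```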

Try it out

Query this web service from the foo namespace:

$ kubectl create namespace foo
$ kubectl run --generator=run-pod/v1 test-$RANDOM --namespace=foo --rm -i -t --image=alpine -- sh
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out

It blocks the traffic from the foo namespace!

Any pod in the default namespace should work fine:

$ kubectl run --generator=run-pod/v1 test-$RANDOM --namespace=default --rm -i -t --image=alpine -- sh
/ # wget -qO- --timeout=2 http://web.default
<!DOCTYPE html>
<html>

Cleanup

$ kubectl delete pod web -n default
$ kubectl delete service web -n default
$ kubectl delete networkpolicy deny-from-other-namespaces -n default
$ kubectl delete namespace foo