This policy is similar to allowing traffic from all namespaces but shows how you can choose particular namespaces.
Use Case:
- Restrict traffic to a production database only to namespaces where production workloads are deployed.
- Enable monitoring tools deployed to a particular namespace to scrape metrics from the current namespace.
Run a web server in the default namespace:

```
kubectl run web --image=nginx --labels=app=web --expose --port 80
```
Now, suppose you have these three namespaces:

- default: (installed by Kubernetes) This is where your API is deployed.
- prod: Other production workloads run here. This has label purpose=production.
- dev: This is your dev/test area. This has label purpose=testing.
Create the prod and dev namespaces:

```
kubectl create namespace dev
kubectl label namespace/dev purpose=testing
kubectl create namespace prod
kubectl label namespace/prod purpose=production
```
The following manifest restricts ingress to the app=web pods so that only pods in namespaces carrying the label purpose=production can reach them. Note that matching is exact (purpose=prod does not match) and that the policy's own namespace, default, is not admitted unless it carries the label or you add a separate podSelector peer. Because access is keyed on a namespace label, anyone permitted to label namespaces can grant themselves access, so restrict that RBAC verb accordingly. Save the manifest to web-allow-prod.yaml and apply it to the cluster:

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-prod
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: production
```

```
$ kubectl apply -f web-allow-prod.yaml
networkpolicy "web-allow-prod" created
```
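To see exactly which namespaces a namespaceSelector admits before you apply a policy to a production database, it helps to evaluate the selector rules yourself. The following is an added example, not code from the recipe: it re-implements the Kubernetes LabelSelector semantics (matchLabels, matchExpressions, the empty selector) and the "peers are ORed, a bare podSelector peer means the policy's own namespace" rule, then runs the web-allow-prod manifest against a constructed set of namespace label maps. The namespaces (including a mislabelled "staging" with purpose=prod), the second variant policy that also admits the local namespace, and the function names are assumptions made for the example; nothing here talks to a cluster.

```python
"""Which namespaces does a NetworkPolicy admit?

Added example, not part of the recipe: a stand-alone re-implementation of the
Kubernetes label-selector rules (matchLabels, matchExpressions, the empty
selector) applied to constructed namespace label sets. It talks to no cluster.
"""
from typing import Dict, List

Labels = Dict[str, str]

# The web-allow-prod manifest from the recipe, expressed as a dict.
WEB_ALLOW_PROD = {
    "kind": "NetworkPolicy",
    "apiVersion": "networking.k8s.io/v1",
    "metadata": {"name": "web-allow-prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": {"purpose": "production"}}}]},
        ],
    },
}

# Constructed namespaces (assumption). "staging" carries purpose=prod to show
# that matchLabels compares the whole value, not a prefix.
NAMESPACES: Dict[str, Labels] = {
    "default": {},
    "prod": {"purpose": "production"},
    "dev": {"purpose": "testing"},
    "staging": {"purpose": "prod"},
}


def selector_matches(selector: dict, labels: Labels) -> bool:
    """LabelSelector semantics: all matchLabels pairs and all matchExpressions
    must hold (AND). The empty selector {} matches every object."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for req in selector.get("matchExpressions", []):
        key, op = req["key"], req["operator"]
        values = req.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def admitted_namespaces(policy: dict, policy_namespace: str,
                        namespaces: Dict[str, Labels]) -> List[str]:
    """Namespaces from which at least one pod may reach the selected pods.

    Peers listed under one 'from' are ORed. A peer without a namespaceSelector
    (podSelector only) is limited to the policy's own namespace. A rule whose
    'from' is empty or missing admits every source. ipBlock peers are skipped
    because they are CIDRs, not namespaces. For a combined namespaceSelector +
    podSelector peer only the namespace half is evaluated, so the namespace is
    reported as reachable for some pod in it.
    """
    admitted = set()
    for rule in policy["spec"].get("ingress", []):
        peers = rule.get("from") or []
        if not peers:
            return sorted(namespaces)
        for peer in peers:
            if "ipBlock" in peer:
                continue
            ns_sel = peer.get("namespaceSelector")
            if ns_sel is None:
                admitted.add(policy_namespace)
                continue
            for name, labels in namespaces.items():
                if selector_matches(ns_sel, labels):
                    admitted.add(name)
    return sorted(admitted)


# Variant (assumption, not in the recipe): also admit the policy's own
# namespace by adding a second peer with a bare podSelector. Peers are ORed.
WEB_ALLOW_PROD_AND_LOCAL = {
    "kind": "NetworkPolicy",
    "apiVersion": "networking.k8s.io/v1",
    "metadata": {"name": "web-allow-prod-and-local"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "ingress": [{"from": [
            {"namespaceSelector": {"matchLabels": {"purpose": "production"}}},
            {"podSelector": {}},   # any pod in the policy's own namespace
        ]}],
    },
}

if __name__ == "__main__":
    for pol in (WEB_ALLOW_PROD, WEB_ALLOW_PROD_AND_LOCAL):
        print(pol["metadata"]["name"], "admits:",
              admitted_namespaces(pol, "default", NAMESPACES))
```

Running it shows web-allow-prod admitting only prod (not default, dev, or the mislabelled staging), while the variant with the extra bare podSelector peer admits default as well. The same distinction matters in the other direction: putting podSelector and namespaceSelector in one peer ANDs them, so a stray "- " in the YAML turns an AND into an OR and widens access.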
Query this web server from the dev namespace and observe that it is blocked:

```
$ kubectl run test-$RANDOM --namespace=dev --rm -i -t --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out
```

(traffic blocked)
Query it from the prod namespace and observe that it is allowed:

```
$ kubectl run test-$RANDOM --namespace=prod --rm -i -t --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
<!DOCTYPE html>
<html>
<head>
...
```

(traffic allowed)
Cleanup:

```
kubectl delete networkpolicy web-allow-prod
kubectl delete pod web
kubectl delete service web
kubectl delete namespace {prod,dev}
```