-
Notifications
You must be signed in to change notification settings - Fork 4
NPRC Deny all non whitelisted traffic to a namespace
Tanveer Alam edited this page Sep 16, 2019
·
2 revisions
Deny all non-whitelisted traffic to a namespace
-
This Policy blocks all cross-pod networking other than the ones whitelisted via the other Network Policies you deploy.
-
This Policy gives you a default
deny allfunctionality. This way, you can clearly identify which components have dependency on which components and deploy other Network Policies which can be translated to dependency graphs between components.
[tan@kmaster ~]$ cat net_policies/default-deny-all.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny-all
namespace: default
spec:
podSelector: {}
ingress: []
Note:
-
namespace: default: deploy this policy to the default namespace. -
podSelector: {}: is empty, this means it will match all the pods. Therefore, the policy will be enforced to ALL the pods in thedefaultnamespace. -
ingress: []: There are noingressrules specified. This causes incoming traffic to be dropped to the selected(=all) pods.- In this case, you can also just omit the
ingressfield, or leave empty likeingress:
- In this case, you can also just omit the
[tan@kmaster ~]$ kubectl apply -f net_policies/default-deny-all.yaml
networkpolicy.networking.k8s.io/default-deny-all created
[tan@kmaster ~]$
[tan@kmaster ~]$ kubectl get netpol -n default
NAME POD-SELECTOR AGE
default-deny-all <none> 17sCleanup
[tan@kmaster ~]$ kubectl delete netpol default-deny-all -n default
networkpolicy.extensions "default-deny-all" deleted