
NPRC ALLOW all traffic from a Namespace

Tanveer Alam edited this page Sep 19, 2019 · 3 revisions

Allow all traffic from a Namespace

Allow ingress to a pod only from pods that live in namespaces carrying a chosen label, using the namespaceSelector of a NetworkPolicy. First create a web deployment and service in the default namespace:

[tan@kmaster ~]$ kubectl run web --image=nginx --labels=app=web --expose --port 80
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
service/web created
deployment.apps/web created

Let's create two more namespaces and label them (the label, not the namespace name, is what the policy below will match on):

  • prod: for production workloads, labelled purpose=production.
  • dev: for dev/test workloads, labelled purpose=testing.
[tan@kmaster ~]$ kubectl create namespace dev
namespace/dev created
[tan@kmaster ~]$ kubectl label namespace dev purpose=testing
namespace/dev labeled
[tan@kmaster ~]$ kubectl create namespace prod
namespace/prod created
[tan@kmaster ~]$ kubectl label namespace prod purpose=production
namespace/prod labeled

Now let's allow ingress to the web pod only from namespaces that have the label purpose=production (web-allow-prod.yaml). Note that a NetworkPolicy is namespaced: this one is created in default, where the web pod lives, and its podSelector matches app=web there. As soon as a pod is selected by any NetworkPolicy, every ingress connection that is not explicitly allowed is dropped, so this policy also cuts off pods in the default namespace itself, and pods in dev. Enforcement needs a CNI plugin that implements NetworkPolicy (Calico, Cilium, Weave Net and similar); on a cluster without one the object is accepted by the API server but has no effect, which is why the test below matters.

[tan@kmaster ~]$ cat net_policies/web-allow-prod.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-prod
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: production
[tan@kmaster ~]$ kubectl apply -f net_policies/web-allow-prod.yaml
networkpolicy.networking.k8s.io/web-allow-prod created

Try to reach the web pod (in the default namespace) from a throwaway pod in the dev namespace; the request should time out:

[tan@kmaster ~]$ kubectl run test-$RANDOM --rm -it --namespace=dev --image=alpine -- sh
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
If you don't see a command prompt, try pressing enter.
/ # 
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out
/ # exit
Session ended, resume using 'kubectl attach test-6592-cfb55f88b-pdn27 -c test-6592 -i -t' command when the pod is running
deployment.apps "test-6592" deleted

Now let's try the same from the prod namespace; this time the request should succeed:

[tan@kmaster ~]$ kubectl run test-$RANDOM --rm -it --namespace=prod --image=alpine -- sh
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
If you don't see a command prompt, try pressing enter.
/ # 
/ # wget -qO- --timeout=2 http://web.default
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
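The policy above selects on a namespace label alone, which has two consequences a reviewer would flag. First, the label is the trust boundary: anyone with RBAC permission to label or patch namespaces can mark another namespace purpose=production and reach the web pod, so lock that verb down (on clusters running Kubernetes 1.22 or later, the automatically set and immutable label kubernetes.io/metadata.name is a safer thing to match). Second, only app=web is protected; every other pod in default is still reachable from anywhere. The manifest below is an added example, not from the original page: it pairs the allow-rule with a default-deny policy, narrows it to a specific pod label and port, and shows the easy-to-miss difference between AND and OR when combining namespaceSelector with podSelector. The role=frontend label and the TCP/80 port are assumptions for illustration.

```yaml
# Added example (not part of the original page). Three NetworkPolicies for
# the default namespace; apply with: kubectl apply -f web-allow-prod-v2.yaml
#
# 1. Default-deny ingress for the whole namespace, so pods that have no
#    dedicated allow-policy are not left wide open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed => nothing is allowed in
---
# 2. Allow only pods labelled role=frontend (assumed label) in namespaces
#    labelled purpose=production, and only on TCP/80. namespaceSelector and
#    podSelector sit in ONE `from` element, so both must match (AND).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-prod-frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: production
      podSelector:           # no leading "-": same element => AND
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
---
# 3. PITFALL, shown for contrast only. A leading "-" before podSelector makes
#    it a SECOND `from` element, so the rule becomes OR: any pod in any
#    purpose=production namespace, PLUS any pod labelled role=frontend in the
#    *default* namespace (a podSelector on its own is scoped to the policy's
#    own namespace). Do not ship this one by accident.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-prod-or-frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: production
    - podSelector:           # leading "-": separate element => OR
        matchLabels:
          role: frontend
```

After applying, `kubectl describe netpol web-allow-prod-frontend` prints the rule under "Allowing ingress traffic" with the two selectors on a single "From" entry, while the OR variant lists two separate "From" entries; that describe output is the quickest way to catch the indentation slip in review. Repeat the wget test from dev and prod as above, and additionally from a prod pod without the role=frontend label, which should now time out under policy 2 but succeed under policy 3.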

Cleanup:

[tan@kmaster ~]$ kubectl delete deployment,service web
deployment.extensions "web" deleted
service "web" deleted

[tan@kmaster ~]$ kubectl delete namespace {dev,prod}
namespace "dev" deleted
namespace "prod" deleted

[tan@kmaster ~]$ kubectl delete netpol web-allow-prod
networkpolicy.extensions "web-allow-prod" deleted