
NPRC ALLOW traffic to an application from all namespaces

Tanveer Alam edited this page Sep 19, 2019 · 3 revisions

ALLOW traffic to an application from all namespaces

This NetworkPolicy will allow traffic from all pods in all namespaces to a particular application.

[tan@kmaster ~]$ kubectl create namespace secondary
namespace/secondary created
[tan@kmaster ~]$ kubectl run web --image=nginx \
> --namespace secondary \
> --labels=app=web --expose --port 80
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
service/web created
deployment.apps/web created
[tan@kmaster ~]$ cat net_policies/web-allow-all-namespaces.yaml 
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: secondary
  name: web-allow-all-namespaces
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
    - from:
      - namespaceSelector: {}
[tan@kmaster ~]$ kubectl apply -f net_policies/web-allow-all-namespaces.yaml 
networkpolicy.networking.k8s.io/web-allow-all-namespaces created
[tan@kmaster ~]$ kubectl run test-$RANDOM --namespace=default --rm -it --image=alpine -- sh
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
^C[tan@kmaster ~]$ kubectl run --generator=run-pod/v1 test-$RANDOM --namespace=default --namespace=default --rm -it --image=alpine -- sh

/ # wget -qO- --timeout=2 http://web
wget: bad address 'web'
/ # wget -qO- --timeout=2 http://web.secondary
<!DOCTYPE html>
<html>

  • Applies the policy only to pods with the label app: web within the secondary namespace.
  • Selects all pods in all namespaces (namespaceSelector: {}).
  • By default, if you omit the namespaceSelector, it does not select any namespaces, which means traffic is allowed only from the namespace the NetworkPolicy is deployed to.

Note: Dropping all selectors from the spec.ingress.from item has the same effect of matching all pods in all namespaces, e.g.:

...
  ingress:
    - from:

But it is preferred to provide the full manifest with a clear expression of intent.
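
The selection rules from the bullets and the note above, modelled as an added Python sketch (not part of the original wiki page and not Kubernetes code). The helper names, the same-namespace variant and the test pod labels are constructed for illustration; only matchLabels is modelled.

```python
# Added sketch: how one ingress rule's `from` peers select source pods.
# Only matchLabels is modelled; matchExpressions, ipBlock and ports are not.

def selector_matches(selector, labels):
    """An empty selector ({}) matches everything; matchLabels are ANDed."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_matches(peer, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    ns_sel = peer.get("namespaceSelector")   # None: key absent from the peer
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                          # e.g. ipBlock-only peer, not modelled
    if ns_sel is None:
        # podSelector alone only ever selects pods in the policy's namespace.
        return src_ns == policy_ns and selector_matches(pod_sel, src_pod_labels)
    if not selector_matches(ns_sel, src_ns_labels):
        return False
    # namespaceSelector alone selects every pod in the matched namespaces.
    return pod_sel is None or selector_matches(pod_sel, src_pod_labels)

def ingress_allows(policy, src_ns, src_ns_labels, src_pod_labels):
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress") or []:
        peers = rule.get("from")
        if not peers:                         # `from` missing or empty: all sources
            return True
        if any(peer_matches(p, policy_ns, src_ns, src_ns_labels, src_pod_labels)
               for p in peers):
            return True
    return False

def make_policy(from_peers):
    """The page's manifest with a swappable `from` list (None = `- from:`)."""
    return {"metadata": {"namespace": "secondary", "name": "web-allow-all-namespaces"},
            "spec": {"podSelector": {"matchLabels": {"app": "web"}},
                     "ingress": [{"from": from_peers}]}}

ALL_NAMESPACES = make_policy([{"namespaceSelector": {}}])   # as on the page
SAME_NAMESPACE = make_policy([{"podSelector": {}}])         # constructed variant
NO_SELECTORS = make_policy(None)                            # the Note's short form

if __name__ == "__main__":
    client = {"run": "test"}                  # constructed labels for a test pod
    for name, pol in [("all namespaces", ALL_NAMESPACES),
                      ("same namespace", SAME_NAMESPACE),
                      ("no selectors", NO_SELECTORS)]:
        print(name, "| from default:", ingress_allows(pol, "default", {}, client),
              "| from secondary:", ingress_allows(pol, "secondary", {}, client))
```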


Cleanup

[tan@kmaster ~]$ kubectl delete service,deployment web -n secondary
service "web" deleted
deployment.extensions "web" deleted

[tan@kmaster ~]$ kubectl delete namespace secondary
namespace "secondary" deleted