NPRC Deny traffic from other namespaces

Tanveer Alam edited this page Sep 18, 2019 · 4 revisions

DENY all traffic from other namespaces (LIMIT traffic to the current namespace)

Create a new namespace called secondary and start a web service:

[tan@kmaster ~]$ kubectl create namespace secondary
namespace/secondary created

[tan@kmaster ~]$ kubectl get namespaces
NAME              STATUS   AGE
default           Active   40h
kube-node-lease   Active   40h
kube-public       Active   40h
kube-system       Active   40h
secondary         Active   26s
[tan@kmaster ~]$ kubectl run web --namespace secondary --image=nginx --labels=app=web --expose --port 80
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
service/web created
deployment.apps/web created
[tan@kmaster ~]$ 
[tan@kmaster ~]$ 
[tan@kmaster ~]$ kubectl get all -n secondary
NAME                       READY   STATUS    RESTARTS   AGE
pod/web-7bdd685f58-5xgr4   1/1     Running   0          35s


NAME          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/web   ClusterIP   10.103.12.118   <none>        80/TCP    36s


NAME                  READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/web   1/1     1            1           36s

NAME                             DESIRED   CURRENT   READY   AGE
replicaset.apps/web-7bdd685f58   1         1         1       35s
[tan@kmaster ~]$ cat net_policies/deny-from-other-namespaces.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: secondary
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
[tan@kmaster ~]$ kubectl apply -f net_policies/deny-from-other-namespaces.yaml 
networkpolicy.networking.k8s.io/deny-from-other-namespaces created

Trying from default namespace:

[tan@kmaster ~]$ kubectl run --generator=run-pod/v1 test-$RANDOM --namespace=default --rm -it --image=alpine -- sh
If you don't see a command prompt, try pressing enter.

/ # wget -qO- --timeout=2 http://web.secondary
wget: download timed out

Trying within secondary namespace:

[tan@kmaster ~]$ kubectl run --generator=run-pod/v1 test-$RANDOM --namespace=secondary --rm -it --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
# web or web.secondary
/ # wget -qO- --timeout=2 http://web.secondary
<!DOCTYPE html>
<html>
<head>

Delete network policy and try again:

[tan@kmaster ~]$ kubectl delete netpol deny-from-other-namespaces -n secondary
networkpolicy.extensions "deny-from-other-namespaces" deleted

To access the application from another namespace we have to use web.secondary (the service name qualified with its namespace) as the hostname; the bare name web only resolves inside the secondary namespace.

[tan@kmaster ~]$ kubectl run --generator=run-pod/v1 test-$RANDOM --namespace=default --rm -it --image=alpine -- sh
If you don't see a command prompt, try pressing enter.

/ # wget -qO- --timeout=2 http://web
wget: bad address 'web'
/ # wget -qO- --timeout=2 http://web.secondary
<!DOCTYPE html>
<html>
<head>

  • namespace: secondary deploys the policy to the secondary namespace.
  • It applies the policy to ALL pods in the secondary namespace, as spec.podSelector.matchLabels is empty and therefore selects all pods.
  • It allows traffic only from pods in the secondary namespace: spec.ingress.from.podSelector is empty and therefore selects ALL pods, and a podSelector without a namespaceSelector only ever matches pods in the policy's own namespace, so pods in other namespaces are denied.
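To make the selector rules above mechanical, here is an added Python example (not part of the original page) that summarizes a NetworkPolicy's ingress rules from the JSON that `kubectl get netpol -n secondary -o json` returns; the policy object is constructed inline to mirror the page's YAML. It also covers variants the page does not show (an ingress rule with no `from`, a `namespaceSelector: {}`, an empty ingress list, policyTypes without Ingress), which is where the "deny other namespaces" intent is usually lost.

```python
import json

# Constructed JSON mirroring the page's YAML, in the shape `kubectl get netpol -o json` returns.
DENY_FROM_OTHER_NAMESPACES = json.loads("""{"apiVersion": "networking.k8s.io/v1",
  "kind": "NetworkPolicy", "metadata": {"name": "deny-from-other-namespaces", "namespace": "secondary"},
  "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]}}""")


def selector_text(sel):
    """An empty selector (or a null matchLabels, as in the page's YAML) matches everything."""
    labels = (sel or {}).get("matchLabels") or {}
    exprs = (sel or {}).get("matchExpressions") or []
    parts = [f"{k}={v}" for k, v in labels.items()] + [f"{e['key']} {e['operator']}" for e in exprs]
    return ", ".join(parts) or "all"


def describe_peer(peer):
    """Explain one entry of an ingress rule's 'from' list."""
    if "ipBlock" in peer:
        return f"ipBlock {peer['ipBlock'].get('cidr')}"
    pods = selector_text(peer.get("podSelector"))  # an absent podSelector means all pods
    if "namespaceSelector" not in peer:  # podSelector alone is scoped to the policy's own namespace
        return f"pods [{pods}] in the policy's own namespace"
    return f"pods [{pods}] in namespaces [{selector_text(peer['namespaceSelector'])}]"


def ingress_summary(policy):
    """One line per ingress rule; an absent or empty ingress list denies all ingress."""
    spec = policy["spec"]
    # policyTypes defaults to Ingress, plus Egress when an egress section is present
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Ingress" not in types:
        return ["ingress not governed by this policy"]
    rules = spec.get("ingress") or []
    if not rules:
        return ["deny all ingress"]
    return ["allow from " + (" OR ".join(describe_peer(p) for p in rule["from"])
                             if rule.get("from") else "any source") for rule in rules]


def allows_cross_namespace(policy):
    """True if some ingress rule of this policy can admit traffic from outside its namespace."""
    if ingress_summary(policy) in (["deny all ingress"], ["ingress not governed by this policy"]):
        return False  # this policy itself admits nothing from other namespaces
    for rule in policy["spec"].get("ingress") or []:
        if not rule.get("from"):  # a rule without 'from' admits any source, other namespaces included
            return True
        if any("ipBlock" in p or "namespaceSelector" in p for p in rule["from"]):
            return True
    return False
```

Run it against a live cluster by replacing the constructed object with `json.load` over the output of the kubectl command named in the lead-in.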

Cleanup:

[tan@kmaster ~]$ kubectl delete deployment,service web -n secondary
deployment.extensions "web" deleted
service "web" deleted

[tan@kmaster ~]$ kubectl delete namespace secondary
namespace "secondary" deleted