ahmetb / kubernetes-network-policy-recipes

Example recipes for Kubernetes Network Policies that you can just copy paste


ALLOW traffic inside the namespace and the LoadBalancer

ehernandez-xk opened this issue · comments

commented

Hi everyone

I'm trying to configure the network policy (or policies) to allow traffic only within the same namespace and access from the LoadBalancer.

  • AWS cluster
  • Calico 2.4.1
  • K8s 1.7.4

I tried many approaches, for example:

kind: Namespace
apiVersion: v1
metadata:
  name: nginx-test
  labels:
    role: nginx-test

---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-server
  namespace: nginx-test
  labels:
    app: nginx-server
spec:
  containers:
    - name: nginx-server
      image: nginx:1.12-alpine
      ports:
        - containerPort: 80
          protocol: TCP

---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: nginx-test
  labels:
    app: nginx-server
spec:
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: nginx-server
  type: LoadBalancer

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-allow
  namespace: nginx-test
spec:
  # applies to the nginx-server pod; once selected, the pod only accepts
  # ingress that matches one of the rules below
  podSelector:
    matchLabels:
      app: nginx-server
  ingress:
    - from:
      # peers are ORed: any pod in a namespace labelled role=nginx-test ...
      - namespaceSelector:
          matchLabels:
            role: nginx-test
      # ... or any pod labelled app=nginx-server in this policy's namespace
      - podSelector:
          matchLabels:
            app: nginx-server
      ports:
        - protocol: TCP
          port: 80

After the above config, the load balancer is OutOfService.

It seems that I need to add external access to the pod, and this means access from other namespaces.
Any idea?

btw, thanks for this awesome tutorial.

According to my understanding you want to allow only (1) external traffic (2) traffic from the same namespace.

You can't allow external traffic while restricting SOME internal traffic.

  ingress:
  - from: []

will allow the pod to accept all internal/external traffic, and you only need this if there's another NetworkPolicy denying such traffic to the pod.

Does this help?
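To make the point of the reply concrete, here is an added example (not from the issue or the recipes repo) that models how the ingress side of a NetworkPolicy is evaluated: peers in a `from` list are ORed, a `podSelector` on its own is scoped to the policy's namespace, and an empty or missing `from` matches every source. The two policies are transcribed from the issue; the client pods are constructed sample data, and the model is deliberately simplified (matchLabels only, no ipBlock, matchExpressions, egress or merging of several policies).

```python
"""Simplified model of Kubernetes NetworkPolicy ingress evaluation (illustrative only)."""

# A source that is not a pod (e.g. a client arriving through the LoadBalancer):
# it carries no namespace or pod labels, so no selector can ever match it.
EXTERNAL = None


def labels_match(selector, labels):
    """matchLabels semantics: every key/value in the selector must be on the object.
    An empty selector ({} or no matchLabels) matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, source, policy_ns):
    """Does one entry of a 'from' list admit `source`?"""
    if source is EXTERNAL:
        return False  # nothing to match labels against
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # defensive: a peer with no selector admits nothing here
    if ns_sel is not None:
        if not labels_match(ns_sel, source["namespace_labels"]):
            return False
    elif source["namespace"] != policy_ns:
        return False  # podSelector alone only covers the policy's own namespace
    if pod_sel is not None and not labels_match(pod_sel, source["pod_labels"]):
        return False
    return True


def port_matches(rule, port, protocol):
    """No 'ports' list means the rule covers every port."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in ports)


def ingress_allowed(policy, source, port, protocol="TCP"):
    """True if `policy` (assumed to select the destination pod) admits the connection.
    Rules are ORed; inside a rule the peers are ORed and ANDed with the ports.
    An empty or missing 'from' matches all sources; no rules at all denies everything."""
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        if not port_matches(rule, port, protocol):
            continue
        peers = rule.get("from")
        if not peers:  # None or [] -> every source, including external clients
            return True
        if any(peer_matches(p, source, policy_ns) for p in peers):
            return True
    return False


# Transcribed from the NetworkPolicy posted in the issue.
ISSUE_POLICY = {
    "metadata": {"name": "nginx-allow", "namespace": "nginx-test"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx-server"}},
        "ingress": [{
            "from": [
                {"namespaceSelector": {"matchLabels": {"role": "nginx-test"}}},
                {"podSelector": {"matchLabels": {"app": "nginx-server"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}

# The `from: []` variant from the reply: same pod selected, all sources admitted.
ALLOW_ALL_POLICY = {
    "metadata": {"name": "nginx-allow-all", "namespace": "nginx-test"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx-server"}},
        "ingress": [{"from": []}],
    },
}

# Constructed sample sources (hypothetical pods, not from the issue).
SAME_NS_POD = {"namespace": "nginx-test",
               "namespace_labels": {"role": "nginx-test"},
               "pod_labels": {"app": "client"}}
OTHER_NS_POD = {"namespace": "team-b",
                "namespace_labels": {"role": "team-b"},
                "pod_labels": {"app": "nginx-server"}}
LB_CLIENT = EXTERNAL


def summarize(policy):
    """Outcome of each sample source against `policy` on port 80."""
    return {
        "same-namespace pod": ingress_allowed(policy, SAME_NS_POD, 80),
        "other-namespace pod": ingress_allowed(policy, OTHER_NS_POD, 80),
        "LoadBalancer client": ingress_allowed(policy, LB_CLIENT, 80),
    }


if __name__ == "__main__":
    for name, pol in (("issue policy", ISSUE_POLICY), ("from: []", ALLOW_ALL_POLICY)):
        print(name, summarize(pol))
```

Running it shows the trade-off in the reply: the issue's policy admits the same-namespace pod but not the LoadBalancer client (an external source never matches a label selector), while `from: []` admits the LoadBalancer client only by admitting every other source as well.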

commented

I understood, I think. That means this is not possible! :\
My idea was to isolate each namespace, but a namespace contains services (type=LoadBalancer).

Yeah, I found out about this while developing it.

If you think about it, allowing public access while restricting internal access doesn't make much sense. ¯\_(ツ)_/¯