Srinivas Padala:
Hello, How can we put default-deny ingress policy for particular namespace ? Say I have namespace ns1 for which I want to block the ingress traffic .
Only block from specific namespace, not all namespaces
Ansuman Roy:
yes a network policy is a namespaced resource. It's deployed to your namespace. For your situation deploy the netpol into namespace ns1
Srinivas Padala:
Yes… It will apply to pods in the specific namespace.
But here my Q, I want to block traffic for a namespace, Not allow
Do you have any spec that answer my Q
Srinivas Padala:
This is allowing traffic for all pods in the default namespace and expecting default-deny-all policy right ? like default-deny-all-namespaces
https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
mjv:
check that repo for more info and examples
also, keep in mind that there are no deny rules, only allow, but if you specify empty rules which are mapped to specific pods you are emulating a deny rule
mjv:
Here are some NetworkPolicies gotchas:
- An empty selector will match everything. For example spec.podSelector: {} will apply the policy to all pods in the current namespace.
- Selectors can only select Pods that are in the same namespace as the NetworkPolicies. E.g. spec.podSelector of an ingress rule can only select pods in the same namespace the NetworkPolicy is deployed to.
- If no NetworkPolicies target a pod, all traffic to and from the pod is allowed. In other words all traffic is allowed until a policy is applied.
- There are no deny rules in NetworkPolicies. NetworkPolicies are deny by default, allow explicitly. It's the same as saying "If you're not on the list you can't get in."
- If a NetworkPolicy matches a pod but has a null rule, all traffic is blocked. Example of this is a "Deny all traffic policy".
spec:
  podSelector:
    matchLabels:
      ...
  ingress: []
- Rules are chained together. NetworkPolicies are additive. If multiple NetworkPolicies are selecting a pod, their union is evaluated and applied to that pod.
from https://github.com/ahmetb/kubernetes-network-policy-recipes#networkpolicy-crash-course
Srinivas Padala:
Yeah, thanks! I looked at all the policies there… Just checking if there is any straightforward policy to deny a specific namespace
Ansuman Roy:
this is a deny all policy
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
Ansuman Roy:
from the link: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
Note that the ingress doesn't have any rules, hence it's a deny all policy
Srinivas Padala:
This will deny from all namespaces, not just single namespace
Srinivas Padala:
https://kodekloud.slack.com/archives/C01CWHSPLQ5/p1669806733903629?thread_ts=1669805580.690819&cid=C01CWHSPLQ5
Ansuman Roy:
this will deny all ingress calls to “this namespace” pods
Ansuman Roy:
why don't you spin a few pods and try this out yourself?
Srinivas Padala:
I did know the above policy works for all namespaces (denies from all namespaces). My question: how can we deny a particular namespace?
Ansuman Roy:
you just allow all the namespaces you want in the ingress rules and exclude the namespace you don't want
Srinivas Padala:
Okay
Srinivas Padala:
Thanks
Ansuman Roy:
@Srinivas Padala, I have created a netpol for you to test out. This policy allows only the namespaces you have mentioned here. Don’t forget to label your namespaces before applying this
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-selected-network-policy
  namespace: ns1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: ns2
    - namespaceSelector:
        matchLabels:
          namespace: ns3
    - namespaceSelector:
        matchLabels:
          namespace: ns4
    - namespaceSelector:
        matchLabels:
          namespace: ns5
Ansuman Roy:
this will disallow other namespaces which don't match the label. Example: default