Network Policy Pods with label on all namespaces vs single namespaces

As per my understanding, the podSelector alone is restricted to within a namespace.

  1. The policy below will allow connections from the namespace default and from pods with the label app: admin on the database namespace.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              namespace: default
        - podSelector:
            matchLabels:
              app: admin
  policyTypes:
    - Ingress

  2. The policy below will allow all pods with the label app: admin across all namespaces.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
    - from:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              app: admin
  policyTypes:
    - Ingress

Please correct me if I am wrong.

Hi @lalvinu,

  1. => No
  2. => Yes

The format is important in this case. Let's assume that in the first case the format is as below:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
    name: database.postgres
    namespace: database
spec:
    podSelector:
        matchLabels:
            app: postgres
    ingress:
    - from:
        - namespaceSelector:
            matchLabels:
                namespace: default
        - podSelector:
            matchLabels:
                app: admin
    policyTypes:
        - Ingress

You can see here that in the from array we have two elements, namespaceSelector and podSelector. This means that it allows connections from:

  • any Pod in a namespace with the label namespace: default
    OR
  • any Pod with labels app: admin in namespace database (namespace of the network policy)

Sample:

  • A pod in a namespace with the label default will be authorized whatever the labels of the pod.
  • A pod with the label app:admin in namespace database will be allowed.
  • A pod with the label app:dev in namespace database will not be allowed.
  • A pod in a namespace with the label production will not be allowed.

In the second case:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
    - from:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              app: admin
  policyTypes:
    - Ingress

In this case, we have a different scenario in the from array: we have only one element. It means you need to use an AND instead of an OR.

  • Any pod from any namespace is authorized if the pod’s label is app: admin

But if the from block is a little different, for example:

ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              namespace: default
          podSelector:
            matchLabels:
              app: admin

  • Any pod with the label app: admin and in a namespace with the label namespace: default

I hope that my response will help you. You can also check the official Kubernetes documentation:

Regards

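To make the OR-across-elements / AND-within-an-element rule concrete, here is a small evaluator I added for this thread (it is not code from the original posts and not a Kubernetes library). It models only `namespaceSelector` and `podSelector` with `matchLabels` (no `ipBlock`, no `matchExpressions`); the namespaces, source pods and their labels are constructed for illustration, and it builds all three `from` variants discussed above (the two from the question plus the AND variant from the answer) and checks which of the answer's sample pods each one admits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace labels for a hypothetical cluster (not from the thread).
NAMESPACE_LABELS = {
    "default": {"namespace": "default"},
    "database": {"namespace": "database"},
    "production": {"namespace": "production"},
}


def selector_matches(selector: dict, labels: dict) -> bool:
    """Evaluate a label selector (matchLabels only). An empty selector {} matches everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def peer_matches(peer: dict, src: Pod, policy_ns: str) -> bool:
    """One element of `from`: every selector present in the element must match (AND).
    A podSelector without a namespaceSelector is scoped to the policy's own namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is not None:
        if not selector_matches(ns_sel, NAMESPACE_LABELS.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    if pod_sel is not None and not selector_matches(pod_sel, src.labels):
        return False
    return True


def ingress_allowed(policy: dict, src: Pod, dst: Pod) -> bool:
    """True if this policy admits traffic from src to dst. Elements of `from` are OR-ed."""
    spec = policy["spec"]
    policy_ns = policy["metadata"]["namespace"]
    # A policy only governs pods it selects in its own namespace.
    if dst.namespace != policy_ns or not selector_matches(spec["podSelector"], dst.labels):
        raise ValueError("policy does not select the destination pod")
    for rule in spec.get("ingress", []):
        peers = rule.get("from")
        if not peers:
            return True  # a rule with no `from` admits every source
        if any(peer_matches(peer, src, policy_ns) for peer in peers):
            return True
    return False


def make_policy(from_peers: list) -> dict:
    """Build the database.postgres policy from the thread with the given `from` list."""
    return {
        "metadata": {"name": "database.postgres", "namespace": "database"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "postgres"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": from_peers}],
        },
    }


# Case 1: two elements in `from`, so the selectors are OR-ed.
CASE_TWO_ELEMENTS = make_policy([
    {"namespaceSelector": {"matchLabels": {"namespace": "default"}}},
    {"podSelector": {"matchLabels": {"app": "admin"}}},
])
# Case 2: one element with an empty namespaceSelector, so app=admin in any namespace.
CASE_ALL_NAMESPACES = make_policy([
    {"namespaceSelector": {}, "podSelector": {"matchLabels": {"app": "admin"}}},
])
# Case 3: one element with both selectors populated, so they are AND-ed.
CASE_AND = make_policy([
    {"namespaceSelector": {"matchLabels": {"namespace": "default"}},
     "podSelector": {"matchLabels": {"app": "admin"}}},
])

POSTGRES = Pod("postgres", "database", {"app": "postgres"})
# Constructed source pods covering the samples listed in the answer.
SOURCES = [
    Pod("web-default", "default", {"app": "web"}),
    Pod("admin-default", "default", {"app": "admin"}),
    Pod("admin-database", "database", {"app": "admin"}),
    Pod("dev-database", "database", {"app": "dev"}),
    Pod("admin-production", "production", {"app": "admin"}),
]


def evaluate(policy: dict) -> dict:
    """Map each sample source pod name to whether the policy admits it."""
    return {src.name: ingress_allowed(policy, src, POSTGRES) for src in SOURCES}


if __name__ == "__main__":
    for title, policy in [("two elements (OR)", CASE_TWO_ELEMENTS),
                          ("all namespaces", CASE_ALL_NAMESPACES),
                          ("both selectors (AND)", CASE_AND)]:
        print(title, evaluate(policy))
```

Running it shows the three results side by side: the two-element policy admits every pod in the default namespace and the admin pod in the database namespace, the empty-namespaceSelector policy admits app=admin pods from every namespace including production, and the single-element policy with both selectors admits only app=admin pods in default. The same YAML labels therefore grant very different reach depending only on whether they sit in one list element or two, which is exactly what to double-check when reviewing a policy.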

Thank you @mmkmou for the detailed explanation. This is what I needed. I was aware of the AND / OR operations in an array but was confused when it came to the all-namespaces situation. Once again thanks for the quick response. Happy weekend.
