Patric

Reputation: 69

How to make a Kubernetes deployment accessible only from a specific deployment?

I have two Kubernetes deployments (DeploymentA and DeploymentB) and I am wondering whether there is a way to whitelist all incoming traffic from DeploymentB in DeploymentA, so that DeploymentA can be accessed only via DeploymentB.

A ClusterIP service can be used to access deployments for internal communication in Kubernetes, but how can I whitelist all the requests coming from a specific deployment (or its pods) in another deployment? Is there a way, for example, to get all possible IP addresses of the pods of a specific deployment in order to whitelist them?

Edit 1:

I have a web application which is open to the Internet, but a specific part of it has to be accessible only from a specific deployment. To implement that, I need to specify the IP addresses, or somehow the names, of the deployments which should have access.

Thank you!

Upvotes: 0

Views: 691

Answers (2)

DBSand

Reputation: 750

The network policy below should help allow traffic only from the pods of a specific deployment (depA) to the depB pods, since your question is specifically about routing traffic from deployment to deployment; it will also allow traffic back to the Internet, since we have an egress rule that allows traffic out on UDP and TCP.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo-allow-to-hello
spec:
  policyTypes:
  - Ingress
  - Egress
  # Applies to the pods of depB (matched on the pod label, not the Deployment name)
  podSelector:
    matchLabels:
      app: depB
  ingress:
  # Only pods labelled app=depA may open connections to the depB pods
  - from:
    - podSelector:
        matchLabels:
          app: depA
  egress:
  # depB pods may talk to the depA pods ...
  - to:
    - podSelector:
        matchLabels:
          app: depA
  # ... and to DNS on port 53 (UDP and TCP), which they need for name resolution
  - ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53

Please note that to enforce the above policy, the pods inside your deployments should be labelled accordingly. The deployment below will work with the above policy; do note that the labels on the pod are the same as those mentioned in the policy.

controllers/nginx-deployment.yaml 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: deploymentA
spec:
  replicas: 3
  selector:
    matchLabels:
      app: depA
  template:
    metadata:
      # These pod-template labels are what the NetworkPolicy's podSelector matches
      labels:
        app: depA
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

Upvotes: 0

hoque

Reputation: 6471

You can use a NetworkPolicy.

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints.

NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods.

Upvotes: 1
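The NetworkPolicy approach that both answers describe, written out for the direction the question actually asks for (DeploymentA reachable only from DeploymentB). This is an added example, not code from either answer. It assumes the pods of the two deployments carry the labels app: depA and app: depB, that both live in the namespace default, and that DeploymentA listens on TCP port 80; all three are assumptions.

```yaml
# Added example (assumed labels app=depA / app=depB, namespace "default", port 80).
# Selects DeploymentA's pods and allows inbound connections only from
# DeploymentB's pods. Because the selected pods are now covered by a policy
# whose policyTypes includes Ingress, any inbound connection that matches no
# rule is dropped, so no explicit deny rule and no list of pod IPs is needed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: depa-allow-from-depb-only
  namespace: default
spec:
  # Target: the pods of DeploymentA, matched on the pod-template label
  podSelector:
    matchLabels:
      app: depA
  policyTypes:
  - Ingress            # only inbound traffic is restricted; egress stays open
  ingress:
  - from:
    # Pods labelled app=depB in this namespace. If DeploymentB runs in another
    # namespace, add a namespaceSelector alongside this podSelector.
    - podSelector:
        matchLabels:
          app: depB
    ports:
    - protocol: TCP
      port: 80         # assumed port of DeploymentA's container
```

Two caveats before relying on it. First, the API server accepts NetworkPolicy objects on any cluster, but they are only enforced when the network plugin implements them (Calico, Cilium and Weave Net do; a plugin without policy support silently ignores the object), so verify the effect: `kubectl run probe --rm -it --image=busybox -- wget -qO- --timeout=3 http://<depA-service>` should time out from an unlabelled pod, while the same command run with `kubectl run probe --labels=app=depB ...` should succeed. Second, a NetworkPolicy works at the IP/port level, so it cannot expose one URL path of the same pod to the Internet and hide another: the part that must be private has to be its own Deployment (or at least its own container port) for a policy like this one to target, and if the rest of the application stays public the policy must also admit traffic from the ingress controller or load balancer, otherwise it is cut off too.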
