Zama Ques

Reputation: 1544

ingress and egress traffic between pods in different namespaces

I was trying to test Pod network policies between different Kubernetes namespaces. By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace. Does this also apply between namespaces?

I created a Pod in the default namespace using the command below:

kubectl run myhttpd --image="docker.io/library/nginx:latest" --restart=Never --port 80

Now, from a different namespace, I was trying to access port 80, but it is timing out.

kubectl config set-context --current --namespace=mywebapp
kubectl run myhttpd --rm -it --image=busybox --restart=Never -- /bin/sh
If you don't see a command prompt, try pressing enter.
# wget --spider --timeout=1 100.64.9.198
Connecting to 100.64.9.198 (100.64.9.198:80)
wget: download timed out

Even ping was not responding.

 $ kubectl run myhttpd --rm -it --image=busybox --restart=Never -- /bin/sh
 If you don't see a command prompt, try pressing enter.
 / # ping 100.64.9.198
  PING 100.64.9.198 (100.64.9.198): 56 data bytes
  ^C
  --- 100.64.9.198 ping statistics ---
  11 packets transmitted, 0 packets received, 100% packet loss

So it looks like, by default, all ingress and egress traffic is not allowed between pods in different namespaces.

Can somebody please confirm if my understanding is correct?

Upvotes: 3

Views: 583

Answers (1)

Gabriel Robledo Ahumada

Reputation: 1701

No, that is not correct. By default, if no policies exist, you should be able to communicate between namespaces as they are just meant to group resources and do not enforce any traffic management by themselves.

Are you sure you are pinging the correct IP address? You can get the IP address of the Pod using the command:

kubectl get po -o wide 

Take into consideration that you have changed the namespace for the current context. In this case, you would need to run the command:

kubectl get po -o wide -n default

Also, make sure you do not have any policy in either namespace with the command:

kubectl get networkpolicy

Upvotes: 0
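
Added example, not part of the answer above: a simplified Python model of how ingress NetworkPolicies decide whether the cross-namespace request from the question is admitted, covering the no-policy default and the policies that would explain a timeout. It assumes matchLabels-only selectors and ignores ipBlock and ports; the function names and the sample policies are constructed for illustration.

```python
# Simplified model of Kubernetes NetworkPolicy ingress evaluation.
# Assumptions: matchLabels only (no matchExpressions), no ipBlock, no ports.

def selects(selector, labels):
    """An empty selector ({}) matches every label set."""
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())

def peer_matches(peer, policy_ns, src):
    """src = {"namespace": str, "ns_labels": dict, "pod_labels": dict}"""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is None:  # podSelector alone: only pods in the policy's namespace
        return src["namespace"] == policy_ns and selects(pod_sel, src["pod_labels"])
    if not selects(ns_sel, src["ns_labels"]):
        return False
    return pod_sel is None or selects(pod_sel, src["pod_labels"])

def ingress_allowed(policies, dst, src):
    """policies: NetworkPolicy dicts; dst = {"namespace", "pod_labels"}."""
    applying = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selects(p["spec"].get("podSelector"), dst["pod_labels"])
    ]
    if not applying:
        return True  # pod is not isolated: any namespace may connect
    for p in applying:
        ns = p["metadata"]["namespace"]
        for rule in p["spec"].get("ingress") or []:
            peers = rule.get("from")  # missing/empty "from" admits all sources
            if not peers or any(peer_matches(x, ns, src) for x in peers):
                return True
    return False  # isolated and no rule admits this source

# Constructed sample data using the pod and namespace names from the question.
DST = {"namespace": "default", "pod_labels": {"run": "myhttpd"}}
SRC = {"namespace": "mywebapp", "pod_labels": {"run": "myhttpd"},
       "ns_labels": {"kubernetes.io/metadata.name": "mywebapp"}}
DENY_ALL = {"metadata": {"namespace": "default"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_MYWEBAPP = {"metadata": {"namespace": "default"}, "spec": {
    "podSelector": {"matchLabels": {"run": "myhttpd"}},
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
        "kubernetes.io/metadata.name": "mywebapp"}}}]}]}}
```

With no policies the model admits the request, so a timeout in that state points to something other than namespace isolation, such as a wrong Pod IP.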
