problem in isolating specific pods using network policy from other namespaces

Question

I have the following pods in the default namespace:

web-test-pod-01             1/1     Running   0              19m   app=web-test-pod-01
web-test-pod-02             1/1     Running   0              18m   app=web-test-pod-02

And in another namespace called devwebapp I have the following

NAME            READY   STATUS    RESTARTS   AGE   LABELS
pod/webapp-01   1/1     Running   0          47m   run=webapp-01

NAME                    TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE   LABELS
service/svc-webapp-01   ClusterIP   10.109.4.169           80/TCP    46m   run=webapp-01

I also have network policy called np-webapp-01 and its yaml descriptor:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-webapp-01
  namespace: devwebapp
spec:
  podSelector:
    matchLabels:
      run: webapp-01
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
        - podSelector:
            matchLabels:
              app: web-test-pod-01
      ports:
        - protocol: TCP
          port: 80

I am trying to allow only the pod web-test-pod-01 in default namespace to access the svc-webapp-01 service but at the moment all pods in default namespace can access it.

$ k exec web-test-pod-01 -- curl -I svc-webapp-01.devwebapp.svc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0HTTP/1.1 200 OK 0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   615    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Server: nginx/1.23.4
Date: Thu, 18 May 2023 08:32:34 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT
Connection: keep-alive
ETag: "64230162-267"
Accept-Ranges: bytes

The following pod should not be able to access the service but as of now it can reach it!

$ k exec web-test-pod-02 -- curl -I svc-webapp-01.devwebapp.svc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 200 OK
  0   615    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Server: nginx/1.23.4
Date: Thu, 18 May 2023 08:33:21 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT
Connection: keep-alive
ETag: "64230162-267"
Accept-Ranges: bytes

I am not sure why podSelector in the network policy is not taking effect.

Srividya · Accepted Answer

In network policy for selecting pod and namespace we have two conditions . You can find them in this git link.

This example below is OR condition(policy is enforced based on namespaceSelector or podSelector)

ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            team: operations
      - podSelector:           
          matchLabels:
            type: monitoring

You have used the above condition.

while this example is AND condition

ingress:
    - from:
      - namespaceSelector:     
          matchLabels:
            team: operations
        podSelector:          
          matchLabels:
            type: monitoring

Can you try the ‘AND’ condition and let me know if this works.

Attaching a blog written by Ashish Choudhary for reference.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
 name: np-webapp-01
 namespace: devwebapp
spec:
 podSelector: {}
 policyTypes:
   - Ingress
 ingress:
   - from:
       - namespaceSelector:
           matchLabels:
             kubernetes.io/metadata.name: default
         podSelector:
           matchLabels:
             app: web-test-pod-01
     ports:
       - port: 80

problem in isolating specific pods using network policy from other namespaces

Answers (2)

Related Questions