networkpolicy to isolate namespace and pod with port


kubernetes V19

Create a new NetworkPolicy named allow-port-from-namespace that allows Pods in the existing namespace internal to connect to port 80 of other Pods in the same namespace.

Ensure that the new NetworkPolicy:

does not allow access to Pods not listening on port 80
does not allow access from Pods not in namespace internal

I need to know if I can do it without adding labels to the namespace and pod or not?


There are 5 answers

Matt (BEST ANSWER)

In k8s networkpolicy docs you read:

By default, pods are non-isolated; they accept traffic from any source.

Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. (Other pods in the namespace that are not selected by any NetworkPolicy will continue to accept all traffic.)

Network policies do not conflict; they are additive. If any policy or policies select a pod, the pod is restricted to what is allowed by the union of those policies' ingress/egress rules. Thus, order of evaluation does not affect the policy result

This means that once you assign (select) a pod with a network policy you never set deny rules, because everything is denied by default. You only specify allow rules.

This being explained, let's go back to the k8s docs where you can read the following:

There are four kinds of selectors that can be specified in an ingress from section or egress to section:

podSelector: This selects particular Pods in the same namespace as the NetworkPolicy which should be allowed as ingress sources or egress destinations.

namespaceSelector: This selects particular namespaces for which all Pods should be allowed as ingress sources or egress destinations.

namespaceSelector and podSelector: A single to/from entry that specifies both namespaceSelector and podSelector selects particular Pods within particular namespaces [...]

I am not going to paste all docs here, check the rest here.


Now to answer your question: "I need to know if I can do it without adding labels to the namespace and pod or not?"

What you should notice in the docs mentioned above is that you can only target namespaces and pods using labels.

And when you don't use a namespace label selector, the selector defaults to the namespace where the networkpolicy is deployed.

So, yes, you can do it without adding labels to a namespace as long as you deploy the network policy in the namespace you want to target. And you can also do it without adding labels to a pod as long as this is the only pod in the namespace.

Santhosh Kumar

From the question, I am not getting ... completely confused.

statement 1 --> on same namespace, the pod can communicate with port 80

statement 2 --> does not allow access to Pods not listening on port 80

So, could someone clarify here?

What exactly are they asking? Do we need to provide port 80 access to the pod or not?

tarun mittal

1. You need to label the namespace first.

For example: kubectl label ns namespace-name env=testing

2.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: staging
spec:
  podSelector: {} 
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          env: staging
    ports:
    - protocol: TCP
      port: 80
Purush

statement 2 --> does not allow access to Pods not listening on port 80

How do you not allow access when a pod is not listening? That is a TCP state of the server. You can also have pods not listening on port 80 in the same namespace. I don't think this is solved in your above yaml.

SHC

The yaml below will help you solve your problem; it did work for me. The point is mainly to use only the ports section of the ingress array.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy
spec:
  podSelector: {}   # selects all pods in the namespace the policy is deployed in
  policyTypes:
  - Ingress
  ingress:
  - ports:          # inbound traffic is allowed only on port 80
    - protocol: TCP
      port: 80
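As an added worked example serving both Matt's explanation of selector defaults and the ports-only manifest just above (this is not Kubernetes code and not any poster's code): a small Python model of how NetworkPolicy ingress is evaluated, run against a constructed allow-port-from-namespace policy and the ports-only variant. It shows that the ports-only rule, having no `from`, admits port 80 from pods in any namespace. Pod names, namespaces and the ns_labels map are assumptions.

```python
"""Toy evaluator of NetworkPolicy ingress semantics, added for this thread (not
Kubernetes code or any poster's). It encodes the rules Matt quotes: a selected pod
denies anything not allowed, policies are additive, a podSelector with no
namespaceSelector means the policy's own namespace, and a rule without `from`
admits every source. All pods and policies below are constructed samples."""
from dataclasses import dataclass, field

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)

def matches(selector, labels):
    # Label selector semantics: {} matches everything; every matchLabels entry must match.
    return selector is not None and all(
        labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src, src_ns_labels):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:  # podSelector only: restricted to the policy's own namespace
        return src.namespace == policy_ns and matches(pod_sel, src.labels)
    return matches(ns_sel, src_ns_labels) and (pod_sel is None or matches(pod_sel, src.labels))

def ingress_allowed(policies, ns_labels, src, dst, port, proto="TCP"):
    # True if src may open proto/port to dst under the union of the given policies.
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and matches(p["spec"].get("podSelector", {}), dst.labels)]
    if not selecting:
        return True  # not selected by any policy: non-isolated, accepts all traffic
    for rule in (r for p in selecting for r in p["spec"].get("ingress", [])):
        port_ok = not rule.get("ports") or any(
            x.get("protocol", "TCP") == proto and x["port"] == port for x in rule["ports"])
        from_ok = not rule.get("from") or any(
            peer_allows(peer, dst.namespace, src, ns_labels.get(src.namespace, {}))
            for peer in rule["from"])
        if port_ok and from_ok:
            return True
    return False  # selected, but no rule allows this connection

# Constructed sample: the policy the question asks for, deployed in namespace "internal".
ALLOW_PORT_FROM_NAMESPACE = {
    "metadata": {"name": "allow-port-from-namespace", "namespace": "internal"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {}}],
                          "ports": [{"protocol": "TCP", "port": 80}]}]}}
# Constructed sample mirroring the ports-only manifest in the last answer (no `from`).
PORTS_ONLY = {
    "metadata": {"name": "network-policy", "namespace": "internal"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "ingress": [{"ports": [{"protocol": "TCP", "port": 80}]}]}}
```

Adding an empty podSelector under `from` is what restricts sources to the policy's own namespace; the evaluator returns True for a pod in another namespace only under PORTS_ONLY.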