Network Policies
Overview
Network Policies are used to regulate connectivity between Kubernetes namespaces.
Every namespace in the cluster has network policies which only allow inbound traffic from the ingress controllers namespace (so that incoming requests can be routed to your web applications).
A network policy allows connection based on PodSelector
and/or NamespaceSelector
. The policy will then filter requests based on namespace or pod labels.
Namespace Label
This example demonstrates using a namespaceSelector
to route traffic based on a namespace label.
Any namespace label can be used in the network policy.
For clarity, and to avoid overlap with other namespaces, let’s make our label key:
cloud-platform.justice.gov.uk/namespace
# 00-namepace.yaml
---
apiVersion: v1
kind: Namespace
metadata:
name: source-namespace
labels:
cloud-platform.justice.gov.uk/namespace: "source-namespace" # this is the label
cloud-platform.justice.gov.uk/is-production: "false"
cloud-platform.justice.gov.uk/environment-name: "dev"
annotations:
cloud-platform.justice.gov.uk/business-unit: "HMPPS"
cloud-platform.justice.gov.uk/application: "court-probation"
cloud-platform.justice.gov.uk/owner: "andy.marke@digital.justice.gov.uk: andy.marke@digital.justice.gov.uk"
cloud-platform.justice.gov.uk/source-code: "https://github.com/ministryofjustice/court-probation-service"
Network Policy
Once the relevant label has been added to the namespace, the policy can be created.
The policy below allows all traffic from namespaces which have a label called cloud-platform.justice.gov.uk/namespace
with the the value source-namespace
to route to the namespace called target-namespace
.
# 04-networkpolicy.yaml
# allow-source-namespace.yaml
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-source-namespace
namespace: target-namespace
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
cloud-platform.justice.gov.uk/namespace: "source-namespace'
Note: For more complex use-cases, or if the policy is going to be specific to a Pod, see here
Accessing the service
To access a service in the target namespace from the source namespace we need to add the target namespace name to the domain name of the service, e.g:
curl myservice.target-namespace