Kubernetes - Network policy for communication between services
Question
I need help on Network policy for the below requirement.
Is it possible to let Application A in namespace A connect to only Application B in namespace B? I want only one application from one namespace to connect to only one application on another namespace?
I have a network policy at global for default deny all.
Currently, there is only OR for network policy. What I am looking for is AND so that I can say, allow namespace A & pod A. Is there anyway to achieve this?
3 answers
solution1
0 2019-04-08 22:19:06
Yes, you can do this. For an ingress network policy, you just have to set both namespaceSelector and podSelector in the from section to specify both the namespace and pod labels (of application A and namespace A, in your example) -- the selectors are ANDed together. For the target, use the podSelector field to select application B, and make sure the namespace in the network policy metadata is set to namespace B.
Note that to use namespaceSelector , you will have to label your namespace. Namespaces are not labeled in Kubernetes by default.
Check out the Across Namespaces section in this guide for a more thorough explanation, and an example YAML.
solution2
-1 2018-06-22 05:07:09
Pods can communicate with each other across the namespaces:
App 1 in namespace 1:
$ kubectl -n namespace1 get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE
app1-5d8bb8ffbb-7x74v 1/1 Running 0 1d 10.233.65.115 node1.example.kz
App 2 in namespace 2:
$ kubectl -n namespace2 get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE
app2-569f46b8d5-fz9dw 1/1 Running 0 1d 10.233.67.80 node2.example.kz
I can connect to the App 2 from the App 1:
kubectl -n namespace1 exec app1-5d8bb8ffbb-7x74v -- ping -c 1 10.233.67.80
PING 10.233.67.80 (10.233.67.80) 56(84) bytes of data.
64 bytes from 10.233.67.80: icmp_seq=1 ttl=62 time=0.917 ms
--- 10.233.67.80 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.917/0.917/0.917/0.000 ms
This example is very simple. Depending on kind of connection and your apps configuration, you might need Service , Ingress resources
More info:
- https://kubernetes.io/docs/concepts/services-networking/service/
- https://kubernetes.io/docs/concepts/services-networking/ingress/
Also, this documentation will be helpful:
solution3
-1 2018-06-22 08:58:20
How groups of pods are allowed to communicate with each other and other network endpoints is configured with NetworkPolicy resource. Your networking solution (CNI plugin) has to support NetworkPolicy, because you need a controller. Simply creating the resource without a controller to implement it will have no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector: {}
policyTypes:
- Ingress
Take a look at https://kubernetes.io/docs/concepts/services-networking/network-policies/ for more examples.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.