
How do I restrict connections to a service to a list of pods in Kubernetes?

I have a namespace with three pods (deployments) app01, app02, and db. db is exposed within the cluster via a ClusterIP service with name dbsvc. I connect to the service from app01 and app02 using the cluster DNS like dbsvc.namespace.svc.cluster.local. However, I do not want anyone to access dbsvc from outside my namespace. (Since it's ClusterIP, it's not going to be accessible outside the cluster anyways.)

In other words, I want to restrict access to dbsvc.namespace.svc.cluster.local only from app01 and app02.

How do I achieve this?

Network traffic can be restricted with a Network Policy on a cluster using a network plugin (CNI) that supports them, like Calico.

The policy selectors are deployment-specific, so here are some example values:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-network-policy
  namespace: namespace
spec:
  # The pods this policy protects (the database pods behind dbsvc).
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  # Each item under "from" is a separate allowed source (they are OR'ed):
  # any pod in a namespace labelled project=myproject, OR any pod in this
  # namespace labelled role=app. A podSelector with no namespaceSelector
  # only matches pods in the policy's own namespace.
  - from:
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: app
    # Only this port is opened; everything else to the db pods is denied.
    ports:
    - protocol: TCP
      port: 3306
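A policy cut to the question's exact case, as an added example rather than part of the answer above: it assumes the db deployment's pods carry the label app: db, the client deployments carry app: app01 and app: app02, and the database pods listen on TCP 5432 (a placeholder port). Because no namespaceSelector is present, pods from other namespaces are not admitted at all.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dbsvc-allow-app01-app02-only
  namespace: namespace            # the namespace from the question
spec:
  # NetworkPolicy is enforced on pods, not on the Service object. Selecting
  # the pods behind dbsvc covers connections made through the ClusterIP too.
  # Assumed label (not stated in the question): app: db
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress                       # restrict inbound only; db egress unchanged
  ingress:
  - from:
    # A podSelector without a namespaceSelector matches only pods in this
    # policy's own namespace, so nothing outside the namespace can reach
    # the db pods even if it resolves dbsvc.namespace.svc.cluster.local.
    # Assumed labels on the client deployments: app: app01 and app: app02
    - podSelector:
        matchExpressions:
        - key: app
          operator: In
          values: ["app01", "app02"]
    # The pod port (dbsvc's targetPort), not the Service port. Placeholder.
    ports:
    - protocol: TCP
      port: 5432
```

After applying it, a throwaway pod in the same namespace without one of those labels (for example one started with kubectl run) should fail to connect to dbsvc while app01 and app02 still succeed; if the throwaway pod connects, the cluster's CNI is not enforcing NetworkPolicy and the policy is silently doing nothing.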
