
I have a Kubernetes cluster set up using kubeadm.
I'm trying to define a network policy which restricts access from outside the namespace but doesn't block access from outside the cluster (external IP).
To elaborate, I want the pods to be accessible from other pods in the namespace and via external IP address, but not from other namespaces.
Any ideas?

Rico
moses

1 Answer


I used the following network policy and it worked for me:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: policy-test
  name: deny-from-other-namespaces
spec:
  podSelector: {}          # empty selector: the policy applies to every pod in policy-test
  ingress:
  - from:
    - podSelector: {}      # any pod in the same namespace (policy-test)
    - namespaceSelector:   # any pod in a namespace carrying the label access=true
        matchLabels:
          access: "true"

Based on what I know, the external access is granted through kube-proxy, which is a pod in the kube-system namespace. This network policy will allow all the pods from the policy-test namespace and any namespace with the access=true label.
Applying this network policy and adding the access=true label to the kube-system namespace will solve the issue.

Adding the label:

kubectl label namespace/kube-system access=true
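The following is an added example, not code from the question or the answer above. It re-implements the documented matching rules for a NetworkPolicy `ingress[].from` list so the posted policy can be checked offline, without a cluster: entries in `from` are OR-ed; a `podSelector` given on its own is scoped to the policy's own namespace; a `namespaceSelector` combined with a `podSelector` in the same entry is AND-ed with it; `ipBlock` matches on source CIDR and is the only peer type that can describe a source that is not a pod. It goes one step beyond the answer by also evaluating a variant policy that names an external range with `ipBlock`. The pod IPs, namespaces, labels and the 203.0.113.0/24 client range are constructed fixtures, and `EXTERNAL_POLICY` is a hypothetical variant, not something from the page.

```python
"""Offline evaluator for NetworkPolicy ingress peer rules (added example)."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class Peer:
    """A traffic source as a policy engine would classify it (constructed fixture)."""
    ip: str
    namespace: Optional[str] = None          # None: the source is not a pod
    pod_labels: dict = field(default_factory=dict)
    ns_labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """Empty selector ({} or a bare `matchLabels:` key with no entries) matches everything."""
    want = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in want.items())


def peer_rule_allows(rule, peer, policy_ns):
    """One entry of `from`; the keys inside a single entry are AND-ed."""
    if "ipBlock" in rule:
        block = rule["ipBlock"]
        addr = ipaddress.ip_address(peer.ip)
        if addr not in ipaddress.ip_network(block["cidr"], strict=False):
            return False
        return not any(addr in ipaddress.ip_network(e, strict=False)
                       for e in block.get("except", []))
    if peer.namespace is None:
        return False                          # pod/namespace selectors only match pods
    if "namespaceSelector" in rule:
        if not selector_matches(rule["namespaceSelector"], peer.ns_labels):
            return False
        if "podSelector" in rule:
            return selector_matches(rule["podSelector"], peer.pod_labels)
        return True
    if "podSelector" in rule:
        # A lone podSelector is implicitly restricted to the policy's namespace.
        return (peer.namespace == policy_ns
                and selector_matches(rule["podSelector"], peer.pod_labels))
    return False


def ingress_allowed(policy, peer):
    """True if any ingress rule admits the peer (rules are OR-ed); else default deny."""
    policy_ns = policy["metadata"]["namespace"]
    for ingress in policy["spec"].get("ingress") or []:
        froms = ingress.get("from")
        if not froms:                         # a rule with no `from` allows all sources
            return True
        if any(peer_rule_allows(r, peer, policy_ns) for r in froms):
            return True
    return False


# The policy from the answer, as the API server would store it.
ANSWER_POLICY = {
    "metadata": {"namespace": "policy-test", "name": "deny-from-other-namespaces"},
    "spec": {
        "podSelector": {},
        "ingress": [{"from": [
            {"podSelector": {}},
            {"namespaceSelector": {"matchLabels": {"access": "true"}}},
        ]}],
    },
}

# Hypothetical variant: same two rules plus an explicit external CIDR via ipBlock.
EXTERNAL_POLICY = {
    "metadata": {"namespace": "policy-test", "name": "allow-ns-and-external"},
    "spec": {
        "podSelector": {},
        "ingress": [{"from": ANSWER_POLICY["spec"]["ingress"][0]["from"] + [
            {"ipBlock": {"cidr": "203.0.113.0/24"}},   # constructed client range
        ]}],
    },
}

# Constructed peers (pod CIDR and RFC 5737 documentation range; not real cluster data).
PEERS = {
    "same-namespace pod": Peer("10.244.1.5", "policy-test"),
    "kube-system pod, namespace labelled access=true":
        Peer("10.244.0.7", "kube-system", ns_labels={"access": "true"}),
    "pod in an unlabelled namespace": Peer("10.244.2.9", "dev"),
    "external client, not a pod": Peer("203.0.113.10"),
}


def evaluate(policy, peers=PEERS):
    """Map each constructed peer to whether the policy admits its ingress traffic."""
    return {name: ingress_allowed(policy, p) for name, p in peers.items()}


if __name__ == "__main__":
    for label, pol in (("answer policy", ANSWER_POLICY), ("ipBlock variant", EXTERNAL_POLICY)):
        print(f"== {label}")
        for name, ok in evaluate(pol).items():
            print(f"  {'ALLOW' if ok else 'DENY ':5} {name}")
```

Running it shows the two selector rules admit the same-namespace pod and the labelled kube-system pod and reject the pod from an unlabelled namespace, which is what the answer describes. A source that is not a pod matches neither selector in this model; only the `ipBlock` variant admits it, so whether external clients are let through by the answer's policy alone depends on how the CNI plugin classifies the traffic (for instance, whether NodePort or LoadBalancer traffic reaches the pod with the client's own IP or a node IP), which is worth checking on the specific cluster.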