
Network Policy - Allow traffic from any namespace


Hello,

In course DO280, Chapter 04, Section 03 - Configure Network Policies, there is the following example:

##################################################################################

"By changing the podSelector field in the previous example to be an item in the from list, all pods in namespaces with the network=dev label and all pods from any namespaces with the app=mobile label can reach the pods that match the top-level podSelector field. This sample shows a logical OR statement.

...output omitted...
ingress:
- from:
  - namespaceSelector:
      matchLabels:
        network: dev
  - podSelector:
      matchLabels:
        app: mobile

##################################################################################

In the other documentation (https://kubernetes.io/docs/concepts/services-networking/network-policies/), there is a similar example (see below), and it says that it only allows traffic from the local namespace.

##################################################################################

...
ingress:
- from:
  - namespaceSelector:
      matchLabels:
        user: alice
  - podSelector:
      matchLabels:
        role: client
...

It contains two elements in the from array, and allows connections from Pods in the local Namespace with the label role=client, or from any Pod in any namespace with the label user=alice.

##################################################################################

I tested this configuration, and it seems that when there is only ingress.from.podSelector, it only accepts traffic from the local namespace. Can someone clarify this behaviour?

Thank you,

Claudio Sequeira

Accepted Solutions
Chetan_Tiwary_
Moderator

Hi @laurpaum!

Ah, right! It should be something like "It allows connections from Pods in the local Namespace with the label app=mobile, or from any Pod in any namespace with the label network=dev."

Flagging this with the course development team. Thanks for specifying it explicitly.


6 Replies
laurpaum
Flight Engineer

Multiple entries in the "from" (or "to") rules list are combined using logical OR.

Each entry MAY have a podSelector and a namespaceSelector.

If the namespaceSelector is absent, only the local namespace containing the policy is matched.

If the namespaceSelector is present with empty value, all namespaces are matched.

If the podSelector is absent or empty, all pods from the matched namespace(s) are matched.

You can't have an empty rule, so all pods in the policy namespace must be matched using an explicit empty podSelector.

The quoted explanation from DO280 is wrong.

Mordonez
Cadet

As explained in the documentation, the namespaceSelector block allows you to specify one or more namespaces that meet the desired characteristics through labels, something that the podSelector block doesn't do; it points by default to the current namespace that you're using.

Chetan_Tiwary_
Moderator

Hello @ClaudioSequeira!

Thanks for reaching out!

I think you are right.

When you have only:

podSelector:
  matchLabels:
    role: client

then it only accepts traffic from pods in the local namespace, as per the Network Policy.

Whereas if you have:

from:
- namespaceSelector:
    matchLabels:
      user: alice
- podSelector:
    matchLabels:
      role: client

this policy will allow traffic from pods in the local namespace with the label role: client, or from pods in any namespace with the label user: alice.

But this is not the same as this:

ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          user: alice
      podSelector:
        matchLabels:
          role: client

This is an AND operation: it selects particular pods within a particular namespace. It is a single from entry.

I guess we can check the policy rule using oc describe networkpolicy <policyname>.

Chetan_Tiwary_
Moderator
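The selector rules laurpaum lists above and the AND-vs-OR distinction in the reply just above can be checked without a cluster by modelling them. The block below is an added example for this thread; it is not code from the DO280 course, the Kubernetes project or any CNI plugin. It models only the matchLabels, empty-selector and absent-selector cases discussed here (no matchExpressions or ipBlock), and the namespace name "local", the target label app=api and the sample source pods are all constructed placeholders.

```python
"""Model of how a NetworkPolicy ingress 'from' list selects source pods.

Added example for this thread; it is not code from the DO280 course, the
Kubernetes project or any CNI plugin. It implements only the selector rules
discussed above (matchLabels, an empty selector, an absent selector) and
skips matchExpressions and ipBlock. Namespace names, labels and peers below
are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Peer:
    """A source pod: the namespace it runs in, that namespace's labels, its own labels."""
    namespace: str
    ns_labels: dict = field(default_factory=dict)
    pod_labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """matchLabels semantics: every listed key must be present with that value.
    An empty selector ({}) has no requirements and therefore matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(entry, peer, policy_namespace):
    """One element of the 'from' list. podSelector and namespaceSelector inside
    the same element are ANDed together."""
    ns_sel = entry.get("namespaceSelector")
    pod_sel = entry.get("podSelector")
    if ns_sel is None:
        # No namespaceSelector at all: only the namespace that holds the policy.
        if peer.namespace != policy_namespace:
            return False
    elif not selector_matches(ns_sel, peer.ns_labels):
        # namespaceSelector present: {} matches every namespace, else by labels.
        return False
    if pod_sel is not None and not selector_matches(pod_sel, peer.pod_labels):
        # An absent podSelector means all pods in the matched namespace(s).
        return False
    return True


def ingress_allowed(policy, peer):
    """Elements of a 'from' list are ORed: one match is enough.
    A rule with no 'from' (or an empty one) does not restrict the source."""
    policy_namespace = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        sources = rule.get("from")
        if not sources:
            return True
        if any(peer_matches(entry, peer, policy_namespace) for entry in sources):
            return True
    return False


def make_policy(from_list):
    # Assumed namespace "local" and target label app=api; both are placeholders.
    return {
        "metadata": {"namespace": "local"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "api"}},
            "ingress": [{"from": from_list}],
        },
    }


# Two separate elements (OR): any pod in a network=dev namespace, or app=mobile
# pods in the policy's own namespace. The second element has no namespaceSelector.
POLICY_OR = make_policy([
    {"namespaceSelector": {"matchLabels": {"network": "dev"}}},
    {"podSelector": {"matchLabels": {"app": "mobile"}}},
])

# One element carrying both selectors (AND): app=mobile pods in network=dev namespaces.
POLICY_AND = make_policy([
    {"namespaceSelector": {"matchLabels": {"network": "dev"}},
     "podSelector": {"matchLabels": {"app": "mobile"}}},
])

# What the quoted course text actually describes, app=mobile pods from ANY
# namespace, needs an explicit empty namespaceSelector next to the podSelector.
POLICY_ANY_NS = make_policy([
    {"namespaceSelector": {}, "podSelector": {"matchLabels": {"app": "mobile"}}},
])

# Constructed sample source pods: (namespace, namespace labels, pod labels).
PEERS = {
    "local_mobile": Peer("local", {}, {"app": "mobile"}),
    "other_mobile": Peer("other", {"team": "blue"}, {"app": "mobile"}),
    "dev_web": Peer("dev", {"network": "dev"}, {"app": "web"}),
    "dev_mobile": Peer("dev", {"network": "dev"}, {"app": "mobile"}),
}


def evaluate(policy):
    """Map each sample peer name to whether the policy admits its traffic."""
    return {name: ingress_allowed(policy, peer) for name, peer in PEERS.items()}


if __name__ == "__main__":
    for label, policy in (("OR", POLICY_OR), ("AND", POLICY_AND), ("ANY_NS", POLICY_ANY_NS)):
        print(label, evaluate(policy))
```

Running it shows the point of the thread: under POLICY_OR the app=mobile pod in namespace "other" is denied, because a podSelector with no namespaceSelector beside it is scoped to the policy's own namespace; only POLICY_ANY_NS, with the explicit empty namespaceSelector in the same element, admits it from every namespace. On a real cluster the equivalent check is to create the source pods in the different namespaces and test the connection, since oc describe networkpolicy only prints the selectors, not how the CNI resolves them.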

[screenshot attached: Chetan_Tiwary__0-1695664501021.png]

The explanation in DO280v4.12 ch04s03 seems right: two different policies are shown, with AND and OR rules.

laurpaum
Flight Engineer

The AND vs OR part is correct. What's not is stating that the rule with a podSelector and no namespaceSelector will match "all pods from any namespaces with the app=mobile label".
