In order to provide an additional layer of security from issues like T362525, we should check if we can use network policies to only permit incoming traffic to the backends from the api-gateway namespace.
In this scenario, your Egress NetworkPolicy targets more than one namespace using their label names. For this to work, you need to label the target namespaces. For example:
    kubectl label namespace frontend namespace=frontend
    kubectl label namespace backend namespace=backend

Add the labels under namespaceSelector in your NetworkPolicy document. For example:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: egress-namespaces
    spec:
      podSelector:
        matchLabels:
          app: myapp
      policyTypes:
      - Egress
      egress:
      - to:
        - namespaceSelector:
            matchExpressions:
            - key: namespace
              operator: In
              values: ["frontend", "backend"]
The Kubernetes control plane sets an immutable label kubernetes.io/metadata.name on all namespaces; the value of the label is the namespace name.
While NetworkPolicy cannot target a namespace by its name with some object field, you can use the standardized label to target a specific namespace.
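To make the selector semantics from the quoted docs concrete for the task's own case (ingress to the backends only from the api-gateway namespace), here is an added example that is not part of the task or of the Kubernetes project: a small evaluator of NetworkPolicy label selectors run against a constructed ingress policy. The namespace names (backend, api-gateway), pod labels and policy name are assumptions.

```python
# Added example, not the task's or the Kubernetes project's code; namespace and
# label names are assumptions. Evaluates the selector semantics described above.
NS_NAME_LABEL = "kubernetes.io/metadata.name"    # immutable, set by the control plane
# Ingress policy for the task's scenario: only the api-gateway namespace may reach app=backend pods.
BACKEND_INGRESS_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-from-api-gateway", "namespace": "backend"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {
            "matchLabels": {NS_NAME_LABEL: "api-gateway"}}}]}],
    },
}

def selector_matches(selector, labels):
    """All matchLabels and matchExpressions must hold; {} matches everything."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op in ("Exists", "DoesNotExist") and (op == "Exists") != (key in labels):
            return False
    return True

def ingress_allowed(policy, dst_pod_labels, src_ns_labels, src_pod_labels):
    """True/False if the policy selects the destination pod; None if it does not apply."""
    spec = policy["spec"]
    if not selector_matches(spec["podSelector"], dst_pod_labels):
        return None
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return None
    for rule in spec.get("ingress", []):           # rules are OR-ed
        if not rule.get("from"):                   # a rule without 'from' admits any source
            return True
        for peer in rule["from"]:                  # within one peer, selectors are AND-ed
            if "ipBlock" in peer:                  # CIDR peers are not modelled here
                continue
            if "namespaceSelector" in peer:
                ns_ok = selector_matches(peer["namespaceSelector"], src_ns_labels)
            else:                                  # bare podSelector: policy's own namespace
                ns_ok = src_ns_labels.get(NS_NAME_LABEL) == policy["metadata"]["namespace"]
            if ns_ok and selector_matches(peer.get("podSelector", {}), src_pod_labels):
                return True
    return False                                   # selected pod, no rule matched: dropped
```

Note that a pod in the backend namespace itself is also denied by this policy, since the only peer requires the api-gateway namespace label; add a second peer if same-namespace traffic is needed.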