networkpolicy in kubernetes to allow port from namespace


Create a new NetworkPolicy named allow-port-from-namespace in the existing namespace snafu. Ensure that the new NetworkPolicy allows Pods in namespace internal to connect to port 8080 of Pods in namespace snafu. Further ensure that the new NetworkPolicy: does not allow access to Pods which don't listen on port 8080; does not allow access from Pods which are not in namespace internal.

Please help me with this question.

Also please verify if the below YAML (in the comment section) is correct and help me understand the second part of the question (Further ensure that the new NetworkPolicy: does not allow access to Pods which don't listen on port 8080; does not allow access from Pods which are not in namespace internal).

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: snafu
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: internal
    ports:
    - protocol: TCP
      port: 8080

4

There are 4 best solutions below

0
On

The second part means you must isolate all the pods in the namespace snafu by default, which means you need to change your podSelector field to:

...
spec:
  podSelector: {}
...
0
On
First check the labels of your namespace, e.g.:

[root@master ~]# kg ns --show-labels
NAME              STATUS   AGE    LABELS
default           Active   54d    kubernetes.io/metadata.name=default
kube-node-lease   Active   54d    kubernetes.io/metadata.name=kube-node-lease
kube-public       Active   54d    kubernetes.io/metadata.name=kube-public
kube-system       Active   54d    kubernetes.io/metadata.name=kube-system
my-app            Active   171m   kubernetes.io/metadata.name=my-app

Here my namespace is my-app and I want to allow traffic on port 80 for all the pods in namespace my-app, but don't want to allow any traffic from other namespaces (e.g. default),

so use

matchLabels:
  kubernetes.io/metadata.name: my-app

[root@master ~]# cat networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: my-app
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: my-app
      ports:
        - protocol: TCP
          port: 80
0
On

I think it can be something like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: snafu
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          key: value
    ports:
    - protocol: TCP
      port: 8080

Br,

0
On

The first part seems incorrect; you need to create labels for namespace Internal.

- namespaceSelector:
    matchLabels:
      purpose: production

Here, purpose: production is the label of namespace Internal: https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/06-allow-traffic-from-a-namespace.md
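The point the answers make about podSelector: {} is easier to see by running the NetworkPolicy ingress rules against a few pods. The Python below is an added example, not code from the question or any of the answers: it models only the parts of the API that matter here (podSelector, policyTypes, ingress from/namespaceSelector/podSelector, ports; no matchExpressions or ipBlock), assumes the namespace internal carries the built-in kubernetes.io/metadata.name=internal label that the second answer's kubectl output shows on every namespace, and uses constructed pods (db-0 with role=db, web-0 with role=web) that are not from the original post. It compares the asker's podSelector (role: db) with podSelector: {} on the same policy.

```python
# Added example: a small model of Kubernetes NetworkPolicy ingress semantics,
# used to compare podSelector role=db with podSelector {} for the task above.
# Not code from the question or answers. Assumes the namespace "internal"
# carries kubernetes.io/metadata.name=internal; all pods below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict      # the pod's own labels
    ns_labels: dict   # labels on the pod's namespace


def selector_matches(selector, labels):
    """LabelSelector as NetworkPolicy uses it: {} matches everything,
    every matchLabels pair must be present (matchExpressions not modelled)."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns):
    """One entry of an ingress 'from' list. namespaceSelector and podSelector in
    the same entry are ANDed; a bare podSelector only covers the policy's namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None and pod_sel is not None:
        return selector_matches(ns_sel, src.ns_labels) and selector_matches(pod_sel, src.labels)
    if ns_sel is not None:
        return selector_matches(ns_sel, src.ns_labels)
    if pod_sel is not None:
        return src.namespace == policy_ns and selector_matches(pod_sel, src.labels)
    return False  # ipBlock peers are out of scope here


def port_matches(ports, dst_port, proto):
    """A rule without a 'ports' list allows every port; otherwise one entry must match."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") == dst_port for p in ports)


def ingress_allowed(policies, src, dst, dst_port, proto="TCP"):
    """Decide src -> dst:dst_port. A pod is isolated for ingress only if a policy in its
    namespace with policyType Ingress selects it; an isolated pod accepts a connection
    only if at least one ingress rule of such a policy matches peer AND port."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"]["podSelector"], dst.labels)
    ]
    if not selecting:
        return True  # not isolated: reachable from anywhere on any port
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            froms = rule.get("from")
            peer_ok = not froms or any(peer_matches(f, src, dst.namespace) for f in froms)
            if peer_ok and port_matches(rule.get("ports"), dst_port, proto):
                return True
    return False


def allow_port_from_namespace(pod_selector):
    """The policy from the question, parameterised on spec.podSelector."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-port-from-namespace", "namespace": "snafu"},
        "spec": {
            "podSelector": pod_selector,
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"namespaceSelector": {
                    "matchLabels": {"kubernetes.io/metadata.name": "internal"}}}],
                "ports": [{"protocol": "TCP", "port": 8080}],
            }],
        },
    }


# Constructed sample pods, not real cluster data.
SRC_INTERNAL = Pod("client", "internal", {}, {"kubernetes.io/metadata.name": "internal"})
SRC_DEFAULT = Pod("client", "default", {}, {"kubernetes.io/metadata.name": "default"})
DB = Pod("db-0", "snafu", {"role": "db"}, {"kubernetes.io/metadata.name": "snafu"})
WEB = Pod("web-0", "snafu", {"role": "web"}, {"kubernetes.io/metadata.name": "snafu"})

ASKERS_POLICY = [allow_port_from_namespace({"matchLabels": {"role": "db"}})]
FIXED_POLICY = [allow_port_from_namespace({})]


def check(policies):
    """The four decisions the task cares about, keyed by src->dst:port."""
    return {
        "internal->db:8080": ingress_allowed(policies, SRC_INTERNAL, DB, 8080),
        "default->db:8080": ingress_allowed(policies, SRC_DEFAULT, DB, 8080),
        "internal->db:9090": ingress_allowed(policies, SRC_INTERNAL, DB, 9090),
        "default->web:80": ingress_allowed(policies, SRC_DEFAULT, WEB, 80),
    }


if __name__ == "__main__":
    for label, pols in (("role=db", ASKERS_POLICY), ("{}", FIXED_POLICY)):
        print("podSelector", label, check(pols))
```

With podSelector role: db, web-0 is never selected, so it is not isolated and default->web:80 is allowed: the policy does nothing for pods it does not select, which is why the second part of the task needs podSelector: {} so that every pod in snafu becomes isolated and only internal->8080 gets through. Note that a NetworkPolicy cannot know what a pod actually listens on; "does not allow access to Pods which don't listen on port 8080" is satisfied by the ports entry, which limits allowed ingress to TCP/8080 for every selected pod.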