I want to block all traffic from other namespaces with a simple Network Policy. But it doesn't give the result I want. Am I doing something wrong?
k get namespaces
prod Active 39m
qa Active 39m
k get networkpolicies.networking.k8s.io -n prod
NAME POD-SELECTOR AGE
block-other-namespace <none> 25m
k get -o wide pods --all-namespaces
prod curl-pod 1/1 Running 0 47m 10.244.2.2 minikube-m03
prod web 1/1 Running 0 47m 10.244.1.3 minikube-m02
qa curl-pod 1/1 Running 0 47m 10.244.1.2 minikube-m02
The Network Policies yaml file is as follows.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: prod
  name: block-other-namespace
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
However, I can send requests to the pod in the qa namespace with the pod in the prod namespace.
kubectl -n qa exec curl-pod -- curl -I http://10.244.1.3
0HTTP/1.1 200 OK
Server: nginx/1.23.2
Date: Sun, 13 Nov 2022 08:34:35 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Wed, 19 Oct 2022 07:56:21 GMT
Connection: keep-alive
ETag: "634fada5-267"
Accept-Ranges: bytes
CodePudding user response:
I tried recreating your environment, and the network policy configuration set works for me. Please make sure you have a CNI with support for enforcing network policies installed.
You can check out the Calico installation guide or install it in a one-liner:
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.24.1/manifests/calico.yaml
Also, we faced these kinds of issues at Otterize when manually configuring network policies to control access between pods. We ended up building a solution of our own and open-sourced it - https://docs.otterize.com/quick-tutorials/k8s-network-policies
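To make the answer's point concrete, here is an added example (not code from the question, the answer, or any project mentioned) that models the ingress semantics of the policy in the question: a bare `podSelector: {}` inside `from` only matches pods in the policy's own namespace, so `qa/curl-pod` should be denied once a CNI actually enforces policies, while with no enforcing CNI every policy is inert and all three flows succeed, which is exactly what the question observed. The pods, namespace labels and the hypothetical `allow-from-qa` policy are constructed to mirror the page's cluster; only `podSelector`/`namespaceSelector` with `matchLabels` are modelled and `policyTypes` is assumed to be Ingress.

```python
"""Minimal evaluator for Kubernetes NetworkPolicy ingress rules (added example).

Models only the API subset used on the page and assumes an enforcing CNI.
All pod, namespace and policy data below are constructed, not taken from a cluster.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    namespace: str
    name: str
    labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """matchLabels selector: every key must be present with the same value.
    An empty selector ({}) matches everything, as in the Kubernetes API."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_allows(peer, src, policy_ns, ns_labels):
    """Evaluate one 'from' entry against the source pod.
    - podSelector alone: only pods in the policy's own namespace.
    - namespaceSelector alone: any pod in a matching namespace.
    - both together: the pod must satisfy both (AND)."""
    has_pod, has_ns = "podSelector" in peer, "namespaceSelector" in peer
    if has_ns and not selector_matches(peer["namespaceSelector"], ns_labels.get(src.namespace, {})):
        return False
    if has_pod:
        if not has_ns and src.namespace != policy_ns:
            return False  # this is what blocks qa/curl-pod -> prod/web
        if not selector_matches(peer["podSelector"], src.labels):
            return False
    return has_pod or has_ns


def ingress_allowed(src, dst, policies, ns_labels):
    """True if traffic from src to dst is permitted.
    A pod selected by no policy in its namespace accepts everything; once
    selected, traffic must be allowed by at least one rule (rules are additive)."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and selector_matches(p["spec"].get("podSelector", {}), dst.labels)]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):  # no ingress key => deny all ingress
            froms = rule.get("from")
            if not froms:  # a rule with no 'from' allows traffic from everywhere
                return True
            if any(peer_allows(peer, src, dst.namespace, ns_labels) for peer in froms):
                return True
    return False


# Constructed data mirroring the page: the question's policy, its three pods,
# and the standard kubernetes.io/metadata.name label on each namespace.
BLOCK_OTHER_NAMESPACE = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"namespace": "prod", "name": "block-other-namespace"},
    "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]},
}
# Hypothetical second policy showing how cross-namespace access would be granted.
ALLOW_FROM_QA = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"namespace": "prod", "name": "allow-from-qa"},
    "spec": {"podSelector": {}, "ingress": [{"from": [
        {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "qa"}}}]}]},
}
NS_LABELS = {"prod": {"kubernetes.io/metadata.name": "prod"},
             "qa": {"kubernetes.io/metadata.name": "qa"}}
PROD_WEB = Pod("prod", "web", {"app": "web"})
PROD_CURL = Pod("prod", "curl-pod")
QA_CURL = Pod("qa", "curl-pod")


def scenario(policies=(BLOCK_OTHER_NAMESPACE,)):
    """Evaluate the flows a reader would check on the page's cluster.
    An empty policy tuple models a CNI that does not enforce policies at all."""
    pols = list(policies)
    return {
        "prod/curl-pod -> prod/web": ingress_allowed(PROD_CURL, PROD_WEB, pols, NS_LABELS),
        "qa/curl-pod -> prod/web": ingress_allowed(QA_CURL, PROD_WEB, pols, NS_LABELS),
        "prod/curl-pod -> qa/curl-pod": ingress_allowed(PROD_CURL, QA_CURL, pols, NS_LABELS),
    }


if __name__ == "__main__":
    print("enforcing CNI:", scenario())
    print("no enforcement:", scenario(()))
    print("with allow-from-qa:", scenario((BLOCK_OTHER_NAMESPACE, ALLOW_FROM_QA)))
```

With enforcement the evaluator denies only `qa/curl-pod -> prod/web`; `prod/curl-pod -> qa/curl-pod` stays open because nothing in `qa` selects that pod, and adding the hypothetical `allow-from-qa` policy re-opens the cross-namespace path, since policies only ever add allowed sources.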