How to allow/deny http requests from other namespaces of the same cluster?












0















In a cluster with 2 namespaces (ns1 and ns2), I deploy the same app (deployment) and expose it with a service.



I thought separate namespaces would prevent from executing curl http://deployment.ns1 from a pod in ns2, but apparently, it's possible.



So my question is, how to allow/deny such cross namespaces operations? For example:




  • pods in ns1 should accept requests from any namespace

  • pods (or service?) in ns2 should deny all requests from other namespaces






kubernetes kubernetes-networkpolicy







share|improve this question

























  • How are you deploying OpenShift? If you are using oc cluster up or minishift, the SDN layer required to provide separation isn't installed. A full OpenShift cluster install should.

    – Graham Dumpleton
    Jan 20 at 19:34











  • @graham Someone edited the question and added the openshift tag, but the question was related to Kubernetes

    – znat
    Jan 21 at 20:15













  • Okay, worth highlighting then, is that one of the things you get with OpenShift is multi tenancy out of the box. This means namespaces (projects) are isolated by default and you don't need to go adding it on top of Kubernetes yourself.

    – Graham Dumpleton
    Jan 22 at 4:00
















0















In a cluster with 2 namespaces (ns1 and ns2), I deploy the same app (deployment) and expose it with a service.



I thought separate namespaces would prevent from executing curl http://deployment.ns1 from a pod in ns2, but apparently, it's possible.



So my question is, how to allow/deny such cross namespaces operations? For example:




  • pods in ns1 should accept requests from any namespace

  • pods (or service?) in ns2 should deny all requests from other namespaces






kubernetes kubernetes-networkpolicy







share|improve this question

























  • How are you deploying OpenShift? If you are using oc cluster up or minishift, the SDN layer required to provide separation isn't installed. A full OpenShift cluster install should.

    – Graham Dumpleton
    Jan 20 at 19:34











  • @graham Someone edited the question and added the openshift tag, but the question was related to Kubernetes

    – znat
    Jan 21 at 20:15













  • Okay, worth highlighting then, is that one of the things you get with OpenShift is multi tenancy out of the box. This means namespaces (projects) are isolated by default and you don't need to go adding it on top of Kubernetes yourself.

    – Graham Dumpleton
    Jan 22 at 4:00














0












0








0








In a cluster with 2 namespaces (ns1 and ns2), I deploy the same app (deployment) and expose it with a service.



I thought separate namespaces would prevent from executing curl http://deployment.ns1 from a pod in ns2, but apparently, it's possible.



So my question is, how to allow/deny such cross namespaces operations? For example:




  • pods in ns1 should accept requests from any namespace

  • pods (or service?) in ns2 should deny all requests from other namespaces






kubernetes kubernetes-networkpolicy







share|improve this question
















In a cluster with 2 namespaces (ns1 and ns2), I deploy the same app (deployment) and expose it with a service.



I thought separate namespaces would prevent from executing curl http://deployment.ns1 from a pod in ns2, but apparently, it's possible.



So my question is, how to allow/deny such cross namespaces operations? For example:




  • pods in ns1 should accept requests from any namespace

  • pods (or service?) in ns2 should deny all requests from other namespaces






kubernetes kubernetes-networkpolicy




kubernetes kubernetes-networkpolicy






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 22 at 4:00









Graham Dumpleton

48.3k680106




48.3k680106










asked Jan 19 at 14:07









znatznat

7,096114880




7,096114880













  • How are you deploying OpenShift? If you are using oc cluster up or minishift, the SDN layer required to provide separation isn't installed. A full OpenShift cluster install should.

    – Graham Dumpleton
    Jan 20 at 19:34











  • @graham Someone edited the question and added the openshift tag, but the question was related to Kubernetes

    – znat
    Jan 21 at 20:15













  • Okay, worth highlighting then, is that one of the things you get with OpenShift is multi tenancy out of the box. This means namespaces (projects) are isolated by default and you don't need to go adding it on top of Kubernetes yourself.

    – Graham Dumpleton
    Jan 22 at 4:00



















  • How are you deploying OpenShift? If you are using oc cluster up or minishift, the SDN layer required to provide separation isn't installed. A full OpenShift cluster install should.

    – Graham Dumpleton
    Jan 20 at 19:34











  • @graham Someone edited the question and added the openshift tag, but the question was related to Kubernetes

    – znat
    Jan 21 at 20:15













  • Okay, worth highlighting then, is that one of the things you get with OpenShift is multi tenancy out of the box. This means namespaces (projects) are isolated by default and you don't need to go adding it on top of Kubernetes yourself.

    – Graham Dumpleton
    Jan 22 at 4:00

















How are you deploying OpenShift? If you are using oc cluster up or minishift, the SDN layer required to provide separation isn't installed. A full OpenShift cluster install should.

– Graham Dumpleton
Jan 20 at 19:34





How are you deploying OpenShift? If you are using oc cluster up or minishift, the SDN layer required to provide separation isn't installed. A full OpenShift cluster install should.

– Graham Dumpleton
Jan 20 at 19:34













@graham Someone edited the question and added the openshift tag, but the question was related to Kubernetes

– znat
Jan 21 at 20:15







@graham Someone edited the question and added the openshift tag, but the question was related to Kubernetes

– znat
Jan 21 at 20:15















Okay, worth highlighting then, is that one of the things you get with OpenShift is multi tenancy out of the box. This means namespaces (projects) are isolated by default and you don't need to go adding it on top of Kubernetes yourself.

– Graham Dumpleton
Jan 22 at 4:00





Okay, worth highlighting then, is that one of the things you get with OpenShift is multi tenancy out of the box. This means namespaces (projects) are isolated by default and you don't need to go adding it on top of Kubernetes yourself.

– Graham Dumpleton
Jan 22 at 4:00












2 Answers
2






active

oldest

votes


















3














Good that you are working with namespace isolation.




  1. Deploy a new kind Network Policy in your ns1 with ingress all. You can lookup the documentation to define network ingress policy to allow all inbound traffic


  2. Likewise for ns2, you can create a new kind Network Policy and deploy the config in ns2 to deny all ingress. Again the docs will come to rescue to help with you the yaml construct.



It may look something like this:



kind: NetworkPolicy

apiVersion: networking.k8s.io/v1

metadata:

 namespace: ns1

 name: web-allow-all-namespaces

spec:

 podSelector:

  matchLabels:

   app: app_name_ns1

 ingress:

 - from:

  - namespaceSelector: {}





share|improve this answer
























  • Thanks for pointing me to network policies

    – znat
    Jan 20 at 17:59



















1














It would not be answer you want, but I can provide the helpful feature information to implement your requirements.



AFAIK Kubernetes can define network policy to limit the network access.



Refer Declare Network Policy for more details of Network Policy.




  • Default policies


  • Setting a Default NetworkPolicy for New Projects in case OpenShift.






share|improve this answer

























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54267922%2fhow-to-allow-deny-http-requests-from-other-namespaces-of-the-same-cluster%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    3














    Good that you are working with namespace isolation.




    1. Deploy a new kind Network Policy in your ns1 with ingress all. You can lookup the documentation to define network ingress policy to allow all inbound traffic


    2. Likewise for ns2, you can create a new kind Network Policy and deploy the config in ns2 to deny all ingress. Again the docs will come to rescue to help with you the yaml construct.



    It may look something like this:



    kind: NetworkPolicy
    
apiVersion: networking.k8s.io/v1
    
metadata:
    
 namespace: ns1
    
 name: web-allow-all-namespaces
    
spec:
    
 podSelector:
    
  matchLabels:
    
   app: app_name_ns1
    
 ingress:
    
 - from:
    
  - namespaceSelector: {}





    share|improve this answer
























    • Thanks for pointing me to network policies

      – znat
      Jan 20 at 17:59
















    3














    Good that you are working with namespace isolation.




    1. Deploy a new kind Network Policy in your ns1 with ingress all. You can lookup the documentation to define network ingress policy to allow all inbound traffic


    2. Likewise for ns2, you can create a new kind Network Policy and deploy the config in ns2 to deny all ingress. Again the docs will come to rescue to help with you the yaml construct.



    It may look something like this:



    kind: NetworkPolicy
    
apiVersion: networking.k8s.io/v1
    
metadata:
    
 namespace: ns1
    
 name: web-allow-all-namespaces
    
spec:
    
 podSelector:
    
  matchLabels:
    
   app: app_name_ns1
    
 ingress:
    
 - from:
    
  - namespaceSelector: {}





    share|improve this answer
























    • Thanks for pointing me to network policies

      – znat
      Jan 20 at 17:59














    3












    3








    3







    Good that you are working with namespace isolation.




    1. Deploy a new kind Network Policy in your ns1 with ingress all. You can lookup the documentation to define network ingress policy to allow all inbound traffic


    2. Likewise for ns2, you can create a new kind Network Policy and deploy the config in ns2 to deny all ingress. Again the docs will come to rescue to help with you the yaml construct.



    It may look something like this:



    kind: NetworkPolicy
    
apiVersion: networking.k8s.io/v1
    
metadata:
    
 namespace: ns1
    
 name: web-allow-all-namespaces
    
spec:
    
 podSelector:
    
  matchLabels:
    
   app: app_name_ns1
    
 ingress:
    
 - from:
    
  - namespaceSelector: {}





    share|improve this answer













    Good that you are working with namespace isolation.




    1. Deploy a new kind Network Policy in your ns1 with ingress all. You can lookup the documentation to define network ingress policy to allow all inbound traffic


    2. Likewise for ns2, you can create a new kind Network Policy and deploy the config in ns2 to deny all ingress. Again the docs will come to rescue to help with you the yaml construct.



    It may look something like this:



    kind: NetworkPolicy
    
apiVersion: networking.k8s.io/v1
    
metadata:
    
 namespace: ns1
    
 name: web-allow-all-namespaces
    
spec:
    
 podSelector:
    
  matchLabels:
    
   app: app_name_ns1
    
 ingress:
    
 - from:
    
  - namespaceSelector: {}






    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Jan 19 at 20:53









    Raunak JhawarRaunak Jhawar

    4501412




    4501412













    • Thanks for pointing me to network policies

      – znat
      Jan 20 at 17:59



















    • Thanks for pointing me to network policies

      – znat
      Jan 20 at 17:59

















    Thanks for pointing me to network policies

    – znat
    Jan 20 at 17:59





    Thanks for pointing me to network policies

    – znat
    Jan 20 at 17:59













    1














    It would not be answer you want, but I can provide the helpful feature information to implement your requirements.



    AFAIK Kubernetes can define network policy to limit the network access.



    Refer Declare Network Policy for more details of Network Policy.




    • Default policies


    • Setting a Default NetworkPolicy for New Projects in case OpenShift.






    share|improve this answer






























      1














      It would not be answer you want, but I can provide the helpful feature information to implement your requirements.



      AFAIK Kubernetes can define network policy to limit the network access.



      Refer Declare Network Policy for more details of Network Policy.




      • Default policies


      • Setting a Default NetworkPolicy for New Projects in case OpenShift.






      share|improve this answer




























        1












        1








        1







        It would not be answer you want, but I can provide the helpful feature information to implement your requirements.



        AFAIK Kubernetes can define network policy to limit the network access.



        Refer Declare Network Policy for more details of Network Policy.




        • Default policies


        • Setting a Default NetworkPolicy for New Projects in case OpenShift.






        share|improve this answer















        It would not be answer you want, but I can provide the helpful feature information to implement your requirements.



        AFAIK Kubernetes can define network policy to limit the network access.



        Refer Declare Network Policy for more details of Network Policy.




        • Default policies


        • Setting a Default NetworkPolicy for New Projects in case OpenShift.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 19 at 16:20

























        answered Jan 19 at 16:09









        Daein ParkDaein Park

        1,04539




        1,04539






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54267922%2fhow-to-allow-deny-http-requests-from-other-namespaces-of-the-same-cluster%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Homophylophilia

            Image
            Haec pagina ad tempus protecta est ob maleficia perpetua. Quaesemus, emendationes suggere in pagina disputationis vel magistratum ad hanc deprotegendam pete. Homophylophilia Hyacinthus complexus ab amante suo Apolline, in pictura Mors Hyacinthi quam Jean Broc pinxit. Homophylophilia est sui sexus vel generis amor vel mores romantici vel sexuales, res venerea masculina in masculos, aut mulier in mulieres appetentes. Hoc ingenium sexuale est "exemplar permanens vel inclinatio ad experiendam sexualem, adfectionalem, vel romanticam vim attrahendi," praecipue vel solum ex hominibus eiusdem sexús; notio "etiam ad hominis iudicium identitatis privatae socialisque in illis attractionibus conditum refert, in moribus quoque qui illos exprimant, et in societate communitatis aliorum qui illos communicent." [1] [2] Per aevos alii aliter rem definiverunt, sed Occidentali nostrae aetatis cultu civili non tantum ad ipsa acta erotica spectat, sed etiam igitur
            Read more

            Updating UILabel text programmatically using a function

            Image
            0 so I am trying to update the UIlabel text using a func. I have seen few other questions like mine and I tried their method but it doesn't work. fun returns no value when used in the UIlabel. I have shown my code below.It has to be noted that when I use the function in viewdidload I can retrieve the data. lazy var name: UILabel = { let lb = UILabel() lb.text? = getthename() lb.lineBreakMode = NSLineBreakMode.byWordWrapping lb.textColor = .mainGreen lb.textAlignment = .left lb.font = UIFont.boldSystemFont(ofSize:12.0) return lb }() func getthename() -> String { var wins : String = "" let ud = (Auth.auth().currentUser?.uid) self.ref = Database.database().reference() self.ref.child("Users").child(ud!).observeSingleEvent(of: .value, with: {(snapshot) in
            Read more

            Cloud Functions - OpenCV Videocapture Read method fails for larger files from cloud storage

            Image
            0 I created a cloud function to read a video file from cloud storage and read frames and create an image for each frame. This function works for small files which is 1-2 MB, However, this method fails while reading larger file 130 MB. import cv2 from google.cloud import storage vidcap = cv2.VideoCapture("https://storage.googleapis.com/[bucker_name]/[filename.mp4]") if vidcap.isOpened(): vidcap.open("https://storage.googleapis.com/[bucker_name]/[filename.mp4]") success,image = vidcap.read() print(success) Expected the print will return true and an image will hold an image of a first frame. python-3.x function opencv cloud share | improve this question
            Read more