79653944

Date: 2025-06-05 07:12:30
Score: 2
Natty:

I tested the podSelector approach in my environment, and it succeeded. Please find the end-to-end process below.

Create AKS Cluster with Network Policies Enabled:

az group create --name anji-rg --location eastus (if you haven't created it already)

az aks create \
  --resource-group anji-rg \
  --name np-demo-aks \
  --node-count 1 \
  --enable-addons monitoring \
  --network-plugin azure \
  --network-policy azure \
  --generate-ssh-keys

Before connecting with kubectl, configure the credentials:

az aks get-credentials --resource-group anji-rg --name np-demo-aks

Then install the NGINX Ingress Controller. I created a namespace for it:

kubectl create namespace ingress-nginx

Make sure kubectl and Helm are installed.

kubectl:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

Make the binary executable with chmod +x kubectl, then move it into your PATH:
sudo mv kubectl /usr/local/bin/

Helm:
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

Now install the NGINX Ingress Controller using Helm:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

helm install nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx

I deployed the backend and frontend apps in a separate namespace created for them. In my case: kubectl create namespace demo-app

#backend.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: demo-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
      - name: backend
        image: hashicorp/http-echo
        args: ["-text=Hello from Backend"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: backend
  namespace: demo-app
spec:
  selector:
    app: backend
  ports:
  - port: 80
    targetPort: 5678

Then apply it: kubectl apply -f backend.yaml (make sure the file name matches; in my case I used backend.yaml).

For the frontend pod I used a curl client: #frontend.yaml

apiVersion: v1
kind: Pod
metadata:
  name: frontend
  namespace: demo-app
  labels:
    app: frontend
spec:
  containers:
  - name: curl
    image: curlimages/curl
    command: ["sleep", "3600"]

Apply it: kubectl apply -f frontend.yaml

Create Ingress Resource for Backend:

#ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backend-ingress
  namespace: demo-app
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /backend
        pathType: Prefix
        backend:
          service:
            name: backend
            port:
              number: 80

Apply: kubectl apply -f ingress.yaml

Then get the ingress IP with kubectl get ingress -n demo-app and, without any NetworkPolicy, access it through kubectl exec -n demo-app frontend -- curl http://<Your-ingress-IP>/backend. You should see "Hello from Backend".

Now add a restrictive NetworkPolicy using podSelector. Label the ingress-nginx namespace first: kubectl label namespace ingress-nginx name=ingress-nginx

Network policy: #netpol-selector.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-ingress
  namespace: demo-app
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
    ports:
    - protocol: TCP
      port: 80

Apply: kubectl apply -f netpol-selector.yaml

Test again with the podSelector-based policy: kubectl exec -n demo-app frontend -- curl http://<Your-ingress-IP>/backend. Again you should see the same message, "Hello from Backend".

With podSelector, traffic is still allowed dynamically. Let me know if you have any thoughts or doubts, and I will be glad to clear them. Thank you. @Jananath Banuka
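As an added illustration (not part of the answer above): a small Python check that classifies each egress peer of a NetworkPolicy, making visible why namespaceSelector and podSelector must sit in the same "to:" list item (destination must match both) rather than as two items (either one suffices). The policies are constructed inline as already-parsed dicts mirroring netpol-selector.yaml, so no cluster is needed.

```python
# Added example: classify the peers of each egress rule so the difference between one
# peer carrying BOTH selectors (AND, as in netpol-selector.yaml) and two separate peers
# (OR, the classic misindentation) is visible. Policies are constructed dicts, not fetched.
import copy

def describe_peer(peer):
    """Describe what a single 'to' peer of a NetworkPolicy rule allows."""
    if "ipBlock" in peer:
        return "CIDR " + peer["ipBlock"].get("cidr", "?")
    ns, pod = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns is not None and pod is not None:
        # Both selectors in ONE peer: a destination must satisfy both (AND).
        return "pods %s in namespaces %s" % (pod.get("matchLabels", {}), ns.get("matchLabels", {}))
    if ns is not None:
        # namespaceSelector alone: EVERY pod in the matched namespaces; {} matches all namespaces.
        return "ALL pods in namespaces %s" % (ns.get("matchLabels") or "<any>")
    if pod is not None:
        # podSelector alone: only pods in the policy's own namespace.
        return "pods %s in the policy's own namespace" % (pod.get("matchLabels") or "<any>")
    return "nothing"

def egress_peers(policy):
    """Flatten egress rules to (rule index, peer description, [(proto, port)]) tuples."""
    result = []
    for i, rule in enumerate(policy["spec"].get("egress", [])):
        ports = [(p.get("protocol", "TCP"), p.get("port")) for p in rule.get("ports", [])]
        for peer in rule.get("to", []):  # peers inside one rule are ORed together
            result.append((i, describe_peer(peer), ports))
    return result

# Constructed: the policy from netpol-selector.yaml, both selectors in one peer.
INTENDED = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "allow-egress-to-ingress", "namespace": "demo-app"},
            "spec": {"podSelector": {"matchLabels": {"app": "frontend"}},
                     "policyTypes": ["Egress"],
                     "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "ingress-nginx"}},
                                         "podSelector": {"matchLabels": {"app.kubernetes.io/name": "ingress-nginx"}}}],
                                 "ports": [{"protocol": "TCP", "port": 80}]}]}}

# Constructed: the same policy with podSelector indented as its own list item (a second peer).
MISINDENTED = copy.deepcopy(INTENDED)
_peer = MISINDENTED["spec"]["egress"][0]["to"][0]
MISINDENTED["spec"]["egress"][0]["to"] = [{"namespaceSelector": _peer["namespaceSelector"]},
                                          {"podSelector": _peer["podSelector"]}]

if __name__ == "__main__":
    for name, pol in (("intended", INTENDED), ("misindented", MISINDENTED)):
        print(name)
        for rule, desc, ports in egress_peers(pol):
            print("  rule %d allows %s on %s" % (rule, desc, ports))
```

Running it prints one peer for the intended policy and two (much broader) peers for the misindented one. Note that the policy grants no DNS egress (UDP 53), so the frontend pod has to reach the controller by IP, as the curl command above does.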

Reasons:
  • Blacklisted phrase (0.5): Thank you
  • Blacklisted phrase (1.5): any thoughts
  • Long answer (-1):
  • Has code block (-0.5):
  • User mentioned (1): @Jananath
  • Low reputation (0.5):
Posted by: Bheemani Anji Babu