I tested the podSelector approach in my environment, and it succeeded. Please find the end-to-end process below.
Create AKS Cluster with Network Policies Enabled:
az group create --name anji-rg --location eastus (if you haven't created it yet)
az aks create \
  --resource-group anji-rg \
  --name np-demo-aks \
  --node-count 1 \
  --enable-addons monitoring \
  --network-plugin azure \
  --network-policy azure \
  --generate-ssh-keys
Before connecting with kubectl, configure the credentials:
az aks get-credentials --resource-group anji-rg --name np-demo-aks
Then install the NGINX Ingress Controller. I created a namespace for it like this > kubectl create namespace ingress-nginx
Make sure kubectl and Helm are installed:
kubectl > curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
Make the binary executable > chmod +x kubectl
Move the binary into your PATH > sudo mv kubectl /usr/local/bin/
Helm > curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
Now install NGINX Ingress Controller using helm:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx
I deployed the backend and frontend apps in a separate namespace created for them. In my case > kubectl create namespace demo-app
#backend.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: demo-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
      - name: backend
        image: hashicorp/http-echo
        args: ["-text=Hello from Backend"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: backend
  namespace: demo-app
spec:
  selector:
    app: backend
  ports:
  - port: 80
    targetPort: 5678
Then apply it > kubectl apply -f backend.yaml
(make sure the file name matches; in my case I used backend.yaml)
For the frontend pod I used a curl client: #frontend.yaml
apiVersion: v1
kind: Pod
metadata:
  name: frontend
  namespace: demo-app
  labels:
    app: frontend
spec:
  containers:
  - name: curl
    image: curlimages/curl
    command: ["sleep", "3600"]
Apply it > kubectl apply -f frontend.yaml
Create Ingress Resource for Backend:
#ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backend-ingress
  namespace: demo-app
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /backend
        pathType: Prefix
        backend:
          service:
            name: backend
            port:
              number: 80
Apply > kubectl apply -f ingress.yaml
Then get the ingress IP > kubectl get ingress -n demo-app
and access it without any NetworkPolicy through > kubectl exec -n demo-app frontend -- curl http://<Your-ingress-IP>/backend
You should see: Hello from Backend
Now add a restrictive NetworkPolicy using podSelector:
Label the ingress-nginx namespace first > kubectl label namespace ingress-nginx name=ingress-nginx
Network policy: #netpol-selector.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-ingress
  namespace: demo-app
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
    ports:
    - protocol: TCP
      port: 80
Apply > kubectl apply -f netpol-selector.yaml
Test again with the podSelector-based policy > kubectl exec -n demo-app frontend -- curl http://<Your-ingress-IP>/backend
Again you should see the same message: Hello from Backend
With the podSelector, traffic is still allowed dynamically. Let me know if you have any thoughts or doubts, and I will be glad to clear them. Thank you. @Jananath Banuka
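The following is an added example, not code from the answer above. It is a small offline model of how Kubernetes evaluates the egress rule in netpol-selector.yaml, written to make two points a practitioner should check before trusting a policy like this one: the namespaceSelector and podSelector in a single `to` entry are ANDed (only the labelled controller pods in the labelled namespace are reachable), whereas the same two selectors written as two `to` entries are ORed and would open egress to every pod in the ingress-nginx namespace; and, because the policy's only rule is TCP/80, it permits no DNS egress, which is why the curl test in the answer works against the raw ingress IP but would fail against a hostname unless a DNS rule is added. The two policy dicts mirror the posted YAML (the second is a hypothetical mis-indented variant); the destination pods and their labels are constructed sample data, and only matchLabels is modelled.

```python
"""Offline model of Kubernetes NetworkPolicy egress evaluation.

Added example, not code from the original answer. POLICY_AND mirrors the
posted netpol-selector.yaml; POLICY_OR is a hypothetical mis-written variant
in which a stray "-" turns the two selectors into two `to` entries. The
destination pods are constructed sample data. Only matchLabels is modelled;
matchExpressions, ipBlock and named ports are out of scope.
"""

POLICY_NAMESPACE = "demo-app"  # namespace the policy lives in

# Policy as posted: both selectors inside ONE `to` entry (logical AND).
POLICY_AND = {
    "podSelector": {"matchLabels": {"app": "frontend"}},
    "policyTypes": ["Egress"],
    "egress": [{
        "to": [{
            "namespaceSelector": {"matchLabels": {"name": "ingress-nginx"}},
            "podSelector": {"matchLabels": {"app.kubernetes.io/name": "ingress-nginx"}},
        }],
        "ports": [{"protocol": "TCP", "port": 80}],
    }],
}

# Hypothetical mistake: the same selectors as TWO `to` entries (logical OR).
POLICY_OR = {
    "podSelector": {"matchLabels": {"app": "frontend"}},
    "policyTypes": ["Egress"],
    "egress": [{
        "to": [
            {"namespaceSelector": {"matchLabels": {"name": "ingress-nginx"}}},
            {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "ingress-nginx"}}},
        ],
        "ports": [{"protocol": "TCP", "port": 80}],
    }],
}

# Constructed sample destinations: namespace, namespace labels, pod labels.
PODS = {
    "ingress-controller": {"ns": "ingress-nginx",
                           "ns_labels": {"name": "ingress-nginx"},
                           "labels": {"app.kubernetes.io/name": "ingress-nginx"}},
    "debug-in-ingress-ns": {"ns": "ingress-nginx",
                            "ns_labels": {"name": "ingress-nginx"},
                            "labels": {"app": "debug"}},
    "backend": {"ns": "demo-app", "ns_labels": {}, "labels": {"app": "backend"}},
    "kube-dns": {"ns": "kube-system",
                 "ns_labels": {"kubernetes.io/metadata.name": "kube-system"},
                 "labels": {"k8s-app": "kube-dns"}},
}


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, dst, policy_ns):
    """One `to` entry: every selector it carries must match (AND).
    A podSelector without a namespaceSelector is scoped to the policy's namespace."""
    if "namespaceSelector" in peer and not selector_matches(peer["namespaceSelector"], dst["ns_labels"]):
        return False
    if "podSelector" in peer:
        if "namespaceSelector" not in peer and dst["ns"] != policy_ns:
            return False
        if not selector_matches(peer["podSelector"], dst["labels"]):
            return False
    return True


def port_matches(ports, protocol, port):
    """An omitted or empty `ports` list means any port and protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def egress_allowed(policy, src_labels, dst, protocol, port, policy_ns=POLICY_NAMESPACE):
    """True if this single policy permits src -> dst on protocol/port.
    Pods not selected by spec.podSelector are unaffected by the policy (allowed)."""
    if not selector_matches(policy["podSelector"], src_labels):
        return True
    if "Egress" not in policy.get("policyTypes", []):
        return True
    for rule in policy.get("egress", []):
        # Entries of `to` are ORed; an empty `to` means any destination.
        to_ok = not rule.get("to") or any(peer_matches(p, dst, policy_ns) for p in rule["to"])
        if to_ok and port_matches(rule.get("ports"), protocol, port):
            return True
    return False


if __name__ == "__main__":
    frontend = {"app": "frontend"}
    for name, policy in (("AND (as posted)", POLICY_AND), ("OR (mis-written)", POLICY_OR)):
        for dst, proto, port in (("ingress-controller", "TCP", 80), ("debug-in-ingress-ns", "TCP", 80),
                                 ("backend", "TCP", 5678), ("kube-dns", "UDP", 53)):
            print(f"{name:17s} frontend -> {dst:20s} {proto}/{port}: "
                  f"{'allow' if egress_allowed(policy, frontend, PODS[dst], proto, port) else 'deny'}")
```

Run it with `python3 netpol_model.py`: the posted policy allows only frontend -> ingress controller on TCP/80 and denies the debug pod, the backend, and kube-dns; the OR variant additionally allows the unlabelled debug pod in the ingress-nginx namespace. To let the frontend resolve names, a second egress rule to the kube-dns pods on UDP/TCP 53 would be needed.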