1.9 KiB
| assignees | title | |||
|---|---|---|---|---|
|
Configuring Namespace Isolation |
{% capture overview %}
This page shows how to add NetworkPolicy objects to an isolated namespace to specify what traffic should be allowed.
{% endcapture %}
{% capture prerequisites %}
Network policies are implemented by the network plugin, so you must be using a networking solution which supports NetworkPolicy - simply creating the resource without a controller to implement it will have no effect.
{% endcapture %}
{% capture steps %}
Configuring Namespace Isolation
By default, all traffic is allowed between all pods (and NetworkPolicy resources have no effect).
Isolation can be configured on a per-namespace basis. Currently, only isolation on inbound traffic (ingress) can be defined. When a namespace has been configured to isolate inbound traffic, all traffic to pods in that namespace (even from other pods in the same namespace) will be blocked. NetworkPolicy objects can then be added to the isolated namespace to specify what traffic should be allowed.
Isolation is enabled via the NetworkPolicy field of the Namespace object. To enable isolation via kubectl:
{% raw %}
kubectl patch ns <namespace> -p '{"spec": {"networkPolicy": {"ingress": {"isolation": "DefaultDeny"}}}}'
{% endraw %}
To disable it:
{% raw %}
kubectl patch ns <namespace> -p '{"spec": {"networkPolicy": null}}'
{% endraw %}
NOTE: older network plugins may instead require the v1beta1 syntax, using an annotation:
{% raw %}
kubectl annotate ns <namespace> "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}"
{% endraw %}
{% endcapture %}
{% capture whatsnext %}
- For conceptual information about Network Policies, see Network Policies. {% endcapture %} {% include templates/task.md %}