Automated network policies on namespaces


I want to deploy multiple applications to a Kubernetes cluster. These applications can consist of multiple pods that interact with each other. However, I want to isolate the applications from each other for security reasons. I’m coming from Docker Swarm where you deploy a docker-compose.yml an overlay network is created per stack you deploy.
On Kubernetes, I was planning to put each application in it’s own namespaces and define network policies so that pods can only communicate with pods inside the namespace (with exceptions ofcourse).
However, I don’t want to do this again for every application and namespace I create. I was thinking to write an Operator to watch the namespaces and automatically create the necessary network policies. However, before starting an implementation, I would like to get some feedback on this approach. I’m probably not the only one with these requirements, and others have probably implemented similar things. Is my approach valid, and are there things I can use that are already out there? I could not find them, but I might not be searching with the correct terms.

Cluster information:

Kubernetes version: 1.23.4
Cloud being used: Scaleway
Installation method: Kapsule (managed)
CNI and version: Cilium

I got some help on Slack:

[mimmus] Kyverno can probably be easier for you

[thijs lemmens] thanks for that suggestion, I did not know that tool yet

[mimmus] great tool!

[ArgTang] You can aslo check if ciliums networkpolicy

[thijs lemmens] that seems like a good option as well

What you want is AdminNetworkPolicy, which is still in development :frowning:

Until then, a trivial operator can do this.

Good to know. I’ll keep an eye on the issue so I can replace any custom solution with the Kubernetes feature once it is there: