How can I isolate pods in a namespace using NetworkPolicy without disabling external traffic to Kubernetes pods?

Cluster information:

Kubernetes version: 1.14.10
Cloud being used: (put bare-metal if not on a public cloud)
Installation method: kubeadm
Host OS: centos
CNI and version: calico 3.7
CRI and version: 18.06.3-ce

I am trying to isolate my pods in a namespace from other namespaces. I have tried to create a NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
  namespace: dev-ns
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

This NetworkPolicy successfully isolates pods in my namespace from another namespace. But this policy, once applied, disables all external traffic to these pods.
For example, when I request the service by its <EXTERNAL_IP>:<PORT>, the network policy denies the ingress traffic from the service and the request times out.

Is there any method to block only traffic from other namespaces and allow all external traffic to the pods?

I think you have to use namespaceSelector instead of podSelector to block other namespaces' traffic.

@tej-singh-rana, yes, we can do this using a namespace selector in the ingress field, and this blocks traffic from another namespace, which is fine. But the issue is that both methods will block traffic from outside the cluster via NodePort.

I think it has blocked the DNS service too, so it is not able to resolve. Open the port for DNS (53).

@tej-singh-rana, no, port 53 is open and working fine without Network Policy …
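
An added example, not posted by anyone in this thread: one way to keep the cross-namespace isolation while admitting traffic that originates outside the pod network is to list an ipBlock peer next to the same-namespace podSelector. The policy name and the pod CIDR 192.168.0.0/16 are assumptions; substitute the pod network the cluster was actually initialised with.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-external   # hypothetical name
  namespace: dev-ns
spec:
  # Empty selector: the policy applies to every pod in dev-ns.
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  # Entries under one "from" are ORed: a connection is allowed
  # if its source matches either peer below.
  - from:
    # Peer 1: any pod in dev-ns itself. A podSelector without a
    # namespaceSelector only ever matches pods in the policy's own
    # namespace, which is why the original policy dropped clients
    # that are not pods at all.
    - podSelector: {}
    # Peer 2: any source address that is NOT a pod address.
    # Pods in other namespaces have addresses inside the pod CIDR,
    # so they match neither peer and stay blocked.
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/16   # ASSUMPTION: the cluster's pod CIDR
```

The ipBlock peer matches on the source address the pod actually sees: with the default externalTrafficPolicy: Cluster, NodePort traffic is SNATed to a node-side address, and when the CNI tunnels pod traffic between nodes that address can fall inside the pod CIDR and be excluded. Node addresses outside the pod CIDR are allowed by this policy, so host-network pods and processes on the nodes can also reach dev-ns.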