Cluster information:
Kubernetes version: 1.28.10
Cloud being used: bare-metal
CNI and version: Calico
I have an application in a namespace, which I would like to be accessible externally and from one other namespace, and not from anywhere else.
The destination service is using type LoadBalancer with metallb.
So I had this Network Policy:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-source-ns-and-lan
  namespace: destination-ns
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: "source-ns"
        - ipBlock:
            cidr: "192.168.1.0/24"
```
This works externally from a PC with an IP in the defined ipBlock, but a pod in source-ns can’t contact the service in destination-ns by using the LoadBalancer IP. It does work using the internal svc.cluster.local address, but I would like to use the LB IP for consistency.
Even if I change the policy to allow ALL namespaces and ALL pods, it doesn’t work. The only way I’ve found so far is to add an ipBlock allowing the entire pod network (10.42.0.0/16) which would allow everything else to talk to the service which is not what I want.
Is there a way to solve this, to allow pods in a namespace to talk to a service in a different namespace using a metallb loadbalancer IP?
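An added model of how the policy above evaluates different observed sources (example code written for this thread, not from the question, Calico or kube-proxy). It assumes, as something to verify with `tcpdump` or the application's own connection logs in the destination pod, that a pod's connection to the LoadBalancer IP is source-NATed on the node before it reaches the backend, so it arrives with no pod identity; all addresses below are constructed.

```python
import ipaddress

# The ingress rules from the question's NetworkPolicy, reduced to what matters here.
POLICY_INGRESS = [
    {"namespaceSelector": {"kubernetes.io/metadata.name": "source-ns"}},
    {"ipBlock": {"cidr": "192.168.1.0/24"}},
]

def peer_matches(peer, src):
    """Evaluate one 'from' peer against an observed connection source.

    src has an 'ip' and, only when the CNI can attribute the source to a pod,
    'ns_labels' (labels of that pod's namespace). A source-NATed connection
    carries no pod identity, so it has no 'ns_labels'.
    """
    if "namespaceSelector" in peer:
        labels = src.get("ns_labels")
        if labels is None:
            return False  # selectors never match traffic that is not attributed to a pod
        # an empty selector ({}) matches every namespace: all() over no items is True
        return all(labels.get(k) == v for k, v in peer["namespaceSelector"].items())
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        ip = ipaddress.ip_address(src["ip"])
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    return False

def ingress_allowed(src, ingress=POLICY_INGRESS):
    """True if any peer of any rule admits the source (policy peers are OR-ed)."""
    return any(peer_matches(p, src) for p in ingress)

# Constructed sample sources; the tunnel address is the assumed post-NAT source.
SAMPLES = {
    "pod in source-ns via svc.cluster.local": {"ip": "10.42.1.17", "ns_labels": {"kubernetes.io/metadata.name": "source-ns"}},
    "external PC in the LAN ipBlock": {"ip": "192.168.1.50"},
    "pod in an unrelated namespace": {"ip": "10.42.1.18", "ns_labels": {"kubernetes.io/metadata.name": "other-ns"}},
    "same source-ns pod via LB IP, source-NATed (assumed)": {"ip": "10.42.3.0"},
}

if __name__ == "__main__":
    # Adding the whole pod CIDR admits the NATed source, but also every other pod.
    widened = POLICY_INGRESS + [{"ipBlock": {"cidr": "10.42.0.0/16"}}]
    for name, src in SAMPLES.items():
        print(f"{name}: policy={'ALLOW' if ingress_allowed(src) else 'DENY'}, "
              f"with pod-CIDR ipBlock={'ALLOW' if ingress_allowed(src, widened) else 'DENY'}")
```

The model reproduces the symptoms in the question: a NATed source is denied even by `namespaceSelector: {}`, and only an ipBlock covering the rewritten address admits it, which is why the pod-CIDR workaround is too broad.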