NodePort Not Working in Conjunction with Network Policies

I need to isolate the network traffic for each individual namespace in a v1.18 K8s cluster. I have created a deny-all ingress traffic network policy and an allow-all ingress traffic from the Ingress Controller namespace network policy for each application namespace. This allows all application ingress traffic external to the cluster to reach applications internal to the cluster via Layer 7 but restricts any internal namespace-to-namespace traffic, and it works like a champ. The issue is with external cluster traffic attempting to reach internal cluster applications via TCP Layer 4 - NodePort. Adding the network policies breaks NodePort. I need to carve out a network policy to allow all NodePort traffic to each namespace. Any ideas?

Cluster information:

Kubernetes version: v1.18
Cloud being used: baremetal
Installation method: kubeadm
Host OS: VMware Photon OS 3.0
CNI and version: Calico v3.11.2
CRI and version: containerd v1.3.4

Network Policy YAML

Deny All Network Policy

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: app1-namespace
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
```

Allow All Ingress Controller Traffic

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: app1-namespace
  name: allow-from-ingress-namespace
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          app: ingress-controller
```

Maybe this… ?

Thanks @schms.
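
One way to write the carve-out asked about in the question, as an added example that is not part of the original thread: a NetworkPolicy matches on the source address the pod sees, and with the default `externalTrafficPolicy: Cluster` kube-proxy source-NATs NodePort traffic to a node address, so an `ipBlock` covering the node addresses admits it. The policy name, pod label, CIDRs and port are placeholders (assumptions), to be replaced with the cluster's own values.

```yaml
# Added example. Every CIDR, name, label and port here is a placeholder.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: app1-namespace
  name: allow-nodeport-from-nodes      # hypothetical name
spec:
  # Scope the exception to the pods behind the NodePort Service
  # instead of every pod in the namespace.
  podSelector:
    matchLabels:
      app: app1                        # assumption: label on the backing pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Node addresses: the source seen after kube-proxy SNAT.
    - ipBlock:
        cidr: 192.0.2.0/24             # placeholder: node subnet
    # With Calico IPIP or VXLAN, traffic forwarded from another node can
    # arrive from that node's tunnel address, which is allocated from the
    # pod IP pool. List those addresses individually; allowing the whole
    # pod CIDR would undo the namespace isolation.
    - ipBlock:
        cidr: 198.51.100.1/32          # placeholder: one node's tunnel address
    ports:
    # NetworkPolicy is evaluated after DNAT, so this is the container
    # port (the Service's targetPort), not the nodePort number.
    - protocol: TCP
      port: 8080                       # placeholder: targetPort
```

Setting `externalTrafficPolicy: Local` on the Service preserves the client source address instead, in which case the `ipBlock` entries would list the permitted client ranges rather than the node addresses.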