Open djsly opened 4 years ago
Any progress here? We have some network policies in all namespaces, and it seems like without defining an allow-all ingress rule Ambassador doesn't work. I'd expect it to be blocked by egress rules, not ingress rules.
Ambassador reaches out to the pods; it's not supposed to be reached out to by others, as I understood, but when we define any ingress policy Ambassador stops working until I define something like this (I didn't yet check if a specific IP would be enough):
```yaml
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-all-ips
spec:
  podSelector: {}
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
```
The same set of NetworkPolicies is enough for regular Ingresses with ingress-nginx to keep working.
+1
+1
@djsly, if this is still of interest to you, you're welcome to attend an Emissary Contributors Meeting where our engineers could give feedback on the feasibility and what's involved.
+1
k8s: 1.26, CNI: Cilium, emissary-ingress: 2.5.1 & 3.7.1
I'm trying to set up a network policy that allows ingress only from inside the cluster (across all namespaces and pods). The emissary-ingress cannot communicate with our service.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: untitled-policy
  namespace: test
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
    - from:
        - namespaceSelector: {}
```
FYI, I tried the same config with a Cilium network policy; it worked as expected.
It would be good to allow the creation of network policies as part of the chart, to cover at a minimum the ingress of the exposed port.
We can work on a PR if this is an accepted feature.
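An added example (not from this thread or the Emissary chart) of a narrower alternative to the allow-from-0.0.0.0/0 workaround in the first comment, and of the kind of policy the chart could ship as suggested in the last one: ingress to the Emissary pods only on their listener ports, plus ingress to the backends only from Emissary pods. The namespace names, pod labels and ports are assumptions; adjust them to your chart values.

```yaml
# Added example: least-privilege alternative to an allow-from-0.0.0.0/0 rule.
# Assumed (not from the issue): Emissary runs in namespace "emissary" with
# pods labelled app.kubernetes.io/name=emissary-ingress and listens on
# 8080/8443; the backend lives in namespace "test".
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: emissary-ingress-listener
  namespace: emissary
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: emissary-ingress
  policyTypes:
    - Ingress
  ingress:
    # Client traffic arrives through the LoadBalancer/NodePort, so its source is
    # outside the cluster; open only the listener ports, nothing else on the pod.
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 8443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-emissary
  namespace: test
spec:
  podSelector: {}          # every pod in "test" that Emissary routes to
  policyTypes:
    - Ingress
  ingress:
    # Only Emissary pods (namespace AND pod label in a single peer entry)
    # may reach the backends; every other namespace stays denied.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: emissary
          podSelector:
            matchLabels:
              app.kubernetes.io/name: emissary-ingress
```

Whether external client traffic reaches the Emissary pod with its original address or a node address depends on the CNI and the Service's `externalTrafficPolicy`, which is why the listener rule uses an `ipBlock` limited by port rather than a pod or namespace selector.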