metal-stack / firewall-controller

A kubernetes controller running on bare-metal firewalls, creating nftables rules, configures suricata, collects network metrics
MIT License

allow a namespace selector for ClusterwideNetworkPolicy #40

Closed ulrichSchreiner closed 3 years ago

ulrichSchreiner commented 4 years ago

At the moment a ClusterwideNetworkPolicy works clusterwide, as the name suggests. It would be great to support something like a namespaceSelector so a policy only matches pods in the given namespace.

In the current environment we try to install multiple GitLabs for multiple customers in one cluster. Every GitLab resides in its own namespace. As the Postgres database is an external service, I have to enable all GitLabs to access all Postgres databases. It would be great to limit the different GitLab namespaces only to the corresponding Postgres database.

The same problem appears in other areas too.

mwindower commented 4 years ago

This should be possible to implement, because:

mwindower commented 4 years ago

Instead of having a namespace-selector we could do this like Cilium and others do - with a more general label selector:

---
apiVersion: metal-stack.io/v1
kind: ClusterwideNetworkPolicy
metadata:
  namespace: firewall
  name: egress-gitlab1-db
spec:
  egress:
  - to:
    - cidr: 192.168.0.0/24
    ports:
    - protocol: TCP
      port: 5432
    matchLabels:
      "k8s:io.kubernetes.pod.namespace": gitlab1

or alternatively:

---
apiVersion: metal-stack.io/v1
kind: ClusterwideNetworkPolicy
metadata:
  namespace: firewall
  name: egress-gitlab1-db
spec:
  egress:
  - to:
    - cidr: 192.168.0.0/24
    ports:
    - protocol: TCP
      port: 5432
    namespaceSelector:
      matchLabels:
        gitlab: "1"

@ulrichSchreiner WDYT?

mwindower commented 3 years ago

It is not possible to implement because PodIPs are hidden from the firewall.