Closed ulrichSchreiner closed 3 years ago
This should be possible to implement, because:
Instead of having a namespace-selector we could do this like Cilium and others do - with a more general label selector:
```yaml
---
apiVersion: metal-stack.io/v1
kind: ClusterwideNetworkPolicy
metadata:
  namespace: firewall
  name: egress-gitlab1-db
spec:
  egress:
  - to:
    - cidr: 192.168.0.0/24
    ports:
    - protocol: TCP
      port: 5432
    matchLabels:
      "k8s:io.kubernetes.pod.namespace": gitlab1
```
or alternatively:
```yaml
---
apiVersion: metal-stack.io/v1
kind: ClusterwideNetworkPolicy
metadata:
  namespace: firewall
  name: egress-gitlab1-db
spec:
  egress:
  - to:
    - cidr: 192.168.0.0/24
    ports:
    - protocol: TCP
      port: 5432
    namespaceSelector:
      matchLabels:
        gitlab: "1"   # label values are strings; an unquoted 1 is rejected by the API server
```
@ulrichSchreiner WDYT?
This is not possible to implement because PodIPs are hidden from the firewall.
At the moment a `ClusterwideNetworkPolicy` works clusterwide, as the name suggests. It would be great to support something like a `namespaceSelector` so a policy only matches pods in the given namespace.

In the current environment we try to install multiple GitLabs for multiple customers in one cluster. Every GitLab resides in its own namespace. As the Postgres database is an external service, I have to enable all GitLabs to access all Postgres databases. It would be great to limit the different GitLab namespaces to only the corresponding Postgres database.

The same problem appears in other areas too.
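The per-namespace restriction asked for in the issue can be expressed today with a standard Kubernetes `NetworkPolicy` placed in each GitLab namespace, which the CNI enforces at the pod level while the `ClusterwideNetworkPolicy` on the firewall keeps the coarse allow for the whole database subnet. This is an added example, not code from the issue or from the metal-stack project; it assumes a CNI that enforces `NetworkPolicy` (including `ipBlock` rules), a namespace named `gitlab1`, and that its database lives at 192.168.0.10 inside the 192.168.0.0/24 subnet already permitted by the firewall.

```yaml
# Added example (not from the issue or metal-stack): scope egress per namespace
# with a standard NetworkPolicy instead of a namespaced ClusterwideNetworkPolicy.
# Assumptions: the CNI enforces NetworkPolicy with ipBlock rules, and the
# firewall's ClusterwideNetworkPolicy already allows 192.168.0.0/24:5432.
# Assumed values: namespace gitlab1, its own database at 192.168.0.10.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-only-own-db
  namespace: gitlab1
spec:
  podSelector: {}            # applies to every pod in the namespace
  policyTypes:
  - Egress                   # ingress is left untouched
  egress:
  # Rule 1: everything except the database subnet stays reachable
  # (cluster DNS, other in-cluster services, the internet via the firewall).
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/24
  # Rule 2: from the database subnet, only this namespace's own server,
  # and only the Postgres port. Other customers' databases in the /24
  # match neither rule and are therefore denied.
  - to:
    - ipBlock:
        cidr: 192.168.0.10/32
    ports:
    - protocol: TCP
      port: 5432
```

Repeat the object per namespace with the corresponding database address (for example 192.168.0.11/32 for `gitlab2`). Because `NetworkPolicy` rules are additive allows, the `except` list is what turns the subnet-wide firewall allow into a per-namespace deny; verify it by running `nc -zv 192.168.0.11 5432` from a pod in `gitlab1`, which should time out, while `nc -zv 192.168.0.10 5432` still connects. Note that some CNIs treat `ipBlock` as matching only cluster-external traffic, so check your CNI's documentation before relying on rule 1 for in-cluster destinations.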