Isolate Apps with Implicit Namespace Labels

Objective

This document provides instructions on how to set implicit namespace labels in vK8s network policies and service policies to control communication between applications deployed in different namespaces. To know more about labels, see Labels. To know more about network policies and service policies, see Network Policy and Service Policy.

An implicit namespace label is a label whose key-value pair has the form name.ves.io/namespace=<user namespace>. All objects in a user namespace implicitly receive this label, and users cannot modify it. Security administrators can use these labels in the vK8s network policy and service policy to control communication between apps in different namespaces.

Using the instructions provided in this document, you can apply the implicit namespace label inside a vK8s network policy and a service policy to restrict communication between namespaces.

Note: The instructions presented in this guide cover only the application of implicit namespace labels to the vK8s network policy and service policy. For detailed instructions on creating a vK8s network policy or a service policy, see vK8s Network Policy and Service Policy respectively.


Prerequisites


Apply Implicit Namespace Labels

You can apply the implicit namespace labels from a vK8s network policy and/or a service policy. The instructions provided in this guide cover both scenarios and assume sample apps are deployed in two different namespaces, ns1 and ns2. The requests from the Product Page service in ns1 towards the Reviews Page in ns2 are blocked using the implicit namespace label of ns1.

The following image is a graphical representation of the configuration presented in this guide:

Figure: Implicit Namespace Label to Control Communication

Note: You can use the implicit label in either the label selector or the label matcher part of the policy configuration. A label matcher matches on the key only, whereas a label selector must match the key-value pair.
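As an added illustration (not the platform's own policy engine or API), the following Python models how the two rule styles evaluate a client's labels. The label key, the sample namespaces ns1 and ns2 and the product page to reviews page flow come from this guide; the function names and the rule dictionary shape are constructed for this example.

```python
"""Toy evaluator for label selector vs label matcher on the implicit namespace
label. Constructed for illustration; not the platform's own code."""

IMPLICIT_NS_KEY = "name.ves.io/namespace"


def object_labels(namespace, user_labels=None):
    """Labels an object in a user namespace carries. The implicit label is
    applied after the user's labels because users cannot modify it."""
    labels = dict(user_labels or {})
    labels[IMPLICIT_NS_KEY] = namespace
    return labels


def label_selector_matches(labels, key, operator, values):
    """Label selector: the key must be present AND its value must be one of
    `values` (the guide configures the In operator)."""
    if operator != "In":
        raise ValueError(f"unsupported operator {operator!r}")
    return key in labels and labels[key] in values


def label_matcher_matches(labels, key):
    """Label matcher: only the key has to be present; the value is ignored."""
    return key in labels


def ingress_decision(client_labels, deny_rule):
    """Return 'deny' when the deny rule's selector or matcher hits the client."""
    if deny_rule["kind"] == "selector":
        hit = label_selector_matches(client_labels, deny_rule["key"], "In", deny_rule["values"])
    else:
        hit = label_matcher_matches(client_labels, deny_rule["key"])
    return "deny" if hit else "allow"


# Deny rule written with a selector pinned to ns1 (the guide's configuration).
DENY_NS1_SELECTOR = {"kind": "selector", "key": IMPLICIT_NS_KEY, "values": ["ns1"]}
# Same intent written with a matcher: key only, so a client from any user namespace hits.
DENY_ANY_NS_MATCHER = {"kind": "matcher", "key": IMPLICIT_NS_KEY}

if __name__ == "__main__":
    clients = {
        "productpage in ns1": object_labels("ns1", {"app": "productpage"}),
        "ratings in ns2": object_labels("ns2", {"app": "ratings"}),
        "client with no implicit label": {},  # constructed: no namespace label at all
    }
    for name, labels in clients.items():
        print(f"{name}: selector={ingress_decision(labels, DENY_NS1_SELECTOR)}, "
              f"matcher={ingress_decision(labels, DENY_ANY_NS_MATCHER)}")
```

Running it shows the caveat from the note: the selector denies only the ns1 client, while the matcher denies every client that carries the implicit namespace label.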


Apply Label in vK8s Network Policy

Step 1: Log into VoltConsole and start creating a vK8s network policy.
  • Click App on the namespace selector and select your application namespace from the namespace drop-down list.
  • Click Security -> vK8s Network Policy in the configuration menu and select Active Network Policies in the options. Click Select network policy and click Add new in the active network policy page.
Step 2: Set metadata and endpoint policy.
  • Enter a name in the Name field in the Metadata section.
  • Select Any Endpoint for the Endpoint(s) field in the Policy for Endpoints section.
Step 3: Configure rules.

Do the following in the Connections To and From Endpoints section:

  • Click Configure for the Ingress Rules field.
  • Click Add item in the ingress rules page.
  • Enter a name in the Name field of the Metadata section.
  • Set a rule with either label selector or label matcher to apply the implicit label.
Label Selector
  • Select Label Selector for Select Other Endpoint field.
  • Configure the following for the Label Selector field:

    • Select from the list or type name.ves.io/namespace as the key and select In as the operator for the selector expression.
    • Start typing your namespace name for the Value and select from the displayed list.
    • Click Apply.

Figure: Apply Implicit Namespace Label for Ingress Rules

Label Matcher

The Label Matcher field requires only the key of the implicit namespace label. Because it matches on the key alone, however, it blocks requests from any client that carries the implicit namespace label, not just clients from ns1.

  • Click Add item under the Label Matcher field.
  • Select name.ves.io/namespace key for the label matcher key field.
  • Click Apply in the ingress rules page.
Step 4: Complete network policy creation.
  • Click Continue in the network policy configuration to create the network policy and return to the network policy selection on the active network policies page. The created network policy is displayed in the list of policy objects.
  • Select the network policy and click Select network policy to apply the network policy to the active policies.

Figure: Active Policy with Implicit Label to Deny Traffic

  • Click Save and Exit to complete creating the active policy.

Apply Label in Service Policy

Step 1: Log into VoltConsole and start creating a service policy.
  • Click App on the namespace selector and select your application namespace from the namespace drop-down list.
  • Click Security -> Service Policy in the configuration menu and select Active Service Policies in the options. Click Select service policy and click Add new in the active service policy page.
Step 2: Set metadata and start configuring policy rules.
  • Enter a name in the Name field in the Metadata section.
  • Go to Select Policy Rules section and select Custom Rule List for the Select Policy Rules field.
  • Click Add item under the Rules field.
Step 3: Configure rules.
  • Enter a name for the rule in the Name field of the rule's Metadata section.
  • Click Configure for the Rule Specification field to open the rule specification page.
  • Set a rule with either label selector or label matcher to apply the implicit label.
Label Selector
  • Select Group of Clients by Label Selector for Client Selection field in the Clients section.
  • Click on the Selector Expression field and configure the following:

    • Select from the list or type name.ves.io/namespace as the key and select In as the operator for the selector expression.
    • Start typing your namespace name for the Value and select from the displayed list.
    • Click Apply.

Figure: Apply Implicit Namespace Label for Service Policy Rule

Label Matcher

The Label Matcher field requires only the key of the implicit namespace label. Because it matches on the key alone, however, it blocks requests from any client that carries the implicit namespace label, not just clients from ns1.

  • Go to Advanced Match section and click Add item under the Label Matcher field.
  • Select name.ves.io/namespace key for the label matcher key field.
  • Click Apply in the rules specification page.
Step 4: Complete service policy creation.
  • Click Continue in the service policy configuration to create the service policy and return to the service policy selection on the active service policies page. The created service policy is displayed in the list of policy objects.
  • Select the service policy and click Select service policy to apply the service policy to the active policies.

Figure: Service Policy with Implicit Label to Deny Traffic

  • Click Save and Exit to complete creating the active service policy.

Verify the Policy Operation

Do the following to verify the policy operation:

  • Verify the policy by sending a request to the app in the namespace in which you set up the policy. In this example, send a request from the product page to the reviews page.
  • Go to vK8s Network Policy -> Network Policies or Service Policy -> Service Policies under the Security section in your application namespace. Check the Hits field for your policy to view how many times the policy has been applied. Click the value in the Hits field for your policy to view the rule hits.

Concepts


API References