Calico Open Source 3.29 (latest) documentation

Use namespace rules in policy

Big picture

Use Calico network policies to reference pods in other namespaces.

Value

Kubernetes namespaces let you group/separate resources to meet a variety of use cases. For example, you can use namespaces to separate development, production, and QA environments, or allow different teams to use the same cluster. You can use namespace selectors in Calico network policies to allow or deny traffic to/from pods in specific namespaces.

How to

Control traffic to/from endpoints in a namespace

In the following example, ingress traffic is allowed to endpoints in the production namespace that carry the label color: red, and only from pods in that same namespace that carry the label color: blue, on TCP port 6379.

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
  namespace: production
spec:
  selector: color == 'red'
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: color == 'blue'
    destination:
      ports:
      - 6379

To allow ingress traffic from endpoints in other namespaces, use a namespaceSelector in the policy rule. A namespaceSelector matches one or more namespaces based on the labels applied to the namespace itself. In the following example, ingress traffic is also allowed from endpoints with color: blue in namespaces labeled shape: circle.

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
  namespace: production
spec:
  selector: color == 'red'
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: color == 'blue'
      namespaceSelector: shape == 'circle'
    destination:
      ports:
      - 6379
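The two rules above differ in which namespaces the source selector is evaluated in: without a namespaceSelector, a namespaced NetworkPolicy only matches sources in its own namespace; with one, the selector is evaluated in every namespace whose labels match, and the policy's own namespace is included only if it matches too. The following added example (not Calico's code; it models a small subset of selector syntax against a constructed set of namespaces) makes that difference concrete:

```python
import re

# Constructed sample cluster state (not from the page): namespace labels keyed by name.
NAMESPACES = {
    "production": {"env": "prod"},      # note: no 'shape' label
    "staging": {"shape": "circle"},
    "sandbox": {"shape": "square"},
}

# The two ingress rules from the page, as plain dicts (policy lives in 'production').
SAME_NS_RULE = {"source": {"selector": "color == 'blue'"}, "ports": [6379]}
CROSS_NS_RULE = {"source": {"selector": "color == 'blue'",
                            "namespaceSelector": "shape == 'circle'"},
                 "ports": [6379]}

# Only single 'key == value' / 'key != value' terms are supported in this model.
_TERM = re.compile(r"^\s*([\w./-]+)\s*(==|!=)\s*['\"]([^'\"]*)['\"]\s*$")


def selector_matches(selector, labels):
    """Evaluate one Calico selector term against a label map."""
    m = _TERM.match(selector)
    if not m:
        raise ValueError(f"unsupported selector: {selector!r}")
    key, op, value = m.groups()
    equal = labels.get(key) == value
    return equal if op == "==" else not equal


def ingress_allowed(policy_ns, rule, src_ns, src_labels, port):
    """True if an Allow ingress rule of a namespaced NetworkPolicy in policy_ns
    matches a connection from a pod (src_ns, src_labels) to the given port."""
    src = rule["source"]
    if "namespaceSelector" in src:
        # Selector is evaluated in every namespace matching the namespaceSelector;
        # the policy's own namespace is only included if its labels match as well.
        if not selector_matches(src["namespaceSelector"], NAMESPACES[src_ns]):
            return False
    elif src_ns != policy_ns:
        # No namespaceSelector: the source selector is limited to the policy's namespace.
        return False
    if not selector_matches(src["selector"], src_labels):
        return False
    return port in rule["ports"]


if __name__ == "__main__":
    blue = {"color": "blue"}
    for name, rule in (("same-namespace", SAME_NS_RULE), ("cross-namespace", CROSS_NS_RULE)):
        for ns in NAMESPACES:
            print(f"{name:16} from {ns:11}: {ingress_allowed('production', rule, ns, blue, 6379)}")
```

Running it shows that the second rule stops matching blue pods in production, because production carries no shape: circle label; keep the first rule, or label production accordingly, if same-namespace traffic must still be allowed.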

Use Kubernetes RBAC to control namespace label assignment

Network policies can be applied to endpoints using selectors that match labels on the endpoint, the endpoint's namespace, or the endpoint's service account. By applying selectors based on the endpoint's namespace, you can use Kubernetes RBAC to control which users can assign labels to namespaces. This allows you to separate groups who can deploy pods from those who can assign labels to namespaces.

In the following example, workloads in the development environment (namespaces labeled environment == "development") can communicate only with pods in namespaces that carry that same label.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: restrict-development-access
spec:
  namespaceSelector: 'environment == "development"'
  ingress:
  - action: Allow
    source:
      namespaceSelector: 'environment == "development"'
  egress:
  - action: Allow
    destination:
      namespaceSelector: 'environment == "development"'

Additional resources