kubernetes kubernetes-pod

Network Policy for "kube-node-lease" in Kubernetes


Newbie here. I have an nginx pod in the namespace isolation, which is accessible only by a namespace with the label env:test, which apparently is the test namespace. Here is my .yaml:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-different-namespace-policy
  namespace: isolation
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          env: test

So what happens if my pod dies? I guess the kube-node-lease namespace won't have access to my pod, so if anything bad happens it won't be restarted. What is considered best practice to grant access? Labeling is an option, but is there something else I can do?


Solution

  • So what happens if my pod dies?

    If it's deployed as kind: Deployment, it will get restarted and start running again if there is no error.

    I guess kube-node-lease namespace won't have access to my pod

    True

    There is no relation between kube-node-lease and pod restarts, but if anything happens to one of the nodes, the pod will get auto-restarted or shifted to another node. It's the best option to run multiple pods of nginx, like 3-4.

    Labeling is a good option for granular-level access; you can also use a pod-level label instead of the namespace label.

    - podSelector:
        matchLabels:
          role: frontend


    IP blocks

    - from:
      - ipBlock:
          cidr: 172.17.0.0/16
          except:
          - 172.17.1.0/24


    Ref doc: https://kubernetes.io/docs/concepts/services-networking/network-policies/
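A complete manifest that combines the selectors from the answer, added here as an example (it is not the answerer's code). It keeps the question's labels and the answer's CIDR, adds a `ports` restriction to TCP 80 as an assumption, and the comments spell out the AND-versus-OR semantics of the `from` list, which the fragments above do not show.

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-different-namespace-policy
  namespace: isolation
spec:
  # The policy applies to the nginx pods in the "isolation" namespace.
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Entry 1: namespaceSelector AND podSelector inside the SAME list item.
    # Only pods labelled role=frontend that run in a namespace labelled
    # env=test are allowed; any other pod in the "test" namespace is not.
    - namespaceSelector:
        matchLabels:
          env: test
      podSelector:
        matchLabels:
          role: frontend
    # Entry 2: a separate list item is ORed with the entry above. With no
    # namespaceSelector it is evaluated in the policy's own namespace, so
    # role=frontend pods inside "isolation" itself are also allowed.
    - podSelector:
        matchLabels:
          role: frontend
    # Entry 3: also ORed. Admits the 172.17.0.0/16 range from the answer,
    # minus the 172.17.1.0/24 subnet (addresses are the answer's examples).
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    # Assumption: nginx only needs to be reachable on TCP 80, so every
    # allowed source is further limited to that port.
    ports:
    - protocol: TCP
      port: 80
```

The API server accepts this object on any cluster, but it is only enforced when the installed network plugin implements NetworkPolicy; on a plugin without support it is silently ignored, so test the rule with a pod in a non-matching namespace after applying it.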