4

I am trying to add a Calico network policy to allow my namespace to talk to the kube-system namespace. But in my k8s cluster kube-system has no labels attached to it, so I am not able to select pods in there. Below is what I tried, but it's not working.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-kube-system
  namespace: advanced-policy-demo
spec:
  podSelector: {}       # select all pods in current namespace.
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels: {}
      podSelector:
        matchLabels:
          tier: control-plane
  egress:
  - to:
    - namespaceSelector:
        matchLabels: {}
      podSelector:
        matchLabels:
          tier: control-plane

$ kubectl describe ns kube-system
Name:         kube-system
Labels:       <none>
Annotations:  <none>
Status:       Active

No resource quota.

No resource limits.

Is there a way by which I can select a namespace by its name only?

Hemant_Negi

2 Answers

4

What prevents you from creating a new label for this namespace? Like this:

kubectl label ns/kube-system calico=enabled

Nepomucen
1

They specifically call that out as a limitation, and @Nepomucen has the correct workaround.

"Targeting of namespaces or services by name (you can, however, target pods or namespaces by their labels, which is often a viable workaround)."

Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/#what-you-can-t-do-with-network-policy-s-at-least-not-yet

runamok
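
The workaround from the answers written out as a policy, as an added example that is not part of either answer. It assumes the `calico=enabled` label from the first answer has been applied to kube-system; the `kubernetes.io/metadata.name` alternative in the comments assumes Kubernetes 1.21 or later, where the control plane sets that label on every namespace.

```yaml
# Prerequisite, from the first answer:
#   kubectl label ns/kube-system calico=enabled
# Confirm the label is present before applying the policy:
#   kubectl get ns kube-system --show-labels
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-kube-system
  namespace: advanced-policy-demo
spec:
  podSelector: {}             # all pods in advanced-policy-demo
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    # The question used "matchLabels: {}", an empty selector that matches
    # every namespace. Naming a label narrows the peer to kube-system.
    - namespaceSelector:
        matchLabels:
          calico: enabled
      # No podSelector here, so every pod in the matched namespace is a peer.
      # Add one back only with labels the kube-system pods actually carry
      # (check with: kubectl get pods -n kube-system --show-labels).
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          calico: enabled
          # Alternative on Kubernetes 1.21+ (assumption about cluster version),
          # used instead of the line above:
          # kubernetes.io/metadata.name: kube-system
```

A custom label such as `calico=enabled` can be set on any namespace by anyone allowed to label namespaces, which brings that namespace into scope of this policy. The `kubernetes.io/metadata.name` label is set by the control plane and is immutable, so it cannot be reused that way.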