How can I isolate pods in namespace using NetworkPolicy without disabling external traffic to Kubernetes pods

Tags: kubernetes



The NetworkPolicy you applied is blocking the traffic from every source.

You can add authorized CIDR blocks in your definition:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
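The same ipBlock mechanism carried one step further, as an added example that is not part of the answer above: allow ingress from any address except the cluster's own pod network, so pods in the namespace stop talking to each other while traffic from outside still arrives. The pod CIDR 10.244.0.0/16 and the namespace name are assumptions; substitute your cluster's values.

```yaml
# Added example, not from the answer above.
# ASSUMPTION: the pod network is 10.244.0.0/16. Replace it with your
# cluster's pod CIDR (your CNI configuration or the
# kube-controller-manager --cluster-cidr setting).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: external-only          # assumed name
  namespace: default           # assumed namespace to isolate
spec:
  podSelector: {}              # empty selector: every pod in the namespace
  policyTypes:
  - Ingress                    # egress is left untouched (DNS keeps working)
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0        # any IPv4 source ...
        except:
        - 10.244.0.0/16        # ... except pod IPs (assumed pod CIDR)
```

Whether `except` is honoured, and whether external connections still carry their original source address after a NodePort or LoadBalancer hop, depends on the CNI and Service configuration, so verify by connecting from another pod and from outside the cluster after applying it.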


You can make sure that you namespace the NetworkPolicy resource and restrict the ingress/egress to just namespace.

# networking.k8s.io/v1 replaces extensions/v1beta1, which was removed in Kubernetes 1.16
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: onlywithinnamespace
  namespace: mynamespace
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: mynamespace
    - podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          role: mynamespace
    - podSelector: {}
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  - Egress

Make sure that your namespace has the right labels to match:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    role: mynamespace
  name: mynamespace


Using a Kubernetes NetworkPolicy I don't believe it's possible to deny communication between pods while allowing all external traffic. This is because the Kubernetes NetworkPolicy resource doesn't have a concept of explicit Deny rules. I would either adjust your approach or consider another network policy that has Deny rules (such as Calico).

Solution:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-other-namespaces
  namespace: prod
spec:
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny
    protocol: TCP
    source:
      namespaceSelector: name == 'dev'
  - action: Allow
  egress:
  - action: Allow