
how to deny egress to all namespaces, and allow ingress from some namespaces in kubernetes using network policies


I am not sure exactly about the internals of calico / network policies, but I was able to solve this as follows:

  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: simon-test

  1. The above ingress rule was not working, because the namespace had no "name=simon-test" label on it. I thought by default all namespaces had a label called "name" that you can reference from here, but it doesn't seem to be the case. To solve this I had to add a label: kubectl label ns simontest name=simon-test.

  2. For the second problem ("I am curious why I can still reach simon-test from another pod in another namespace, though ingress was blocked"): it was because I was trying to reach the "simon-test" ns from a pod in kube-system, which happened to have hostNetwork enabled, hence the IP address that the pod had assigned happened to be the IP address of the k8s node (and not an IP of a pod; apparently network policies can tell apart when an IP is assigned to a pod and to a k8s node?), hence not being filtered by the network policy.
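Putting the two findings above together, here is a complete NetworkPolicy that denies all egress from a namespace and admits ingress only from namespaces carrying the name=simon-test label. This is an added example, not the manifest from the original post; the protected namespace is assumed to be called "target" and the namespace label is the hand-added name=simon-test from the answer.

```yaml
# Added example (not from the original post).
# Assumptions: the protected namespace is "target"; the allowed source
# namespace has been labelled with "kubectl label ns simontest name=simon-test".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-egress-allow-ingress-from-simon-test
  namespace: target
spec:
  # Empty podSelector: the policy applies to every pod in "target".
  podSelector: {}
  # Listing both types makes the policy authoritative for ingress AND egress.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only pods running in a namespace labelled name=simon-test may connect.
    - from:
        - namespaceSelector:
            matchLabels:
              name: simon-test
  # No "egress:" rules while Egress is listed in policyTypes => all egress is denied.
```

Two caveats a practitioner will hit with this policy. First, denying all egress also blocks DNS lookups to kube-dns, so if the pods in "target" need name resolution you must add an egress rule permitting UDP/TCP port 53 to the kube-system namespace. Second, as the answer found, traffic from hostNetwork pods arrives with the node's IP rather than a pod IP, so a namespaceSelector will not match it; on clusters at Kubernetes 1.21 or later every namespace also carries the automatic label kubernetes.io/metadata.name, which can be selected instead of a manually added name label.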