Kubernetes Egress call restrict with namespace
You can define a deny-all egress policy as described in the documentation:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: your-namespace
spec:
  podSelector: {}      # empty selector: applies to every pod in the namespace
  policyTypes:
  - Egress             # Egress type with no egress rules: all egress is denied
```
This policy will be applied to all pods in the namespace because the pod selector is empty and that means (quoting documentation):
An empty podSelector selects all pods in the namespace.
The policy will block all egress traffic because it has `Egress` as policy type but it doesn't have any `egress` section.
If you want to allow in-cluster egress you might want to add an `egress` section in the policy, for example:

```yaml
egress:
- to:
  # namespaceSelector and podSelector in the same list item are ANDed:
  # the destination pod must match both. This assumes the kube-system
  # namespace carries the label networking/namespace=kube-system.
  - namespaceSelector:
      matchLabels:
        networking/namespace: kube-system
    podSelector:
      matchLabels:
        k8s-app: kube-dns
  ports:
  - protocol: TCP
    port: 53
  - protocol: UDP
    port: 53
```
This allows all traffic from the namespace where you create the network policy to pods labeled with `k8s-app: kube-dns` in namespace `kube-system` on port 53 (TCP and UDP).
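To check the semantics the answer relies on (empty `podSelector` selects every pod, an `Egress` policy with no `egress` rules denies everything, `namespaceSelector` and `podSelector` in one `to` item must both match), here is an added offline evaluator that is not part of the original answer. It assumes the `kube-system` namespace carries the label `networking/namespace=kube-system`, that `policyTypes` is always explicit, and it does not model `ipBlock` peers.

```python
# Added example, not from the original answer: a tiny offline evaluator of
# the egress semantics discussed above. Simplifications: policyTypes is
# always explicit, ipBlock peers are not modelled, and the kube-system
# namespace is assumed (constructed below) to carry the label
# networking/namespace=kube-system, as the answer's namespaceSelector needs.

DENY_ALL_EGRESS = {
    "metadata": {"name": "default-deny-egress", "namespace": "your-namespace"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}

ALLOW_DNS_EGRESS = {
    "metadata": {"name": "allow-dns-egress", "namespace": "your-namespace"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{
        "to": [{"namespaceSelector": {"matchLabels": {"networking/namespace": "kube-system"}},
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
        "ports": [{"protocol": "TCP", "port": 53}, {"protocol": "UDP", "port": 53}],
    }]},
}

def selector_matches(selector, labels):
    # {} selects everything; otherwise every matchLabels entry must be present.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, dst):
    # Both selectors in the same `to` entry must match (logical AND).
    ns_ok = "namespaceSelector" not in peer or selector_matches(peer["namespaceSelector"], dst["ns_labels"])
    pod_ok = "podSelector" not in peer or selector_matches(peer["podSelector"], dst["labels"])
    return ns_ok and pod_ok

def port_matches(ports, proto, port):
    # An absent/empty ports list means any port; protocol defaults to TCP.
    return not ports or any(p.get("protocol", "TCP") == proto and p["port"] == port for p in ports)

def egress_allowed(policies, src, dst, proto, port):
    """True if a connection from pod `src` to pod `dst` on proto/port is permitted."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == src["namespace"]
                 and "Egress" in p["spec"].get("policyTypes", [])
                 and selector_matches(p["spec"]["podSelector"], src["labels"])]
    if not selecting:
        return True  # no egress policy selects this pod: unrestricted
    # Policies are additive: one matching rule in any selecting policy is enough.
    return any((not r.get("to") or any(peer_matches(pe, dst) for pe in r["to"]))
               and port_matches(r.get("ports"), proto, port)
               for p in selecting for r in p["spec"].get("egress", []))
```

With only the deny-all policy in place, every egress check returns False; adding the DNS rule permits port 53 to `kube-dns` and nothing else.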