Namespace network isolation with Calico #175

Open
danielhartnell opened this issue Mar 8, 2019 · 2 comments
Comments

@danielhartnell
Contributor

danielhartnell commented Mar 8, 2019

Hey @the-smooth-operator and @ziegeer,

```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-most
  namespace: prod
spec:
  # Applies to every workload in "prod" except pods labelled role=proxy
  selector: role != 'proxy'
  types:
  - Ingress
  - Egress
  ingress:
  # Accept traffic from workloads in namespaces labelled name=prod
  - action: Allow
    source:
      namespaceSelector: name == 'prod'
  # Reject traffic from every other namespace
  - action: Deny
    source:
      namespaceSelector: name != 'prod'
  egress:
  # Outbound traffic is unrestricted
  - action: Allow
```

This policy should provide namespace network isolation. Sorry that got lost in the transition. Maybe it'll save you a little time. The policy can only be applied with calicoctl I believe. In order to do that, I had to run calicoctl as a pod in the cluster itself which is documented here:

https://docs.projectcalico.org/v3.5/usage/calicoctl/install#installing-calicoctl-as-a-kubernetes-pod

I think that the current cluster has Calico available in policy only mode but I'm not sure I fully understood the state of Calico in the cluster.

Cheers!
Daniel

Update: I forgot. You'll want to read the docs on Calico policies. You can do some pretty neat stuff including using the namespaceSelector and selector for this. I can't remember exactly what I was doing here but you'll just need to make sure that the namespace and pod labels match whatever you have in the policy here. May take a bit of experimenting but it shouldn't be too bad to get it all working.

@the-smooth-operator
Contributor

@danielhartnell thanks so much for submitting this! We'll start playing using that code.

@the-smooth-operator
Contributor

I'm starting to work on this.
After having a glance at the Calico documentation, I think we can use the Kubernetes Networking API instead of the Calico one. The advantage of this is that we don't need to submit it using the calicoctl tool but just with kubectl, so it will be easier to integrate it in a CI pipeline and to debug and fix in case of fire. The disadvantage is that we can't express as much as with the Calico API, but for our "simple" use case it should be enough.
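For reference, the same isolation expressed with the Kubernetes networking API, as an added example that is not code from this issue or from the project. It also includes a Namespace manifest carrying the `name: prod` label, which is what the Calico policy's `namespaceSelector: name == 'prod'` in the first comment matches on and which Kubernetes does not add by itself. The namespace name `prod` and the `role: proxy` label are taken from the Calico policy above; everything else is an assumption.

```yaml
# Added example, not from the original issue. Assumes a namespace named "prod"
# and proxy pods labelled role=proxy, as in the Calico policy above.
---
# The Calico rule `namespaceSelector: name == 'prod'` only matches if the
# namespace object itself carries a name=prod label, so set it explicitly.
apiVersion: v1
kind: Namespace
metadata:
  name: prod
  labels:
    name: prod
---
# Kubernetes-native equivalent of "deny-most". NetworkPolicy is allow-list
# only: once a pod is selected by a policy with a given policyType, traffic of
# that type not matched by an allow rule is dropped, so the explicit Deny rule
# from the Calico policy is implied rather than written.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-most
  namespace: prod
spec:
  # Same scope as `selector: role != 'proxy'`: NotIn also matches pods that
  # have no role label at all.
  podSelector:
    matchExpressions:
    - key: role
      operator: NotIn
      values: ["proxy"]
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # An empty podSelector with no namespaceSelector means "all pods in this
  # policy's own namespace", i.e. prod-to-prod traffic stays allowed.
  - from:
    - podSelector: {}
  egress:
  # An empty rule allows all outbound traffic, matching `action: Allow`.
  - {}
```

Apply it with `kubectl apply -f` and confirm the selector and rules with `kubectl describe networkpolicy deny-most -n prod`. Two things worth checking before relying on it: enforcement needs a CNI that implements NetworkPolicy (Calico in policy-only mode does, so the policy object being accepted by the API server is not proof it is enforced; test from a pod in another namespace and expect the connection to time out while a prod-to-prod connection still succeeds), and because the rule allows ingress only from `prod`, anything that must reach these pods from another namespace, such as an ingress controller or monitoring, needs its own `from` entry with a `namespaceSelector`, exactly as it would under the Calico version.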
