Advanced NetworkPolicy rules let you:
- Select peers by namespace (namespaceSelector)
- Select peers by IP range (ipBlock)
Essential for multi-team clusters, hybrid cloud, or compliance (e.g., "only the finance namespace can access the payroll DB").
Like a corporate network with VLANs:
- Finance VLAN can talk to Payroll Server
- Dev VLAN can talk to CI/CD and package repos (10.0.0.0/8)
- No cross-talk between teams
Example: allow ingress from the frontend Namespace
Assume:
- backend Pods in the prod namespace (app: backend)
- frontend Pods in the frontend namespace (app: frontend)
- both namespaces labeled team: web
Step 1: Label Namespaces
kubectl label ns frontend team=web
kubectl label ns prod team=web
Step 2: Create NetworkPolicy in prod
# allow-frontend-ns-to-backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-ns
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: backend            # the policy applies to backend Pods in prod
  policyTypes:
  - Ingress                   # once listed, any ingress not matched below is denied
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: web           # Only namespaces with this label
      podSelector:
        matchLabels:
          app: frontend       # AND Pods with this label (both selectors in one "from" entry = AND)
    ports:
    - port: 80
Result: Only Pods in namespaces labeled team=web AND with app=frontend can reach backend Pods, and only on port 80.
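The ipBlock side of the VLAN analogy above (the Dev team reaching package repos on 10.0.0.0/8) written as an egress policy; this is an added example, not part of the original page. It assumes a namespace named dev, a carved-out 10.0.100.0/24 as a placeholder for a sensitive subnet, and the usual kube-system / k8s-app=kube-dns labels for cluster DNS.

```yaml
# allow-dev-egress-to-repos.yaml (added example; names below are assumptions)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dev-egress-to-repos
  namespace: dev              # assumed namespace for the "Dev VLAN"
spec:
  podSelector: {}             # every Pod in the dev namespace
  policyTypes:
  - Egress                    # once listed, all egress not matched below is denied
  egress:
  # Rule 1: CI/CD and package repos on the corporate range.
  - to:
    - ipBlock:
        cidr: 10.0.0.0/8
        except:
        - 10.0.100.0/24       # placeholder: keep a sensitive subnet (e.g. payroll DB) unreachable
    ports:
    - protocol: TCP
      port: 443
  # Rule 2: cluster DNS. Without this, name resolution breaks as soon as
  # egress is restricted. Labels are the common defaults; verify on your cluster.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Note that ipBlock is meant for addresses outside the cluster; Pod-to-Pod traffic should be selected with podSelector/namespaceSelector, since Pod IPs can be rewritten on the way out.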