Isolate Apps with Implicit Namespace Labels
Objective
This document provides instructions on how to set implicit namespace labels in vK8s network policies and service policies to control communication between applications deployed in different namespaces. To learn more about labels, see Labels. To learn more about network policies and service policies, see Network Policy and Service Policy.
An implicit namespace label is a label with a key-value pair in the format name.ves.io/namespace=<user namespace>. All objects in a user namespace implicitly get this label, and users cannot modify it. Security administrators can use these labels in the vK8s network policy and service policy to set controls for communication between applications in different namespaces.
Using the instructions provided in this document, you can apply the implicit namespace label inside a vK8s network policy and a service policy to restrict communication between namespaces.
Note: The instructions presented in this guide cover only the application of implicit namespace labels to the vK8s network policy and service policy. For detailed instructions on creating a vK8s network policy or a service policy, see vK8s Network Policy and Service Policy, respectively.
Prerequisites
- An F5® Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- One or more cloud or edge locations with a Distributed Cloud Services Site. Install the node or cluster image in your site.
- Apps deployed in two or more namespaces. See vK8s Deployment.
Apply Implicit Namespace Labels
You can apply the implicit namespace labels from a vK8s network policy and/or a service policy. The instructions provided in this guide cover both scenarios and assume sample applications are deployed in two different namespaces.
The following image is a graphical representation of the configuration presented in this guide:
Figure: Implicit Namespace Label to Control Communication
Note: You can use the implicit label in either the label selector or the label matcher portion of the policy configuration. A label matcher requires only a match on the key, whereas a label selector requires a match on the key-value pair.
Apply Label in vK8s Network Policy
Step 1: Start creating the vK8s network policy.
- Log into F5® Distributed Cloud Console (Console).
- Click Distributed Apps.
Figure: Console Homepage
- Select your application namespace from the namespace drop-down menu.
- Click Manage > vK8s Network Policies > Active Network Policies.
Figure: Active Network Policies
- Click Select Active Network Policies.
- Click Select Network Policy.
- Click Add new.
Step 2: Set metadata and endpoint policy.
- Enter a name in the Name field.
- From the Endpoint(s) menu, select Any Endpoint.
Step 3: Configure ingress rules.
Perform the following in the Connections To and From Endpoints section:
- In the Ingress Rules field, click Configure.
- Click Add Item.
- Enter a name in the Name field under the Metadata section.
- In the Label Matcher section, click Add item.
- From the Enter keys menu, select name.ves.io/namespace to apply the implicit label.
- Click Add Item.
- Click Apply.
Step 4: Complete network policy creation.
- Click Continue to return to the network policy selection on the active network policies page. The created network policy is displayed in the list of policy objects.
- Select the network policy and click Select Network Policy to add it to the active policies.
- Click Save and Exit to complete creating the active policy.
Apply Label in Service Policy
Step 1: Start creating the service policy.
- In Console, click Distributed Apps.
- Select your application namespace from the namespace drop-down menu.
- Click Manage > Service Policies > Service Policies.
- Click Add service policy.
Step 2: Set metadata and start configuring policy rules.
- Enter a name in the Name field.
- Optionally, add a description and select labels.
- In the Rules section, perform the following:
  - From the Select Policy Rules menu, select Custom Rule List.
  - Click Configure.
  Figure: Configure Service Policy Rules
  - Click Add Item.
Step 3: Configure rules.
You can configure the rules using either the label selector option or the label matcher option.
- Enter a name for the rule in the Name field.
- In the Rule Specification field, click Configure.
Label Selector option
- From the Client Selection menu in the Clients section, select Group of Clients by Label Selector.
- Click the Selector Expression menu and configure the following:
  - Select from the list or type name.ves.io/namespace as the key, and select In as the operator for the selector expression.
  - Start typing your namespace name for the Value and select it from the displayed list.
  - Click Apply.
Figure: Namespace Label for Service Policy Rule
Label Matcher option
The label matcher field requires only the key of the implicit namespace label. However, because it matches on the key alone, this rule will block requests from any client that carries the implicit namespace label, regardless of which namespace the client is in.
- Go to the Advanced Match section and click Add item under the Label Matcher field.
- Select name.ves.io/namespace from the list.
- Click Apply.
- Click Add Item.
- Click Apply.
- Click Save and Exit to complete creating the service policy.
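As an added illustration (not part of the F5 documentation or product code), the following Python model contrasts the two ways of using the implicit label described above: a label matcher that checks only for the key, which hits clients in every namespace, and a label selector with the In operator, which hits only the named namespace. The rule structure, client names and namespaces are constructed for the example.

```python
from dataclasses import dataclass

# Key of the implicit label that every object in a user namespace carries.
IMPLICIT_NS_KEY = "name.ves.io/namespace"


@dataclass
class Rule:
    """Toy policy rule (constructed): matcher keys and/or selector expressions."""
    name: str
    matcher_keys: frozenset = frozenset()   # label matcher: key must be present
    selector: tuple = ()                    # label selector: (key, operator, values)


def labels_for(namespace, extra=None):
    """Labels of an object deployed in `namespace`; the implicit label is always set."""
    return {IMPLICIT_NS_KEY: namespace, **(extra or {})}


def rule_matches(rule, labels):
    """Matcher: every key must exist. Selector: every expression must hold."""
    if not rule.matcher_keys.issubset(labels):
        return False
    for key, op, values in rule.selector:
        value = labels.get(key)          # None when the key is absent
        if op == "In" and value not in values:
            return False
        if op == "NotIn" and value in values:
            return False
    return True


def evaluate(rules, clients):
    """Map each rule name to the names of the clients it would act on."""
    return {r.name: [c for c, lbls in clients.items() if rule_matches(r, lbls)]
            for r in rules}


# Constructed sample clients: two user namespaces plus a client with no labels.
CLIENTS = {
    "frontend@payments": labels_for("payments", {"app": "frontend"}),
    "worker@inventory": labels_for("inventory", {"app": "worker"}),
    "unlabeled-client": {},
}

RULES = [
    # Key only: hits every client carrying the implicit label, whatever its namespace.
    Rule("matcher-only", matcher_keys=frozenset({IMPLICIT_NS_KEY})),
    # Key-value: hits only clients whose namespace value is "payments".
    Rule("selector-payments", selector=((IMPLICIT_NS_KEY, "In", frozenset({"payments"})),)),
]

if __name__ == "__main__":
    for name, hits in evaluate(RULES, CLIENTS).items():
        print(f"{name}: {hits}")
```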
Step 4: Complete service policy creation and activation.
- Click Manage > Service Policies > Active Service Policies.
- Click Select Active Service Policies.
- Click Select Service Policy.
- Select the service policy and then click Select Service Policy.
Figure: Select Active Service Policy
- Click Save and Exit.
Verify the Policy Operation
Perform the following to verify the policy operation:
- Send a request to your application in the namespace from which you set up the service policy.
- Under Distributed Apps, click Manage > vK8s Network Policies > Network Policies. Or, under Web App & API Protection, click Manage > Service Policies > Service Policies.
- Check the Hits field for your policy to view how many times the policy was applied.
- Click the value in the Hits field to view the rule hits.