Isolate Apps with Implicit Namespace Labels

Objective

This document provides instructions on how to set implicit namespace labels in vK8s network policies and service policies to control communication between applications deployed in different namespaces. To learn more about labels, see Labels. To learn more about network policies and service policies, see Network Policy and Service Policy.

An implicit namespace label is a label with key-value pair in the name.ves.io/namespace=<user namespace> format. All objects in a user namespace implicitly get this label, and users cannot modify these labels. Security administrators can use these labels in the vK8s network policy and service policy to set controls for communication between applications in different namespaces.

Using the instructions provided in this document, you can apply implicit namespace label inside vK8s network policy and service policy to restrict communication between namespaces.

Note: The instructions presented in this guide only cover applying of implicit namespace labels to the vK8s network policy and service policy. For detailed instruction on creating a vK8s network policy, see vK8s Network Policy and Service Policy, respectively.

Prerequisites

An F5® Distributed Cloud Services Account. If you do not have an account, see Create an Account.
One or more cloud or edge locations with a Distributed Cloud Services Site. Install the node or cluster image in your site.
Apps deployed in two or more namespaces. See vK8s Deployment.

Apply Implicit Namespace Labels

You can apply the implicit namespace labels from a vK8s network policy and/or a service policy. The instructions provided in this guide cover both scenarios and assume sample applications are deployed in two different namespaces.

The following image is a graphical representation of the configuration presented in this guide:

Figure: Implicit Namespace Label to Control Communication

Note: You can use the implicit label in either the label selector or label matcher portions of policy configuration. Label matcher only requires key matching and label selector requires a match with the key-value pair.

Apply Label in vK8s Network Policy

Step 1: Start creating vK8s network policy.

Log into F5® Distributed Cloud Console (Console).
Click Distributed Apps.

Figure: Console Homepage

Select your application namespace from the namespace drop-down menu.
Click Manage > vK8s Network Policies > Active Network Policies.

Figure: Active Network Policies

Click Select Active Network Policies.
Click Select Network Policy.
Click Add new.

Step 2: Set metadata and endpoint policy.

Enter a name in the Name field.
From the Endpoint(s) menu, select Any Endpoint.

Step 3: Configure ingress rules.

Perform the following in the Connections To and From Endpoints section:

In the Ingress Rules field, click Configure.
Click Add Item.
Enter a name in the Name field under the Metadata section.
In the Label Matcher section, click Add item.
From the Enter keys menu, select name.ves.io/namespace to apply the implicit label.
Click Add Item.
Click Apply.

Step 4: Complete network policy creation.

Click Continue to return to the network policy selection of active network policies page. The created network policy gets displayed in the list of policy objects.
Select the network policy and click Select Network Policy to apply the network policy to the active policies.
Click Save and Exit to complete creating active policy.

Apply Label in Service Policy

Step 1: Start creating service policy.

In Console, click Distributed Apps.
Select your application namespace from the namespace drop-down menu.
Click Manage > Service Policies > Service Policies.
Click Add service policy.

Step 2: Set metadata and start configuring policy rules.

Enter a name in the Name field.
Optionally, add a description and select labels.
In the Rules section, perform the following:
- From the Select Policy Rules menu, select Custom Rule List.
- Click Configure.

Figure: Configure Service Policy Rules

Click Add Item.

Step 3: Configure rules.

You can configure the rules using either the label selector option or the label matcher option.

Enter a name for the rule in the Name field.
In the Rule Specification field, click Configure.

Label Selector option

From the Client Selection menu in the Clients section, select Group of Clients by Label Selector.
Click on the Selector Expression menu and configure the following:
- Select from the list or type name.ves.io/namespace as the key and select In as the operator for selector expression.
- Start typing your namespace name for the Value and select from the displayed list.
- Click Apply.

Figure: Namespace Label for Service Policy Rule

Label Matcher option

The label matcher field requires only the key of the implicit namespace label. However, this will block requests from any client with the implicit namespace label.

Go to Advanced Match section and click Add item under the Label Matcher field.
Select name.ves.io/namespace from the list.
Click Apply.
Click Add Item.
Click Apply.
Click Save and Exit to complete creating active service policy.

Step 4: Complete service policy creation and activation.

Click Manage > Service Policies > Active Service Policies.
Click Select Active Service Policies.
Click Select Service Policy.
Select the service policy and then click Select Service Policy.

Figure: Select Active Service Policy

Click Save and Exit.

Verify the Policy Operation

Perform the following to verify the policy operation:

Send a request to your application in the namespace from which you set up the service policy.
Under Distributed Apps, click Manage > vK8s Network Policies > Network Policies. Or click Manage > Service Policies > Service Policies from under Web App & API Protection.
Check the Hits field for your policy to view how many times the policy was applied.
Click on the value in the Hits field to view the rule hits.