Networking Policies

By default, Landlord configures networking policies such that tenants cannot communicate directly with each other. This means that any cross-tenant traffic must come through the external load balancer. For more information, see Achieving Multi-tenancy.

In the event that two tenants need to talk to each other directly, two additional NetworkPolicies are required. For traffic from tenant A to tenant B, you need one policy in A that allows egress from A to B, and a second policy in B that allows ingress into B from A. Both are needed because each tenant's default policies deny the traffic on its own side.

Policy Examples

For fine-grained access to a set of tenant pods, combine a namespaceSelector with a podSelector in the same peer entry. For rough-grained access to an entire tenant namespace, use the namespaceSelector only. The policy can be refined further by specifying the ports.

Prefer fine-grained access policies.

The Ingress Policy

This network policy is for B to allow ingress from A.

Place this policy in tenant repo B.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-network-policy
  namespace: B-tenant-namespace
spec:
  # The pods in B this policy applies to. Omitting this field, or using
  # podSelector: {}, applies the rule to every pod in the namespace.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: B-tenant-name
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in the same entry select only the
    # matching pods in namespace A (fine-grained).
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: A-tenant-namespace
      podSelector:
        matchLabels:
          app.kubernetes.io/name: A-tenant-name
    ports:
    # Ingress ports are the ports on the selected B pods, so this is the
    # port B listens on, the same value used in A's egress policy.
    - protocol: TCP
      port: B-port

The Egress Policy

This network policy is for A to allow egress to B.

Place this policy in tenant repo A.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-network-policy
  namespace: A-tenant-namespace
spec:
  # The pods in A this policy applies to. Omitting this field, or using
  # podSelector: {}, applies the rule to every pod in the namespace.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: A-tenant-name
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: B-tenant-namespace
      podSelector:
        matchLabels:
          app.kubernetes.io/name: B-tenant-name
    ports:
    # Egress ports are the destination ports, i.e. the port B listens on.
    - protocol: TCP
      port: B-port
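Because the two halves of an A -> B pair live in different tenant repos, it is easy for them to drift apart (different ports, a typo in a namespace name, or a selector that is wider than intended). The following is an added example, not Landlord's own tooling, that lints such a pair for exactly those mistakes; the manifests are built as constructed dicts with placeholder names, and in practice you would load the two files with yaml.safe_load.

```python
# Added example, not Landlord's own code: lint an A -> B NetworkPolicy pair for
# the mistakes this page warns about. Manifests are constructed dicts here.
NS_LABEL = "kubernetes.io/metadata.name"
APP_LABEL = "app.kubernetes.io/name"

def policy(name, namespace, direction, peer_ns, peer_app, port, own_app=None):
    # Build a single-rule NetworkPolicy dict in the shape used on this page.
    peer = {"namespaceSelector": {"matchLabels": {NS_LABEL: peer_ns}}}
    if peer_app:  # omit for the rough-grained whole-namespace form
        peer["podSelector"] = {"matchLabels": {APP_LABEL: peer_app}}
    rule = {("to" if direction == "Egress" else "from"): [peer],
            "ports": [{"protocol": "TCP", "port": port}]}
    spec = {"policyTypes": [direction], direction.lower(): [rule]}
    if own_app:  # pods the policy applies to; omit to reproduce an unscoped spec
        spec["podSelector"] = {"matchLabels": {APP_LABEL: own_app}}
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}

def peers(pol):
    # Yield (peer namespace, peer pod labels or None, {(proto, port)}) per peer.
    direction = pol["spec"]["policyTypes"][0]
    peer_key = "to" if direction == "Egress" else "from"
    for rule in pol["spec"].get(direction.lower(), []):
        ports = {(p.get("protocol", "TCP"), p["port"]) for p in rule.get("ports", [])}
        for peer in rule.get(peer_key, []):
            ns = peer.get("namespaceSelector", {}).get("matchLabels", {}).get(NS_LABEL)
            yield ns, peer.get("podSelector", {}).get("matchLabels"), ports

def check_pair(egress, ingress):
    """Return findings for an A (egress) -> B (ingress) pair; [] means consistent."""
    findings, ns_a, ns_b = [], egress["metadata"]["namespace"], ingress["metadata"]["namespace"]
    for pol in (egress, ingress):
        if "podSelector" not in pol["spec"]:
            findings.append(f"{pol['metadata']['name']}: no spec.podSelector, applies to all pods in {pol['metadata']['namespace']}")
    e_peers, i_peers = list(peers(egress)), list(peers(ingress))
    if not any(ns == ns_b for ns, _, _ in e_peers):
        findings.append(f"egress in {ns_a} does not target {ns_b}")
    if not any(ns == ns_a for ns, _, _ in i_peers):
        findings.append(f"ingress in {ns_b} does not admit {ns_a}")
    for ns, pods, _ in e_peers + i_peers:
        if ns and pods is None:
            findings.append(f"rough-grained: all pods in {ns} selected, add a podSelector")
    e_ports = set().union(*(p for _, _, p in e_peers))
    i_ports = set().union(*(p for _, _, p in i_peers))
    if e_ports != i_ports:  # both sides name the destination (B) port
        findings.append(f"port mismatch: egress {sorted(e_ports)} vs ingress {sorted(i_ports)}")
    return findings

# Constructed A -> B pair with placeholder names, both scoped and on the same port.
EGRESS_A = policy("egress-network-policy", "a-tenant-namespace", "Egress",
                  "b-tenant-namespace", "b-tenant-name", 8080, own_app="a-tenant-name")
INGRESS_B = policy("ingress-network-policy", "b-tenant-namespace", "Ingress",
                   "a-tenant-namespace", "a-tenant-name", 8080, own_app="b-tenant-name")
```

Running check_pair on the two manifests from both tenant repos in CI catches a drifted port or namespace before the policies are applied and the connection silently fails.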