Trying to find some guide on what network policies one should set to make sure meshed pods can talk to each other when we have network policies in our namespace.
A more reliable label to look for would be the linkerd.io/control-plane-ns label, since this should be present on all meshed pods, no matter what kind of workload they belong to.
If I’m understanding your question correctly, the answer will depend on your application and environment. Linkerd proxies run as sidecar containers and they only communicate with each other when those pods communicate with each other. Therefore, you shouldn’t need to add any additional network policies specifically to facilitate Linkerd.
The exception to this is that all Linkerd proxies need to talk to the Linkerd control plane, which runs in the linkerd namespace.
Thanks, so ideally I should only need one network policy, for egress:

```yaml
---
# This allows any Pod w/ Linkerd Proxy to communicate with pods in the Linkerd namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-linkerd-proxy-egress
spec:
  # Select every meshed pod in this namespace via the label the proxy injector
  # adds to all injected pods, regardless of workload kind.
  podSelector:
    matchLabels:
      linkerd.io/control-plane-ns: linkerd
  # Explicit; Kubernetes would infer Egress anyway because egress rules are present.
  # Note: once a pod is selected by an egress policy, any egress not listed here
  # (for example DNS to kube-dns) is denied unless another policy allows it.
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: linkerd
```
I don't need any ingress network policies to accept incoming traffic from pods in the Linkerd namespace?
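To check the point made earlier in the thread (select meshed pods by linkerd.io/control-plane-ns rather than a per-workload-kind label), here is an added example, not from the thread or the Linkerd project, that evaluates a NetworkPolicy podSelector against constructed pod labels and reports which meshed pods a selector would miss. The per-kind label names on the sample pods (linkerd.io/proxy-deployment, linkerd.io/proxy-job) are an assumption about what the injector sets.

```python
MESHED_LABEL = "linkerd.io/control-plane-ns"

# Constructed sample pods in one namespace: two meshed (different workload
# kinds), one never injected. Per-kind label names are an assumption.
PODS = [
    {"name": "web-7d9f", "labels": {"app": "web", MESHED_LABEL: "linkerd",
                                    "linkerd.io/proxy-deployment": "web"}},
    {"name": "backup-28", "labels": {"app": "backup", MESHED_LABEL: "linkerd",
                                     "linkerd.io/proxy-job": "backup-28"}},
    {"name": "legacy-1", "labels": {"app": "legacy"}},
]

# The selector used by the thread's policy, and a narrower one that keys on
# a workload-kind label (the pattern the thread advises against).
SELECTOR_CONTROL_PLANE_NS = {"matchLabels": {MESHED_LABEL: "linkerd"}}
SELECTOR_DEPLOYMENT_ONLY = {"matchExpressions": [
    {"key": "linkerd.io/proxy-deployment", "operator": "Exists"}]}


def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector: matchLabels AND matchExpressions."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if (op == "In" and labels.get(key) not in values) or \
           (op == "NotIn" and labels.get(key) in values) or \
           (op == "Exists" and not present) or \
           (op == "DoesNotExist" and present):
            return False
    return True


def coverage(selector, pods):
    """Return (pods the selector picks, meshed pods it misses), sorted by name."""
    selected = sorted(p["name"] for p in pods
                      if selector_matches(selector, p["labels"]))
    missed = sorted(p["name"] for p in pods
                    if MESHED_LABEL in p["labels"] and p["name"] not in selected)
    return selected, missed


if __name__ == "__main__":
    for name, sel in [("control-plane-ns", SELECTOR_CONTROL_PLANE_NS),
                      ("proxy-deployment", SELECTOR_DEPLOYMENT_ONLY)]:
        print(name, coverage(sel, PODS))
```

Run against a real cluster by replacing PODS with the labels from `kubectl get pods -o json`; a non-empty "missed" list means some meshed pods would not get the egress allowance to the linkerd namespace.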