Recommended Network Policies for Linkerd

Trying to find some guide on what network policies one should set to make sure meshed pods can talk to each other when we have network policies in our namespace

Our network policies are set up similar to this article: "Linkerd 2.x With Network Policy" by Ivan Sim on Medium.

We have policies such as this:

---
# apiVersion, kind and metadata added so the posted spec is a complete manifest;
# the name is a placeholder.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-meshed-egress   # placeholder name
spec:
  # Selects pods that carry the proxy-deployment label (only Deployment-backed pods get it)
  podSelector:
    matchExpressions:
      - key: linkerd.io/proxy-deployment
        operator: Exists
  policyTypes:
  - Egress
  egress:
  - to:
    # Empty namespaceSelector = pods in any namespace that carry the same label
    - namespaceSelector: {}
      podSelector:
        matchExpressions:
        - key: linkerd.io/proxy-deployment
          operator: Exists

That allows communication from Linkerd pods to other pods with Linkerd.

We do notice that some pods that do not use Deployments like Argo Rollouts have this label instead: linkerd.io/proxy-replicaset

Is there a recommended way to allow linkerd communication in a namespace that has locked down network policies?

Hi @kzap!

A more reliable label to look for would be the linkerd.io/control-plane-ns label since this should be present on all meshed pods, no matter what the kind of workload they belong to.

Thanks, I did use that for now. Wondering more about if there’s a guide or article about which traffic we need to allow?

If I’m understanding your question correctly, the answer will depend on your application and environment. Linkerd proxies run as sidecar containers and they only communicate between each other when those pods communicate between each other. Therefore, you shouldn’t need to add any additional network policies specifically to facilitate Linkerd.

The exception to this is that all Linkerd proxies need to talk to the Linkerd control plane, which runs in the linkerd namespace.

Thanks, so ideally I should need 1 network policy only for egress

---
# This allows any Pod w/ Linkerd Proxy to communicate with pods in the Linkerd namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-linkerd-proxy-egress
spec:
  podSelector:
    matchLabels:
      linkerd.io/control-plane-ns: linkerd
  # policyTypes must be stated explicitly: when it is omitted, Kubernetes assumes the
  # policy also governs Ingress, and with no ingress rules the selected pods would
  # deny all inbound traffic.
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: linkerd

I don't need any ingress network policies to accept incoming traffic from pods in the Linkerd namespace?

Not as far as I’m aware.
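The three points raised in this thread (select meshed pods by linkerd.io/control-plane-ns rather than a workload-kind label, allow egress to the control-plane namespace, and be explicit about policyTypes) can be checked mechanically before a policy is applied. The following is an added example, not code from Linkerd or from anyone in the thread: a small linter that applies the Kubernetes defaulting rule for spec.policyTypes (a policy with no policyTypes is treated as governing Ingress, plus Egress if it has egress rules) to NetworkPolicy objects represented as Python dicts. The sample policies are constructed here to mirror the two manifests posted above; the name "linkerd" for the control-plane namespace is the thread's own value and is passed in as a parameter.

```python
"""Lint a Kubernetes NetworkPolicy for the Linkerd-specific pitfalls discussed in the thread."""
import copy

# Constructed sample: the proxy-egress policy posted in the thread, as a dict so this
# runs without a YAML library. Note it has no policyTypes field.
POSTED_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-linkerd-proxy-egress"},
    "spec": {
        "podSelector": {"matchLabels": {"linkerd.io/control-plane-ns": "linkerd"}},
        "egress": [{"to": [{"namespaceSelector": {
            "matchLabels": {"kubernetes.io/metadata.name": "linkerd"}}}]}],
    },
}

# Same policy with policyTypes stated explicitly (the corrected form).
FIXED_POLICY = copy.deepcopy(POSTED_POLICY)
FIXED_POLICY["spec"]["policyTypes"] = ["Egress"]

# Constructed sample mirroring the first snippet in the thread: keyed on the
# Deployment-only label, egress to like-labelled pods in any namespace.
WORKLOAD_LABEL_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-meshed-egress"},
    "spec": {
        "podSelector": {"matchExpressions": [
            {"key": "linkerd.io/proxy-deployment", "operator": "Exists"}]},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"namespaceSelector": {}, "podSelector": {"matchExpressions": [
            {"key": "linkerd.io/proxy-deployment", "operator": "Exists"}]}}]}],
    },
}

# Labels that exist only for one workload kind, so a selector on them misses other meshed pods.
WORKLOAD_KIND_LABELS = {"linkerd.io/proxy-deployment", "linkerd.io/proxy-replicaset"}


def effective_policy_types(spec):
    """Return the policy types the API server will enforce for this spec.

    Kubernetes defaulting rule: if policyTypes is absent, the policy always
    affects Ingress, and also affects Egress when an egress section is present.
    """
    explicit = spec.get("policyTypes")
    if explicit:
        return set(explicit)
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def selector_keys(selector):
    """Collect every label key referenced by a label selector."""
    keys = set(selector.get("matchLabels", {}))
    keys |= {expr["key"] for expr in selector.get("matchExpressions", [])}
    return keys


def egress_reaches_namespace(spec, namespace):
    """True if some egress rule admits peers in the given namespace."""
    for rule in spec.get("egress", []):
        for peer in rule.get("to", []):
            ns_sel = peer.get("namespaceSelector")
            if ns_sel is None:
                continue
            if ns_sel == {}:  # empty selector matches every namespace
                return True
            if ns_sel.get("matchLabels", {}).get("kubernetes.io/metadata.name") == namespace:
                return True
    return False


def lint_linkerd_policy(policy, control_plane_ns="linkerd"):
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    spec = policy["spec"]

    if selector_keys(spec.get("podSelector", {})) & WORKLOAD_KIND_LABELS:
        findings.append("podSelector keyed on a workload-kind label; "
                        "use linkerd.io/control-plane-ns, which every meshed pod carries")

    types = effective_policy_types(spec)
    if "policyTypes" not in spec and "Ingress" in types and "ingress" not in spec:
        findings.append("policyTypes omitted: the policy defaults to Ingress as well, "
                        "so the selected pods will deny all inbound traffic")

    if "Egress" in types and not egress_reaches_namespace(spec, control_plane_ns):
        findings.append(f"egress does not allow the {control_plane_ns} namespace; "
                        "proxies must reach the control plane")
    return findings


if __name__ == "__main__":
    for name, pol in [("posted", POSTED_POLICY), ("fixed", FIXED_POLICY),
                      ("workload-label", WORKLOAD_LABEL_POLICY)]:
        print(name, lint_linkerd_policy(pol) or "OK")
```

Run against the posted manifest the linter reports only the missing policyTypes; the corrected copy passes, and the first snippet from the thread is flagged solely for selecting on linkerd.io/proxy-deployment. Extending the linter to parse real manifests only requires loading them with a YAML library into the same dict shape.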