Let's say you have a pod that should reject all incoming traffic unless it comes from a specific kind of pod. In this case an ingress NetworkPolicy will serve your needs. Here's a quick example of what that might look like, and then we'll discuss the specifics:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: backend
```
In the above, any pod in the default namespace with the label role: db will accept ingress traffic from a pod that either lives in a namespace labeled project: myproject or is in the default namespace and carries the label role: backend. The two entries under from are evaluated as OR: a source only has to satisfy one of them. A pod that satisfies neither simply cannot connect to the protected pod.

Two details trip people up here. First, a podSelector that appears on its own only matches pods in the policy's own namespace, so a role: backend pod in some other namespace is not allowed by the second entry. Second, if you want "role: backend pods in the myproject namespace" specifically, put namespaceSelector and podSelector in the same list entry (one dash, two keys) rather than two entries; selectors inside a single entry are ANDed, separate entries are ORed.
A pod that no NetworkPolicy selects accepts all traffic. As soon as at least one policy selects a pod for a direction (Ingress in this example), that direction becomes deny-all for the pod except for what the policies explicitly allow, and if several policies select the same pod their allow rules are additive. Keep this in mind when you are restricting traffic so that you don't accidentally create an outage: the moment you apply a policy with a podSelector, every source you forgot to list is cut off. Also note that NetworkPolicy is enforced by the cluster's network plugin (CNI); on a plugin that does not implement it, the API server accepts the object but nothing is actually blocked.
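To make the selector semantics above concrete (OR between from entries versus AND within one entry, podSelector being scoped to the policy's namespace, no-policy meaning allow-all, and multiple policies being additive), here is a small evaluator of NetworkPolicy ingress rules. It is an added example written for this page, not code from Kubernetes or from the original post; it models only matchLabels, namespaceSelector and podSelector (no ipBlock, matchExpressions, ports or egress), and the namespaces, pods and policies it runs over are constructed sample data.

```python
"""Evaluate simplified Kubernetes NetworkPolicy ingress semantics on constructed data.

Added example: models matchLabels / namespaceSelector / podSelector only.
ipBlock peers, matchExpressions, ports and egress are deliberately omitted.
"""

# Constructed sample cluster state (not from a real cluster): namespace labels.
NAMESPACES = {
    "default": {},
    "myproject-ns": {"project": "myproject"},
    "other": {"project": "other"},
}

# Constructed sample pods: name -> (namespace, labels).
PODS = {
    "db-0": ("default", {"role": "db"}),
    "backend-1": ("default", {"role": "backend"}),
    "frontend-1": ("default", {"role": "frontend"}),
    "job-1": ("myproject-ns", {"role": "frontend"}),
    "backend-2": ("myproject-ns", {"role": "backend"}),
    "backend-x": ("other", {"role": "backend"}),
}

# The page's policy: two separate `from` entries, which are ORed.
OR_POLICY = {
    "metadata": {"name": "db-network-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [
            {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
            {"podSelector": {"matchLabels": {"role": "backend"}}},
        ]}],
    },
}

# Variant: both selectors in ONE `from` entry, which ANDs them.
AND_POLICY = {
    "metadata": {"name": "db-network-policy-and", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [
            {"namespaceSelector": {"matchLabels": {"project": "myproject"}},
             "podSelector": {"matchLabels": {"role": "backend"}}},
        ]}],
    },
}

# Namespace-wide default-deny for ingress: empty podSelector, no ingress rules.
DENY_ALL_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def match_labels(selector, labels):
    """matchLabels: every key/value must be present; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src_ns, src_labels):
    """Does one entry of a `from` list admit the source pod? Selectors in one entry are ANDed."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is not None:
        if not match_labels(ns_sel, NAMESPACES[src_ns]):
            return False
    elif src_ns != policy_ns:
        return False  # a bare podSelector only reaches pods in the policy's own namespace
    if pod_sel is not None and not match_labels(pod_sel, src_labels):
        return False
    return True


def ingress_allowed(policies, src, dst):
    """True if pod `src` may send to pod `dst` under the given list of policies."""
    src_ns, src_labels = PODS[src]
    dst_ns, dst_labels = PODS[dst]
    selecting = []
    for p in policies:
        spec = p["spec"]
        # policyTypes defaults to Ingress (plus Egress only if egress rules are present).
        ptypes = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if (p["metadata"]["namespace"] == dst_ns and "Ingress" in ptypes
                and match_labels(spec["podSelector"], dst_labels)):
            selecting.append(p)
    if not selecting:
        return True  # nothing selects the destination: all ingress is allowed
    for p in selecting:  # several policies are additive: any allow wins
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule with no `from` admits every source
            if any(peer_matches(peer, dst_ns, src_ns, src_labels) for peer in peers):
                return True
    return False  # selected, but no rule admits this source: implicit deny
```

Running ingress_allowed with an empty policy list returns True for every pair; with [OR_POLICY], backend-1 and job-1 can reach db-0 but frontend-1 and backend-x cannot, while db-0 can still reach frontend-1 because nothing selects frontend-1. Swapping in AND_POLICY keeps only backend-2. Adding DENY_ALL_INGRESS alongside OR_POLICY closes db-0 to frontend-1 as well, while backend-1 to db-0 stays open because the two policies' allow rules are combined.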