stewartshea/namespaceisolation.txt

## namespaceisolation.txt
$ cat isolate-default-k8s-ns.yml
APIVersion: 0
data:
  networkaccesspolicies:
    - action: Reject
      logsEnabled: true
      fallback: true
      name: isolate-default-namespace
      object:
        - - "@app:k8s:namespace=default"
      propagate: true
      subject:
        - - $namespace=/aporeto/gigaom/mct/*
          - $type=Docker
identities:
  - networkaccesspolicy
label: isolate-default-namespace
$ apoctl api import --file isolate-default-k8s-ns.yml -n /aporeto/gigaom/mct
successfully imported data in /aporeto/gigaom/mct
$ cat allow-testns-to-defaultns.yml
APIVersion: 0
data:
  networkaccesspolicies:
    - logsEnabled: true
      name: allow-testns-to-defaultns
      object:
        - - "@app:k8s:namespace=default"
      propagate: true
      subject:
        - - "@app:k8s:namespace=testns"
identities:
  - networkaccesspolicy
label: allow-testns-to-defaultns
$ apoctl api import --file allow-testns-to-defaultns.yml -n /aporeto/gigaom/mct
successfully imported data in /aporeto/gigaom/mct
	$ cat isolate-default-k8s-ns.yml
	APIVersion: 0
	data:
	networkaccesspolicies:
	- action: Reject
	logsEnabled: true
	fallback: true
	name: isolate-default-namespace
	object:
	- - "@app:k8s:namespace=default"
	propagate: true
	subject:
	- - $namespace=/aporeto/gigaom/mct/*
	- $type=Docker
	identities:
	- networkaccesspolicy
	label: isolate-default-namespace
	$ apoctl api import --file isolate-default-k8s-ns.yml -n /aporeto/gigaom/mct
	successfully imported data in /aporeto/gigaom/mct
	$ cat allow-testns-to-defaultns.yml
	APIVersion: 0
	data:
	networkaccesspolicies:
	- logsEnabled: true
	name: allow-testns-to-defaultns
	object:
	- - "@app:k8s:namespace=default"
	propagate: true
	subject:
	- - "@app:k8s:namespace=testns"
	identities:
	- networkaccesspolicy
	label: allow-testns-to-defaultns
	$ apoctl api import --file allow-testns-to-defaultns.yml -n /aporeto/gigaom/mct
	successfully imported data in /aporeto/gigaom/mct