
Kubernetes network policy to filter on both namespaces and pod's labels

Tags:

kubernetes

Is there any ability to filter by both namespace and pod's labels at the same time?

The example present in documentation at https://kubernetes.io/docs/user-guide/networkpolicies/#the-networkpolicy-resource

- from:
  - namespaceSelector:
      matchLabels:
        project: myproject
  - podSelector:
      matchLabels:
        role: frontend

means that communication is allowed for pods with role=frontend or from namespace myproject.

Is there any way to change that "or" into an "and"?

Adam Kotwasinski asked Feb 14 '17 14:02


1 Answer

Kubernetes 1.11 and above supports combining podSelector and namespaceSelector with a logical AND:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

See more details here: https://medium.com/@reuvenharrison/an-introduction-to-kubernetes-network-policies-for-security-people-ba92dd4c809d/#f416

Mark answered Nov 03 '22 12:11
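The difference between the two forms discussed above, modelled in Python as an added example (not code from the question, the answer or Kubernetes itself): two list items under `from` are ORed, while `namespaceSelector` and `podSelector` inside one list item are ANDed. The selectors are taken from the answer's policy; the function names and the sample source pods are constructed for illustration, and only `matchLabels` is modelled.

```python
# Added example: models how the `from` peers of one ingress rule are evaluated.
# Simplification: only matchLabels is modelled (no matchExpressions, no ipBlock).

def labels_match(selector, labels):
    # An empty selector matches everything; matchLabels entries are ANDed.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src):
    # Selectors inside ONE list item are ANDed.
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        ns_ok = src["ns"] == policy_ns  # podSelector alone: policy's own namespace only
    else:
        ns_ok = labels_match(ns_sel, src["ns_labels"])  # labels on the Namespace object
    pod_ok = pod_sel is None or labels_match(pod_sel, src["pod_labels"])
    return ns_ok and pod_ok

def ingress_allowed(peers, policy_ns, src):
    # Separate list items are ORed.
    return any(peer_allows(p, policy_ns, src) for p in peers)

NS_SEL = {"matchLabels": {"namespace": "default"}}
POD_SEL = {"matchLabels": {"app": "admin"}}
OR_PEERS = [{"namespaceSelector": NS_SEL}, {"podSelector": POD_SEL}]  # two list items
AND_PEERS = [{"namespaceSelector": NS_SEL, "podSelector": POD_SEL}]   # one list item

# Constructed sample sources; the policy itself lives in namespace "database".
SOURCES = {
    "admin in default": {"ns": "default", "ns_labels": {"namespace": "default"},
                         "pod_labels": {"app": "admin"}},
    "web in default": {"ns": "default", "ns_labels": {"namespace": "default"},
                       "pod_labels": {"app": "web"}},
    "admin in database": {"ns": "database", "ns_labels": {},
                          "pod_labels": {"app": "admin"}},
    "admin in staging": {"ns": "staging", "ns_labels": {"namespace": "staging"},
                         "pod_labels": {"app": "admin"}},
    "admin in unlabelled default": {"ns": "default", "ns_labels": {},
                                    "pod_labels": {"app": "admin"}},
}

def compare(policy_ns="database"):
    # Returns {source: (allowed by two-item form, allowed by one-item form)}.
    return {name: (ingress_allowed(OR_PEERS, policy_ns, s),
                   ingress_allowed(AND_PEERS, policy_ns, s))
            for name, s in SOURCES.items()}

if __name__ == "__main__":
    for name, (or_form, and_form) in compare().items():
        print(f"{name:28} two items: {or_form!s:5}  one item: {and_form}")
```

The last sample shows that the combined form only admits traffic when the `default` Namespace object actually carries the `namespace: default` label, because `namespaceSelector` matches labels, not the namespace name.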