
Set up access policies

This guide will show you how to define access policies for your workload.

Receive requests from workloads in the same namespace

For app <MY-APP> to be able to receive incoming requests from <MY-OTHER-APP> in the same namespace, this specification is needed for <MY-APP>:

apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
  name: <MY-APP>
...
spec:
  ...
  accessPolicy:
    inbound:
      rules:
        - application: <MY-OTHER-APP>

graph LR
  accTitle: Receive requests from other workload in the same namespace
  accDescr: The diagram shows two applications in the same namespace, MY-APP and MY-OTHER-APP. Application MY-APP is allowed to receive requests from MY-OTHER-APP.

  MY-OTHER-APP--"✅"-->MY-APP

  subgraph namespace
    MY-OTHER-APP
    MY-APP
  end

Receive requests from workloads in other namespaces

For app <MY-APP> to be able to receive incoming requests from <ANOTHER-APP> in <ANOTHER-NAMESPACE>, this specification is needed for <MY-APP>:

apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
  name: <MY-APP>
...
spec:
  ...
  accessPolicy:
    inbound:
      rules:
        - application: <ANOTHER-APP>
          namespace: <ANOTHER-NAMESPACE>

graph LR
  accTitle: Receive requests from other app in another namespace
  accDescr: The diagram shows two applications in different namespaces, <MY-APP> and <ANOTHER-APP>. Application <MY-APP> is allowing requests from <ANOTHER-APP>.

  ANOTHER-APP--"✅"-->MY-APP

  subgraph namespace
    MY-APP
  end

  subgraph another-namespace
    ANOTHER-APP
  end

Send requests to another app in the same namespace

For app <MY-APP> to be able to send requests to <MY-OTHER-APP> in the same namespace, this specification is needed for <MY-APP>:

apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
  name: <MY-APP>
...
spec:
  ...
  accessPolicy:
    outbound:
      rules:
        - application: <MY-OTHER-APP>

graph LR
  accTitle: Send requests to other app in the same namespace
  accDescr: The diagram shows two applications in the same namespace, <MY-APP> and <MY-OTHER-APP>. Application <MY-APP> is allowed to send requests to <MY-OTHER-APP>.

  MY-APP--"✅"-->MY-OTHER-APP

  subgraph mynamespace
    MY-APP
    MY-OTHER-APP
  end

Send requests to another app in another namespace

For app <MY-APP> to be able to send requests to <ANOTHER-APP> in <ANOTHER-NAMESPACE>, this specification is needed for <MY-APP>:

apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
  name: <MY-APP>
...
spec:
  ...
  accessPolicy:
    outbound:
      rules:
        - application: <ANOTHER-APP>
          namespace: <ANOTHER-NAMESPACE>

graph LR
  accTitle: Send requests to other app in another-namespace
  accDescr: The diagram shows two applications in different namespaces, <MY-APP> and <ANOTHER-APP>. Application <MY-APP> is allowed to send requests to <ANOTHER-APP>.

  MY-APP--"✅"-->ANOTHER-APP

  subgraph mynamespace
    MY-APP
  end

  subgraph another-namespace
    ANOTHER-APP
  end

Send requests to external endpoints

For app <MY-APP> to be able to send requests outside of the environment, this specification is needed for <MY-APP>:

apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
  name: <MY-APP>
...
spec:
  ...
  accessPolicy:
    outbound:
      external:
        - host: external-application.com

graph LR
  accTitle: External services
  accDescr: The diagram shows an application, <MY-APP>, that is allowed to send requests to an external service.

  MY-APP--"✅"-->external-application.com

  subgraph environment
    subgraph mynamespace
      MY-APP
    end
  end

See the access policy reference for a list of default external endpoints.
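
The inbound and outbound rules above are declared per workload, so one flow between two apps is described in two manifests. The check below is an added example, not part of the NAIS documentation or tooling: it assumes a flow only works when the caller declares the outbound rule and the callee declares the matching inbound rule, and it reads `metadata.namespace` from each manifest (an assumption; the snippets above elide it). The manifests in `SAMPLE` are constructed.

```python
# Added example; SAMPLE holds constructed manifests, not real workloads.
def app(name, namespace, inbound=(), outbound=()):
    """Minimal Application manifest as a dict, as it would look once parsed from YAML."""
    return {
        "apiVersion": "nais.io/v1alpha1",
        "kind": "Application",
        # metadata.namespace is assumed present; the page's snippets elide it.
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"accessPolicy": {
            "inbound": {"rules": list(inbound)},
            "outbound": {"rules": list(outbound)},
        }},
    }

def edges(manifests, direction):
    """Set of (caller, callee) flows declared in one direction; apps are (namespace, name)."""
    found = set()
    for m in manifests:
        me = (m["metadata"]["namespace"], m["metadata"]["name"])
        policy = m.get("spec", {}).get("accessPolicy", {})
        for rule in policy.get(direction, {}).get("rules", []):
            # A rule without `namespace` points at the workload's own namespace.
            peer = (rule.get("namespace", me[0]), rule["application"])
            found.add((me, peer) if direction == "outbound" else (peer, me))
    return found

def one_sided(manifests):
    """Flows declared by only one of the two workloads involved."""
    out, inn = edges(manifests, "outbound"), edges(manifests, "inbound")
    return {"missing_inbound": sorted(out - inn), "missing_outbound": sorted(inn - out)}

SAMPLE = [
    app("my-app", "team-a",
        inbound=[{"application": "my-other-app"}],
        outbound=[{"application": "my-other-app"},
                  {"application": "another-app", "namespace": "team-b"}]),
    app("my-other-app", "team-a", inbound=[{"application": "my-app"}]),
    app("another-app", "team-b"),
]

if __name__ == "__main__":
    for kind, flows in one_sided(SAMPLE).items():
        for (src_ns, src), (dst_ns, dst) in flows:
            print(f"{kind}: {src_ns}/{src} -> {dst_ns}/{dst}")
```

A peer whose manifest is not in the input is reported as missing its half, so run the check over every namespace involved. External hosts under `outbound.external` are not covered.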