netpol: allow internamespace communication

Our network policies only allowed pods within the local namespace to
communicate with the hub/proxy/singleuser-server pods if they had a
certain label. But, we want any pod in any namespace with the relevant
access labels to be allowed to communicate with the associated pod, not
only pods within the local namespace.

This commit makes that possible!

jupyterhub/templates/hub/netpol.yaml

@@ -18,7 +18,9 @@ spec:
     - ports:
         - port: http
       from:
-        - podSelector:
+        - namespaceSelector:
+            matchLabels: {} # allow the label below to be set on a pod in any namespace
+          podSelector:
             matchLabels:
               hub.jupyter.org/network-access-hub: "true"
 

jupyterhub/templates/proxy/netpol.yaml

@@ -25,15 +25,19 @@ spec:
         - port: https
         {{- end }}
       from:
-        - podSelector:
+        - namespaceSelector:
+            matchLabels: {} # allow the label below to be set on a pod in any namespace
+          podSelector:
             matchLabels:
               hub.jupyter.org/network-access-proxy-http: "true"
 
     # allowed pods (hub.jupyter.org/network-access-proxy-api) --> proxy (api port)
     - ports:
         - port: api
       from:
-        - podSelector:
+        - namespaceSelector:
+            matchLabels: {} # allow the label below to be set on a pod in any namespace
+          podSelector:
             matchLabels:
               hub.jupyter.org/network-access-proxy-api: "true"
 

jupyterhub/templates/singleuser/netpol.yaml

@@ -19,7 +19,9 @@ spec:
     - ports:
         - port: notebook-port
       from:
-        - podSelector:
+        - namespaceSelector:
+            matchLabels: {} # allow the label below to be set on a pod in any namespace
+          podSelector:
             matchLabels:
               hub.jupyter.org/network-access-singleuser: "true"