
Kubernetes Ingress network policy working as expected, egress is blocking all traffic

I have installed Calico on EKS from here.

I have two namespaces, foo and bar, both labeled with a label 'purpose', and containing one app pod each.

When I import the following Ingress-only policy into the foo namespace, it works exactly as expected; other test pods cannot connect to foo-app, but bar-app can.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo
  namespace: foo
spec:
  podSelector:
    matchLabels:
      app: foo-app
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

However, when I import a policy containing both ingress and egress rules, it completely shuts off networking to the pod. I can no longer even ping the foo-app pod IP from bar-app.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo
  namespace: foo
spec:
  podSelector:
    matchLabels:
      app: foo-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

After removing and systematically re-adding parts of the policy, it is definitely the addition of the namespaceSelector entry in the egress that breaks it.

There are no other network policies on the cluster.

If there is no directly obvious reason why this is happening, other than trawling through netfilter rules on worker nodes, is there any efficient way to debug this?

I don't think your Network Policy is correctly written.

I think you should change

  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

to

  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - to:
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

This is because you might be blocking the DNS which is being used to resolve service names to their IP addresses. You can read a really nice Introduction to Kubernetes Network Policies for Security People.

If this is still a problem, please provide detailed info about where the pods are running, what the labels are, and what rules you want to implement.

You can also check some nice examples for Ingress and Egress at GitHub - ahmetb/kubernetes-network-policy-recipes and Declare Network Policy.
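To see why listing Egress in policyTypes changes behaviour so sharply, here is a small evaluator of NetworkPolicy rule semantics (an added example, not code from the question or the answers). It transcribes the question's second policy into a dict and checks sample flows against it; the namespace labels and pod/DNS IPs used in the checks are constructed, and podSelector peers and named ports are not modelled.

```python
import ipaddress

# The question's second (Ingress + Egress) policy, transcribed to a dict here.
POLICY = {"spec": {
    "podSelector": {"matchLabels": {"app": "foo-app"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [
        {"from": [{"namespaceSelector": {"matchLabels": {"purpose": "bar"}}}]},
        {"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
         "ports": [{"protocol": "TCP", "port": 53}, {"protocol": "UDP", "port": 53}]}],
    "egress": [
        {"to": [{"namespaceSelector": {"matchLabels": {"purpose": "bar"}}}]},
        {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
         "ports": [{"protocol": "TCP", "port": 53}, {"protocol": "UDP", "port": 53}]}]}}

def peer_matches(peer, ns_labels, ip):
    """One entry of a from/to list: namespaceSelector or ipBlock (podSelector not modelled)."""
    if "namespaceSelector" in peer:
        want = peer["namespaceSelector"].get("matchLabels", {})
        return all(ns_labels.get(k) == v for k, v in want.items())
    if "ipBlock" in peer:
        addr, block = ipaddress.ip_address(ip), peer["ipBlock"]
        return addr in ipaddress.ip_network(block["cidr"]) and not any(
            addr in ipaddress.ip_network(x) for x in block.get("except", []))
    return False

def rule_allows(rule, key, ns_labels, ip, proto, port):
    """A rule matches when its peers (all peers if the list is empty/absent) and ports both match."""
    peers = rule.get(key) or []
    peer_ok = not peers or any(peer_matches(p, ns_labels, ip) for p in peers)
    ports = rule.get("ports") or []
    port_ok = not ports or any(p.get("protocol", "TCP") == proto
                               and ("port" not in p or p["port"] == port) for p in ports)
    return peer_ok and port_ok

def flow_allowed(policy, direction, ns_labels, ip, proto="TCP", port=80):
    """direction is 'ingress' or 'egress'. A direction listed in policyTypes is default-deny,
    so only traffic matched by at least one rule passes; an unlisted direction is unrestricted."""
    spec = policy["spec"]
    if direction.capitalize() not in spec.get("policyTypes", ["Ingress"]):
        return True
    key = "from" if direction == "ingress" else "to"
    return any(rule_allows(r, key, ns_labels, ip, proto, port) for r in spec.get(direction, []))

if __name__ == "__main__":
    BAR, DEFAULT = {"purpose": "bar"}, {"purpose": "default"}      # constructed namespace labels
    print(flow_allowed(POLICY, "egress", BAR, "10.0.1.5"))              # True: peer in bar namespace
    print(flow_allowed(POLICY, "egress", {}, "10.100.0.10", "UDP", 53))  # True: DNS via the ipBlock rule
    print(flow_allowed(POLICY, "egress", DEFAULT, "10.0.2.7"))          # False: egress is default-deny
    ingress_only = {"spec": {**POLICY["spec"], "policyTypes": ["Ingress"]}}
    print(flow_allowed(ingress_only, "egress", DEFAULT, "10.0.2.7"))    # True: egress unrestricted
```

The evaluator only models the policy as written; whether a 0.0.0.0/0 ipBlock really matches the cluster's DNS pod IPs on a given CNI is an implementation detail it cannot see, which is why verifying DNS egress from the pod itself is still the first check to run.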

Your last network policy addresses both Egress and Ingress. I would split Egress and Ingress into two different yaml files (if there are several different Ingress/Egress policies, I would also split them into different files), and I would apply them one by one. This way it is easier to read them. Also, if you use a deny rule, I would apply it first and then apply the other rules.
