
Kubernetes Network Policies: unable to 'wget' to a pod running in a different namespace?

I have created two namespaces named 'a' and 'b'.

I have a file structure like below.

on folder a

nginx-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-a
  labels:
    app-tier: UI
  namespace: a
spec:
  
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

network-policy.yml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-a
  namespace: a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: b
  
    ports:
    - protocol: TCP
      port: 80
    
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: b
    
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

and applied both yml files using kubectl apply -f

on folder b

nginx-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-b
  labels:
    app-tier: UI
  namespace: b
spec:
  
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

network-policy.yml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-b
  namespace: b
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: a
    
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: a
    
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

and applied both yml files using kubectl apply -f

The problem

So basically I want to allow traffic from namespace a to namespace b and vice-versa.

And I have exposed the services using

$$ kubectl expose deployment nginx-deployment-b -n b --port=80

$$ kubectl expose deployment nginx-deployment-a -n a --port=80

And I have created a busybox pod in namespace a using

kubectl run myshell --image=busybox -n a --command -- sh -c "sleep 3600"

And I have exec'd into busybox using

kubectl exec myshell -n a -it -- sh

Now here is the output of wget

/ # wget nginx-deployment-b.b.svc.cluster.local
^Z[5]+  Stopped                    wget nginx-deployment-b.b.svc.cluster.local
/ # wget nginx-deployment-a.a.svc.cluster.local
^Z[6]+  Stopped                    wget nginx-deployment-a.a.svc.cluster.local
/ # wget nginx-deployment-a.a.svc
^Z[7]+  Stopped                    wget nginx-deployment-a.a.svc
/ # wget nginx-deployment-b.b.svc
^Z[8]+  Stopped                    wget nginx-deployment-b.b.svc
/ # 

You can see that I'm able to connect neither to the service running in namespace a nor to the one in namespace b.

What should I do to allow traffic from namespace a to namespace b and vice versa?

Any suggestions or modifications.

Thanks

edit-1

Descriptions of network policies, np-a

Name:         np-a
Namespace:    a
Created on:   2020-08-21 18:41:12 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=b
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=b
  Policy Types: Ingress, Egress

np-b

Name:         np-b
Namespace:    b
Created on:   2020-08-21 18:21:07 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=a
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=a
  Policy Types: Ingress, Egress

Service descriptions

Name:              nginx-deployment-a
Namespace:         a
Labels:            app-tier=UI
Annotations:       <none>
Selector:          app-tier=UI
Type:              ClusterIP
IP:                10.107.112.202
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.0.0.147:80
Session Affinity:  None
Events:            <none>

and

Name:              nginx-deployment-b
Namespace:         b
Labels:            app-tier=UI
Annotations:       <none>
Selector:          app-tier=UI
Type:              ClusterIP
IP:                10.98.228.141
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.0.0.79:80
Session Affinity:  None
Events:            <none>

output of kubectl get pods -n kube-system

NAME                               READY   STATUS    RESTARTS   AGE
cilium-operator-868c78f7b5-44nhn   0/1     Pending   0          7h58m
cilium-operator-868c78f7b5-jl5cq   1/1     Running   2          7h58m
cilium-qgzxs                       1/1     Running   2          7h58m
coredns-66bff467f8-lpck8           1/1     Running   2          8h
etcd-minikube                      1/1     Running   1          7h8m
kube-apiserver-minikube            1/1     Running   1          7h8m
kube-controller-manager-minikube   1/1     Running   3          8h
kube-proxy-f9vgr                   1/1     Running   2          8h
kube-scheduler-minikube            1/1     Running   2          8h
storage-provisioner                1/1     Running   5          8h

You need to allow egress on port 53 for DNS resolution

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dns
spec:
  podSelector: {}
  egress:
  - to:
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

You can have a separate network policy like the one above in both namespaces, dedicated to DNS.

Also, when you access a service that is in a different namespace, you need to use <servicename>.<namespacename>.svc or <servicename>.<namespacename>.svc.cluster.local.

Hence the name to use to access nginx-deployment-b should be nginx-deployment-b.b.svc or nginx-deployment-b.b.svc.cluster.local.
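As an added illustration (not code from the question or the answer), here is a small Python model of the egress half of NetworkPolicy evaluation, run over np-a's egress rule from the question beside a constructed corrected rule set. It assumes the Namespace objects actually carry the `name` label that the selectors match on, and it shows why the original rule denies both DNS to kube-system (which is what makes wget hang) and HTTP to namespace b.

```python
"""Toy evaluator for NetworkPolicy egress rules (namespaceSelector peers only)."""

# Constructed namespace labels. Note: `kubectl create ns` does not add a `name`
# label by itself; the selectors on this page only work if it has been added.
NAMESPACE_LABELS = {"a": {"name": "a"}, "b": {"name": "b"}, "kube-system": {}}

# The egress rule of np-a exactly as written in the question.
NP_A_EGRESS = [
    {"to": [{"namespaceSelector": {"matchLabels": {"name": "b"}}}],
     "ports": [{"protocol": "TCP", "port": 53}, {"protocol": "UDP", "port": 53}]},
]

# Constructed correction: DNS to any destination (no `to` = all peers, as in the
# answer's policy), plus a separate rule for HTTP to namespace b.
FIXED_EGRESS = [
    {"ports": [{"protocol": "TCP", "port": 53}, {"protocol": "UDP", "port": 53}]},
    {"to": [{"namespaceSelector": {"matchLabels": {"name": "b"}}}],
     "ports": [{"protocol": "TCP", "port": 80}]},
]


def peer_matches(peer, dst_ns):
    """A namespaceSelector peer matches when every matchLabels entry is on the namespace."""
    selector = peer.get("namespaceSelector")
    if selector is None:
        return False  # podSelector / ipBlock peers are out of scope for this toy
    wanted = selector.get("matchLabels", {})
    have = NAMESPACE_LABELS.get(dst_ns, {})
    return all(have.get(k) == v for k, v in wanted.items())


def egress_allowed(rules, dst_ns, proto, port):
    """Once a pod is selected by an egress policy, a flow passes only if some rule allows it.

    An absent/empty `to` allows all destinations; an absent/empty `ports` allows all ports.
    """
    for rule in rules:
        peers = rule.get("to")
        peer_ok = not peers or any(peer_matches(p, dst_ns) for p in peers)
        ports = rule.get("ports")
        port_ok = not ports or any(
            p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports
        )
        if peer_ok and port_ok:
            return True
    return False
```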
