
Kubernetes/Rancher: NetworkPolicy with Traefik

We are using Rancher to set up clusters with Canal as the CNI. We decided to use Traefik as an Ingress Controller and wanted to create a NetworkPolicy. We disabled ProjectIsolation, and Traefik is running in the System project in the kube-system namespace.

I created this Policy:

# deny all ingress traffic
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}

---
# allow traefik
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-allow-traefik
spec:
  podSelector: {}
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            namespace: kube-system
        podSelector:
          matchLabels:
            app: traefik

---
# allow backnet
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-allow-backnet
spec:
  podSelector: {}
  ingress:
    - from:
      - ipBlock:
          cidr: 10.0.0.0/24
      - ipBlock:
          cidr: 10.1.0.0/24
      - ipBlock:
          cidr: 10.2.0.0/24
      - ipBlock:
          cidr: 192.168.0.0/24

But somehow we can't get this to work. The connection times out and that's it. Is there a major problem with this policy? Something I didn't understand about NetworkPolicies?

Thanks in advance

I solved the problem. It was a plain beginner mistake:

- namespaceSelector:
    matchLabels:
      namespace: kube-system

I didn't add the label namespace: kube-system to the namespace kube-system.

After adding the label it worked instantly.
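To make the root cause concrete, here is an added example (not from the question or the answer) that simulates how a single NetworkPolicy `from` entry selects a source pod: a namespaceSelector matches namespace labels, never the namespace name, so an unlabelled namespace matches nothing. It assumes a constructed Traefik pod labelled app: traefik in kube-system, a target namespace called apps, and the kubernetes.io/metadata.name label that Kubernetes 1.21+ sets on every namespace.

```python
def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key/value must be present; {} matches all."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_selects(peer: dict, policy_ns: str, pod_ns: str,
                 pod_labels: dict, ns_labels: dict) -> bool:
    """True if one 'from' entry admits traffic from the given source pod.
    Only podSelector: pods in the policy's own namespace. Only
    namespaceSelector: every pod in namespaces whose labels match. Both in
    one entry: AND of the two. Namespaces match by labels, never by name.
    """
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None:
        ns_ok = pod_ns == policy_ns
    else:
        ns_ok = selector_matches(ns_sel, ns_labels)
    pod_ok = pod_sel is None or selector_matches(pod_sel, pod_labels)
    return ns_ok and pod_ok

# The 'from' peer of the question's ingress-allow-traefik policy.
TRAEFIK_PEER = {
    "namespaceSelector": {"matchLabels": {"namespace": "kube-system"}},
    "podSelector": {"matchLabels": {"app": "traefik"}},
}
TRAEFIK_POD_LABELS = {"app": "traefik"}  # constructed Traefik pod labels

# Kubernetes 1.21+ stamps every namespace with this immutable label; the
# custom "namespace" label only exists after someone runs `kubectl label`.
NS_BEFORE = {"kubernetes.io/metadata.name": "kube-system"}
NS_AFTER = {**NS_BEFORE, "namespace": "kube-system"}

# Same pod selector, but keyed on the built-in label: no manual labelling.
BUILTIN_PEER = {
    "namespaceSelector": {
        "matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
    "podSelector": TRAEFIK_PEER["podSelector"],
}

def traefik_allowed(peer: dict, ns_labels: dict) -> bool:
    """Would Traefik (in kube-system) reach a pod in namespace 'apps'?"""
    return peer_selects(peer, "apps", "kube-system",
                        TRAEFIK_POD_LABELS, ns_labels)

if __name__ == "__main__":
    print("unlabelled namespace:", traefik_allowed(TRAEFIK_PEER, NS_BEFORE))  # False
    print("after kubectl label: ", traefik_allowed(TRAEFIK_PEER, NS_AFTER))   # True
    print("built-in name label: ", traefik_allowed(BUILTIN_PEER, NS_BEFORE))  # True
```

The first policy in the question, whose only peer is podSelector: {} with no namespaceSelector, admits pods from the policy's own namespace only, which is why it never lets Traefik in on its own.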
