
Kubernetes network policy deny-all policy not blocking basic communication

I am running a GKE cluster version 1.17.13-gke.1400.

I have applied the following network policy in my cluster -

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Which should block all communication to or from pods on the default namespace. However, it does not. As is evident from this test -

$ kubectl run p1 -it  --image google/cloud-sdk
root@p1:/# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=1.14 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=1.21 ms
^C
root@p1:/# curl www.google.com 
<!doctype html><html itemscope=" ...

From the docs, it seems like this application should be pretty straightforward. Any help in understanding what I'm doing wrong, or tips for further troubleshooting, will be appreciated.

Thanks, Nimrod

For Network Policies to take effect, your cluster needs to run a network plugin which also enforces them. Project Calico or Cilium are plugins that do so. This is not the default when creating a cluster!

So first, you should check if your cluster is set up accordingly as described in the Google Cloud Network Policies docs. This is somehow abstracted away behind the --enable-network-policy flag.

If it is enabled, you should see some calico pods in the kube-system namespace.

kubectl get pods --namespace=kube-system

If there is a plugin in place which enforces network policies, you need to make sure to have deployed the network policy in the desired namespace - and check if your test using kubectl run is executed in that namespace, too. You might have some other namespace configured in your kube context and not hit the default namespace with your command.
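As an added illustration (not code from the question or the answers), the two checks above in Python: whether a kube-system pod listing shows a policy-enforcing plugin, and whether the question's default-deny policy would actually select and isolate a pod in a given namespace. The pod listing is constructed, and the selector evaluation handles matchLabels only.

```python
# Added example, not part of the original question or answers.
# Check 1: does the kube-system pod listing show a policy-enforcing plugin?
# Check 2: does the question's default-deny policy select and isolate a pod?
# Label matching handles matchLabels only (matchExpressions are ignored).

ENFORCER_PREFIXES = ("calico-node", "calico-typha", "cilium")

def has_policy_enforcer(pod_listing):
    """pod_listing: text of `kubectl get pods -n kube-system` (header optional)."""
    names = [line.split()[0] for line in pod_listing.splitlines() if line.strip()]
    return any(n.startswith(ENFORCER_PREFIXES) for n in names if n != "NAME")

# The policy from the question, as the dict a YAML parser would produce.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

def selects_pod(policy, pod_namespace, pod_labels):
    """A policy only applies to pods in its own namespace whose labels match
    spec.podSelector; an empty selector matches every pod in that namespace."""
    if policy["metadata"].get("namespace", "default") != pod_namespace:
        return False
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def effective_policy_types(policy):
    """policyTypes omitted: Ingress is always implied, Egress only if the policy
    has an egress section. Forgetting policyTypes silently leaves egress open."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def isolation(policy, pod_namespace, pod_labels, enforcing_cni=True):
    """Return {'Ingress': bool, 'Egress': bool}; True means this policy alone
    denies all traffic in that direction for the pod."""
    if not enforcing_cni or not selects_pod(policy, pod_namespace, pod_labels):
        return {"Ingress": False, "Egress": False}
    spec, types = policy["spec"], effective_policy_types(policy)
    # A direction is fully denied when it is in policyTypes and the policy has
    # no allow rules for it (rules, when present, form an allow-list).
    return {"Ingress": "Ingress" in types and not spec.get("ingress"),
            "Egress": "Egress" in types and not spec.get("egress")}

# Constructed sample listing of a cluster without network policy enforcement.
SAMPLE_KUBE_SYSTEM = """NAME                          READY   STATUS    RESTARTS   AGE
kube-dns-7c976ddbdb-abcde     4/4     Running   0          3h
kube-proxy-gke-default-pool   1/1     Running   0          3h
"""
```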

To install Calico using manifests

Apply the Calico manifests to your cluster. These manifests create a DaemonSet in the kube-system namespace.

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-operator.yaml

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-crs.yaml

View the resources in the kube-system namespace.

kubectl get daemonset calico-node --namespace kube-system

Output:

The values in the DESIRED and READY columns should match. The values returned for you are different than the values in the following output.

NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
calico-node   1         1         1       1            1           kubernetes.io/os=linux   26m
