
Azure AKS: why is the network policy not working?

I have a Kubernetes cluster (AKS) in Azure, with the Application Gateway Ingress Controller (AGIC).

I deployed a WordPress Helm release on it. I would like to allow ingress traffic only from the Application Gateway Ingress Controller pod, which is in kube-system.

So my values.yml looks like this:

# I paste only the NetworkPolicy part
networkPolicy:
  enabled: true
  ingress:
    enabled: true
  ingressRules:
    customRules:
      - from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: kube-system
            podSelector:
              matchLabels:
                app: ingress-appgw

However, when I deploy the release, WordPress itself works fine, but I cannot access it via <Application_Gateway_Ingress_Controller_PublicIP>.

In the Azure Portal, when I go to the Application Gateway resource, I get the following messages:

Image 1: [screenshot]

Image 2: [screenshot]

But when I remove the network policy part from values.yml, the AGIC becomes healthy!

Any help please?

Thank you in advance!

This error indicates that you don't have any healthy backend pools; try adding health probes as below. These will continuously monitor the health status of your backend pools and update the application gateway. The app gateway will only send traffic to healthy backend pools; then refresh.

[screenshot: health probe settings]

[screenshot: health probe settings]

After adding the health probes and refreshing, it takes a few minutes for these to update; then try to access the application gateway. If you receive an "invalid hostname" error, try changing the setting as below under Advanced:

[screenshot: hostname setting]

Check out this SO thread by Vladam for some pointers.

Alternatively, try a network policy that blocks all traffic. Create a file named backend-policy.yaml and use the manifest below to block all incoming traffic to the pod:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: backend-policy
  namespace: development
spec:
  # Applies to every pod in the namespace carrying both labels
  podSelector:
    matchLabels:
      app: webapp
      role: backend
  # An empty ingress list means no inbound traffic is allowed to the selected pods
  ingress: []

Reference:

Troubleshoot backend health issues in Azure Application Gateway | Microsoft Docs

Secure pod traffic with network policy - Azure Kubernetes Service | Microsoft Docs
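One point worth checking before adding probes: an Azure Application Gateway does not proxy requests through the AGIC pod in kube-system. AGIC only writes the gateway's configuration; the gateway instances themselves (which live in their own subnet outside the cluster) connect and health-probe straight to the pod IPs. A policy whose only allowed source is the AGIC pod therefore admits nothing the gateway sends, and the backend shows as unhealthy exactly as the question describes. The manifest below is an added example, not from the question or the answer. It assumes the WordPress release runs in a namespace named wordpress with the Bitnami chart's default pod label and container port, and the gateway subnet CIDR is a placeholder to be replaced with the real address range of the Application Gateway's subnet.

```yaml
# Added example: admit Application Gateway traffic to the WordPress pods by
# source subnet, not by the AGIC pod. Assumptions: namespace "wordpress",
# Bitnami label app.kubernetes.io/name=wordpress, container HTTP port 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: wordpress-allow-appgw
  namespace: wordpress
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: wordpress
  policyTypes:
    - Ingress
  ingress:
    # Both the data-path requests and the health probes originate from the
    # gateway instances' subnet, so this single rule keeps the backend healthy
    # while still denying every other source.
    - from:
        - ipBlock:
            cidr: 10.225.0.0/16   # PLACEHOLDER: Application Gateway subnet range
      ports:
        - protocol: TCP
          port: 8080              # assumption: Bitnami WordPress container port
```

The same `from` entry (an `ipBlock` instead of the `namespaceSelector`/`podSelector` pair) can be placed under `networkPolicy.ingressRules.customRules` in the chart values shown in the question. After applying, `kubectl describe networkpolicy wordpress-allow-appgw -n wordpress` should list the ipBlock under "Allowing ingress traffic", and the gateway's Backend health page should return to healthy once the probes succeed.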
