Enforce NetworkPolicies to control access to pods in Azure ACS cluster

3/23/2018

I am trying to set up a NetworkPolicy to control access to pods running in an ACS cluster. The cluster is created using acs-engine with networkPolicy=azure.

The contents of the json file used to create the cluster:

{
  "apiVersion": "vlabs",
  "properties": {
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
        "networkPolicy": "azure"
      },
      "orchestratorRelease": "1.9"
    },
    ...
}

The network policy that I am applying is to deny all ingress traffic to pods in my namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress

The required restrictions do not take effect with this NetworkPolicy.

Is this even possible with "networkPolicy": "azure"?

Can someone point me in the right direction to achieve this?

-- Sachin
Tags: acs, azure, kubernetes, kubernetes-networkpolicy

1 Answer

3/27/2018

After exploring, I found that the Azure CNI policy does not support Kubernetes network policies. The solution is to use a CNI that supports them, e.g. Calico.

Container networking capabilities of Azure CNI

-- Sachin
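As an added example (not part of the question or the answer above), here is the corrected acs-engine apimodel fragment selecting Calico as the CNI, followed by the default-deny policy and one explicit allow rule that only takes effect once an enforcing CNI is in place. The namespace, labels and port are constructed, and "calico" as the acs-engine networkPolicy value is assumed from the answer's recommendation.

```yaml
# acs-engine apimodel fragment (a separate JSON file; JSON is valid YAML flow
# syntax). Only networkPolicy changes; agent pools etc. are omitted here.
{
  "apiVersion": "vlabs",
  "properties": {
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "orchestratorRelease": "1.9",
      "kubernetesConfig": {
        "networkPolicy": "calico"
      }
    }
  }
}
---
# Default deny: selects every pod in the namespace and declares the Ingress
# policy type with no ingress rules, so all inbound traffic is dropped once
# a policy-enforcing CNI such as Calico is installed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: myapp          # constructed namespace name
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Explicit allow: only pods labelled role=frontend in the same namespace may
# reach pods labelled app=api on TCP/8080; everything else stays denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: myapp
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 8080
```

To confirm enforcement after applying the two NetworkPolicy documents, a connection to an api pod from a pod without the role=frontend label should time out, while one from a frontend pod on port 8080 should succeed.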
Source: StackOverflow