Kubernetes Network Policy - Allow specific IP

12/4/2018

I'm using Kubernetes on IBM cloud.

I want to create a network policy that denies all the incoming connections to a pod (which exposes the app on port 3000), but which allows the incoming connections only from a specific IP (MY_IP).

I wrote this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <MY_POLICY_NAME>
  namespace: <MY_NAMESPACE>
spec:
  podSelector:
    matchLabels:
      app: <MY_APP>
      env: <MY_ENV>
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: <MY_IP>/24
        except:
        - <MY_IP>/32
    ports:
    - protocol: TCP
      port: 3000

Unfortunately, this is not working because it blocks all the connections.

How can I fix this?

-- Leonardo Carraro
ibm-cloud
ibm-cloud-kubernetes
kubernetes
kubernetes-ingress

1 Answer

12/4/2018

In your policy as it is right now, you are allowing ingress from that CIDR, except for all traffic from your <MY_IP>. So it is blocking all traffic from your IP.

PS: Source IP preservation is disabled by default for Ingress in IBM Cloud Kubernetes Service. Make sure you've enabled it for your Ingress service: https://console.bluemix.net/docs/containers/cs_ingress.html#preserve_source_ip

-- Rachael Graham
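As an added example, not part of the question or the answer above: a small Python model of the NetworkPolicy ipBlock and ports semantics, used to evaluate the posted policy and a corrected one against a constructed source address. The address 203.0.113.57 stands in for <MY_IP>, the label values are placeholders, and only ipBlock peers are modelled (no podSelector/namespaceSelector peers); all of that is assumed here, not taken from the post.

```python
# Added example (not from the original post): a model of Kubernetes
# NetworkPolicy ipBlock/ports evaluation, showing why the posted policy
# drops the asker's own address and what the corrected policy admits.
import ipaddress

# Constructed sample address standing in for <MY_IP> (TEST-NET-3, RFC 5737).
MY_IP = "203.0.113.57"

# The posted policy as a dict mirroring the YAML. The defect is in `except`:
# it carves MY_IP/32 back out of the /24 that `cidr` allowed, so every
# other host of the /24 is admitted and MY_IP itself is not.
ORIGINAL_POLICY = {
    "spec": {
        "podSelector": {"matchLabels": {"app": "myapp", "env": "prod"}},  # placeholder labels
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"ipBlock": {"cidr": f"{MY_IP}/24", "except": [f"{MY_IP}/32"]}}],
            "ports": [{"protocol": "TCP", "port": 3000}],
        }],
    }
}

# Corrected policy: allow exactly MY_IP (a /32), no `except`, same port.
FIXED_POLICY = {
    "spec": {
        "podSelector": {"matchLabels": {"app": "myapp", "env": "prod"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"ipBlock": {"cidr": f"{MY_IP}/32"}}],
            "ports": [{"protocol": "TCP", "port": 3000}],
        }],
    }
}


def ip_in_block(src_ip, block):
    """True if src_ip lies inside block['cidr'] and outside every block['except'] range."""
    ip = ipaddress.ip_address(src_ip)
    # strict=False accepts host-bit-set CIDRs such as "203.0.113.57/24",
    # which is how the question wrote it.
    if ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(ex, strict=False)
                   for ex in block.get("except", []))


def ingress_allowed(policy, src_ip, port, protocol="TCP"):
    """Decide whether a connection from src_ip to the selected pod's `port` is admitted.

    A rule matches when both its `from` peers (any of them) and its `ports`
    (any of them) match; an absent `from` means any source, an absent `ports`
    means any port. Once a pod is selected by an Ingress policy, anything no
    rule matches is dropped. Only ipBlock peers are modelled here.
    """
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True  # policy does not restrict ingress at all
    for rule in spec.get("ingress", []):
        ports = rule.get("ports")
        port_ok = not ports or any(
            p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
        peers = rule.get("from")
        peer_ok = not peers or any(
            "ipBlock" in peer and ip_in_block(src_ip, peer["ipBlock"]) for peer in peers)
        if port_ok and peer_ok:
            return True
    return False  # selected pod is isolated and no rule matched: drop


def compare(src_ip, port=3000):
    """Evaluate the same connection under the posted and the corrected policy."""
    return {
        "original": ingress_allowed(ORIGINAL_POLICY, src_ip, port),
        "fixed": ingress_allowed(FIXED_POLICY, src_ip, port),
    }


if __name__ == "__main__":
    for ip in (MY_IP, "203.0.113.58", "198.51.100.9"):
        print(ip, compare(ip))
```

The corrected manifest is the posted one with `cidr: <MY_IP>/32` and the `except` list removed. Note what the posted version actually does: a /24 with a /32 exception admits the other hosts of that network while refusing the one address that was meant to be allowed. The model only states what the policy admits; as the answer's postscript points out, whether the pod sees <MY_IP> as the source at all depends on source IP preservation being enabled on the IBM Cloud Ingress service, otherwise the packet arrives with a cluster-side source address and a /32 rule for <MY_IP> will not match it either.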
Source: StackOverflow