k8s pod can only access the host it is on

9/19/2019

In short, the pod can only access the host it is on.

I have a k8s-1.15 cluster with 3 nodes and the Calico plugin:

  • master.test.local (192.168.1.137)
  • node1.test.local (192.168.1.138)
  • node2.test.local (192.168.1.139)

There are 2 pods: pod-1 running on master (1.137) and pod-2 running on node1 (1.138). When I ping 192.168.1.138 from pod-1 (running on 1.137), I get:

[~pod-1] # ping 192.168.1.138
PING 192.168.1.138 (192.168.1.138): 56 data bytes

But if I ping 1.137 from pod-1 (running on 1.137), it succeeds:

[~pod-1] # ping 192.168.1.137
PING 192.168.1.137 (192.168.1.137): 56 data bytes
64 bytes from 192.168.1.137: seq=0 ttl=64 time=0.089 ms
64 bytes from 192.168.1.137: seq=1 ttl=64 time=0.094 ms

How should I solve it?

-- RYAN14
kubernetes

1 Answer

9/19/2019

Your question is answered in Issue #2543:

this looks to be working as expected, since your network policy doesn't have any egress rules.

If you want to deny egress from pod A, you can add the following section to the NetworkPolicy:

types:
- Ingress
- Egress

This will tell the policy to apply to both ingress and egress traffic, and all egress from pod A will be denied unless you specify egress rules.

Alternatively, you can create an ingress policy which selects pod B in order to prevent pod A from accessing it.

You can use calicoctl profile to edit the default policy that forbids inbound traffic:

calicoctl profile {{ profile_name }} rule add inbound allow from <ip>
-- Yasen
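As an added example (not from the answer or from the Calico issue it quotes), here are both approaches the answer describes as Calico projectcalico.org/v3 NetworkPolicy manifests: the first applies `types: [Ingress, Egress]` to pod-1 so that everything not matched by an egress rule is denied, and allows only ICMP to node1 (192.168.1.138) plus DNS; the second is an ingress policy on pod-2 that drops traffic from pod-1. The labels `app: pod-1` / `app: pod-2`, the namespace `default`, the policy names and the pod CIDR 10.244.0.0/16 are assumptions, not values from the question.

```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: pod-1-egress-to-node1        # hypothetical name
  namespace: default                 # assumed namespace
spec:
  selector: app == 'pod-1'           # assumed label on pod-1
  # As in the answer's snippet: the policy governs both directions,
  # so any egress not matched by a rule below is denied.
  types:
    - Ingress
    - Egress
  ingress:
    # Keep inbound open from the (assumed) pod CIDR so this policy
    # only changes what pod-1 may reach.
    - action: Allow
      source:
        nets:
          - 10.244.0.0/16
  egress:
    # Allow ping to node1 only; every other host stays unreachable.
    - action: Allow
      protocol: ICMP
      destination:
        nets:
          - 192.168.1.138/32
    # Once egress is governed, name resolution also breaks unless
    # DNS to kube-dns (UDP/53) is allowed explicitly.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports:
          - 53
---
# The answer's alternative: an ingress policy selecting pod-2 that
# denies pod-1 as a source; pod-1's own egress rules are untouched.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: pod-2-deny-from-pod-1        # hypothetical name
  namespace: default
spec:
  selector: app == 'pod-2'           # assumed label on pod-2
  types:
    - Ingress
  ingress:
    - action: Deny
      source:
        selector: app == 'pod-1'
```

Apply with `calicoctl apply -f <file>`; after the first policy is in place, a ping from pod-1 to 192.168.1.139 (node2) should fail while the ping to 192.168.1.138 still succeeds, which is the quickest check that the egress rules match the intent.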
Source: StackOverflow