Network policy on Google Kubernetes Engine not being applied

11/1/2019

I was trying to use a network policy for a pod on my GKE cluster, but I saw it is not working, although I have network policy enabled for both master and nodes.

Then I tried a deny-all network policy to see whether it is my network policy that is wrong or something with GKE, but to no avail.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

What am I doing wrong?

UPDATE:

These are the Calico Pods that were installed on my cluster:

calico-node-vertical-autoscaler-c97d48744-h4fjj                1/1     Running   0          5m24s
calico-typha-59cb487c49-hf4sg                                  1/1     Running   0          5m20s
calico-typha-horizontal-autoscaler-55c949db8f-vtvrf            1/1     Running   0          5m24s
calico-typha-vertical-autoscaler-f7c48db59-lj9h6               1/1     Running   0          5m24s

calico-typha-horizontal-autoscaler log is full of this:

k8sclient.go:221] Falling back to extensions/v1beta1, error using apps/v1: deployments.apps "calico-typha" is forbidden: User "system:serviceaccount:kube-system:typha-cpha" cannot get resource "deployments/scale" in API group "apps" in the namespace "kube-system"

Solution:

After poking around and after Suren's comment about checking logs, I figured it might be that the cluster is so small that it is not handling the load anymore, so I changed my node pool to a bigger one, and now everything is fine. It seems like GCP wasn't able to install everything for Calico, but no error or anything was showing.

-- CodeBird
google-kubernetes-engine
kubernetes-networkpolicy

0 Answers
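
The pod listing in the question shows only Typha and autoscaler pods and no per-node Calico agent, which fits the poster's conclusion that Calico was not fully installed. The check below is an added example, not part of the original post: it counts ready agent pods in a `kubectl get pods` listing and compares them to the node count. It assumes agent pods are named `calico-node-<suffix>`; the node counts and the healthy listing are constructed.

```shell
#!/bin/sh
# Count per-node Calico agent pods that are Running and fully ready.
# Reads `kubectl get pods -n kube-system --no-headers` style rows on stdin.
# Assumption: agent pods are named calico-node-<suffix>. The
# calico-node-vertical-autoscaler pod only sizes the agent, it enforces nothing.
ready_calico_agents() {
  awk '$1 ~ /^calico-node-[a-z0-9]+$/ && $3 == "Running" {
         split($2, r, "/"); if (r[1] == r[2] && r[2] > 0) n++
       } END { print n + 0 }'
}

# enforcement_status NODE_COUNT < listing
# "enforced" only when every node has a ready agent; a NetworkPolicy object
# accepted by the API server is not evidence that anything enforces it.
enforcement_status() {
  nodes=$1
  agents=$(ready_calico_agents)
  if [ "$nodes" -gt 0 ] && [ "$agents" -ge "$nodes" ]; then
    echo "enforced agents=$agents nodes=$nodes"
  else
    echo "not-enforced agents=$agents nodes=$nodes"
  fi
}

# Listing copied from the question: no calico-node-<suffix> rows at all.
page_listing() { cat <<'EOF'
calico-node-vertical-autoscaler-c97d48744-h4fjj                1/1     Running   0          5m24s
calico-typha-59cb487c49-hf4sg                                  1/1     Running   0          5m20s
calico-typha-horizontal-autoscaler-55c949db8f-vtvrf            1/1     Running   0          5m24s
calico-typha-vertical-autoscaler-f7c48db59-lj9h6               1/1     Running   0          5m24s
EOF
}

# Constructed listing: a 2-node cluster with a ready agent on each node.
healthy_listing() { cat <<'EOF'
calico-node-7xk2p                                 1/1   Running   0   9m
calico-node-q4w8z                                 1/1   Running   0   9m
calico-node-vertical-autoscaler-c97d48744-h4fjj   1/1   Running   0   9m
calico-typha-59cb487c49-hf4sg                     1/1   Running   0   9m
EOF
}

# Node count of 2 is constructed; on a live cluster use:
#   kubectl get pods -n kube-system --no-headers | \
#     enforcement_status "$(kubectl get nodes --no-headers | wc -l)"
page_listing | enforcement_status 2
healthy_listing | enforcement_status 2
```

A `not-enforced` result means the deny-all policy from the question can exist in the API while pod traffic stays unfiltered.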