I was trying to use a network policy for a pod on my GKE cluster, but I saw it is not working, although I have network policy enabled both for master and nodes.
Then I tried deny-all network policy to see if it is my network policy that is wrong, or something with GKE, but to no avail.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: default
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
What am I doing wrong?
UPDATE:
These are the Calico Pods that were installed on my cluster:
calico-node-vertical-autoscaler-c97d48744-h4fjj 1/1 Running 0 5m24s
calico-typha-59cb487c49-hf4sg 1/1 Running 0 5m20s
calico-typha-horizontal-autoscaler-55c949db8f-vtvrf 1/1 Running 0 5m24s
calico-typha-vertical-autoscaler-f7c48db59-lj9h6 1/1 Running 0 5m24s
calico-typha-horizontal-autoscaler log is full of this:
k8sclient.go:221] Falling back to extensions/v1beta1, error using apps/v1: deployments.apps "calico-typha" is forbidden: User "system:serviceaccount:kube-system:typha-cpha" cannot get resource "deployments/scale" in API group "apps" in the namespace "kube-system"
Solution:
After poking around and after Suren's comment about checking logs, I figured it might be the cluster is so small and it is not handling the load anymore, so changed my nodes pool to a bigger one, and now everything is fine, seems like GCP wasn't able to install everything for Calico, but no error or anything was showing.