I have a Flask service (6 replicas) and a UI (3 replicas) deployed using kind: Deployment,
but when I add a Calico NetworkPolicy like this:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: application-network-policy
  namespace: team-prod-xyz
  labels:
    app: application-network-policy
spec:
  podSelector:
    matchLabels:
      app: xyz-svc
      run: xyz-svc
  ingress:
  - ports:
    - port: 8000
    from:
    - podSelector:
        matchLabels:
          app: xyz-ui
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress
My Flask service responds like this if I access it directly:
504 Gateway Time-out
nginx/1.15.3
which is probably expected, but my UI cannot hit the endpoints either.
Why is that?
EDIT 2: Kubernetes and Ingress Information
Kubernetes Version -
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.8", GitCommit:"211047e9a1922595eaa3a1127ed365e9299a6c23", GitTreeState:"clean", BuildDate:"2019-10-15T12:02:12Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}
NAME                             READY   STATUS    RESTARTS   AGE
pod/xyz-mongodb-replicaset-0     1/1     Running   0          10d
pod/xyz-mongodb-replicaset-1     1/1     Running   0          7d
pod/xyz-mongodb-replicaset-2     1/1     Running   0          6d23h
pod/xyz-svc-7b589fbd4-25qd6      1/1     Running   0          20h
pod/xyz-svc-7b589fbd4-9n8jh      1/1     Running   0          20h
pod/xyz-svc-7b589fbd4-r5q9g      1/1     Running   0          20h
pod/xyz-ui-7d6f44b57b-8s4mq      1/1     Running   0          3d20h
pod/xyz-ui-7d6f44b57b-bl8r6      1/1     Running   0          3d20h
pod/xyz-ui-7d6f44b57b-jwhc2      1/1     Running   0          3d20h
pod/mongodb-backup-check         1/1     Running   0          20h

NAME                             TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)     AGE
service/xyz-mongodb-replicaset   ClusterIP   None          <none>        27017/TCP   10d
service/xyz-prod-service         ClusterIP   10.3.92.123   <none>        8000/TCP    20h
service/xyz-prod-ui              ClusterIP   10.3.49.132   <none>        80/TCP      10d
--Deployment--
--ReplicaSet--
--StatefulSet--
My Ingress looks like -
Name:             xyz-prod-svc
Namespace:        prod-xyz
Address:
Default backend:  default-http-backend:80 (<none>)
TLS:
  prod terminates xyz.prod.domain.com
Rules:
  Host                 Path       Backends
  ----                 ----       --------
  xyz.prod.domain.com
                       /          xyz-prod-u:80 (10.7.2.4:80,10.7.4.22:80,10.7.5.24:80)
                       /project   xyz-prod-servic:8000 (10.7.2.15:8000,10.7.5.10:8000,10.7.5.10:8000 + 3 more...)
                       /trigger   xyz-prod-servic:8000 (10.7.2.15:8000,10.7.5.10:8000,10.7.5.10:8000 + 3 more...)
                       /kpi       xyz-prod-servic:8000 (10.7.2.15:8000,10.7.5.10:8000,10.7.5.10:8000 + 3 more...)
                       /feedback  xyz-prod-servic:8000 (10.7.2.15:8000,10.7.5.10:8000,10.7.5.10:8000 + 3 more...)
Do I have to specify my Ingress in the podSelector option of my Network Policy?
So far my Network Policy looks like this -
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: application-network-policy
  namespace: app-prod-xyz
  labels:
    app: application-network-policy
spec:
  podSelector:
    # was "matchLabel": kubectl's validation rejects that key, and if it were
    # applied with validation off the selector would be dropped and the
    # policy would apply to every pod in the namespace
    matchLabels:
      run: xyz-svc
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: xyz-ui
    - podSelector:
        matchLabels:
          app: application-health-check
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: xyz-ui
    - podSelector:
        matchLabels:
          app: xyz-mongodb-replicaset
    - podSelector:
        matchLabels:
          app: mongodb-replicaset
EDIT 1: I learned that we need to expose port 8000 using a config map before the network policy.
EDIT 3: By UI I mean the deployment built from the Node image. I have to check whether the request is being sent through the UI pod or directly to the svc pod.
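Added example, not part of the original post: a NetworkPolicy that keeps the intent of the policies above but also admits the traffic the Ingress output shows. Every request for /project, /trigger, /kpi and /feedback is proxied by the nginx ingress-controller pod, so from the policy's point of view its source is that pod, not an `app: xyz-ui` pod; an ingress rule that only allows `app: xyz-ui` therefore blocks every browser request routed through the Ingress, which is what nginx reports as a 504. Restricting Egress to application pods alone also cuts off cluster DNS, so service names stop resolving. The namespace label `name: ingress-nginx`, the controller pod label `app.kubernetes.io/name: ingress-nginx`, the `name: kube-system` namespace label and the `k8s-app: kube-dns` pod label are assumptions about this cluster, and Kubernetes 1.14 does not label namespaces automatically (label them with `kubectl label ns kube-system name=kube-system` and `kubectl label ns ingress-nginx name=ingress-nginx`, or adjust the selectors to whatever `kubectl get ns --show-labels` reports).

```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: application-network-policy
  namespace: team-prod-xyz   # namespace of the xyz-svc pods (the post uses several spellings)
spec:
  podSelector:
    matchLabels:
      run: xyz-svc
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    # Requests that enter via the Ingress arrive from the ingress-controller pod.
    # namespaceSelector and podSelector in the same entry are ANDed, so this
    # matches only the controller pods, not every pod in that namespace.
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx                    # ASSUMED namespace label, verify
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx  # ASSUMED controller label, verify
    # Server-side calls made by the UI pods themselves.
    - podSelector:
        matchLabels:
          app: xyz-ui
    - podSelector:
        matchLabels:
          app: application-health-check
    ports:
    - protocol: TCP
      port: 8000
  egress:
  # Cluster DNS runs in kube-system; without this rule the Flask pods cannot
  # resolve xyz-mongodb-replicaset or any other service name.
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system                      # ASSUMED namespace label, verify
      podSelector:
        matchLabels:
          k8s-app: kube-dns                      # label used by kube-dns and CoreDNS
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Database traffic, limited to the MongoDB port instead of all ports.
  - to:
    - podSelector:
        matchLabels:
          app: xyz-mongodb-replicaset
    ports:
    - protocol: TCP
      port: 27017
```

To confirm which hop is being blocked before applying this, run `kubectl exec` into one of the xyz-ui pods and fetch `http://xyz-prod-service:8000/project` with curl or wget: if that succeeds while the same path through `xyz.prod.domain.com` times out, the blocked connection is ingress-controller to svc pod, not UI pod to svc pod. Also check the ingress controller's pods with `kubectl get pods -n <controller namespace> -o wide`: if it runs with `hostNetwork: true`, its connections carry the node's IP rather than a pod IP, and the ingress rule would need an `ipBlock` covering the node addresses instead of a pod selector.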