Network policy preventing all traffic to selected labels

7/31/2020

In our cluster we're running two versions of an API within separate node pools. For now our microservice traffic in each version routes from pod1 > service1 > service2 > pod2. I want to use a network policy to future proof our APIs against the possibility of pods in one version of the API communicating with the other.

Below is an example of the network policy I've written for version 1.1. However, this seems to be obstructing all traffic in the 1.1 node pool.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-v1-1
  namespace: default
spec:
  podSelector:              # pods this policy isolates
    matchLabels:
      version: v1-1
  policyTypes:
    - Ingress
    - Egress
  ingress:
  - from:
    - podSelector:          # only other version=v1-1 pods in namespace default
        matchLabels:
          version: v1-1
  egress:
  - {}                      # empty rule: allow all outgoing traffic

Here is the output of describe pod <podname> showing a match for the labels.

Name:         adduser-v1-1-696467d46-zkvq9
Namespace:    default
Labels:       app=adduser-v1-1
              pod-template-hash=696467d46
              version=v1-1

Just for confirmation I added the following statement into the code running in the pod above. I'm able to see the logging statement without the network policy in place. When the policy is active the request times out and the logging statement is nowhere to be found.

@api.route('/customer/add', methods=['POST'])
def create_customer():
    logger.info("inside create customer")

And for good measure here is our service:

apiVersion: v1
kind: Service
metadata:
  name: adduser-v1-1
spec:
  ports:
  - port: 80
    targetPort: 8081        # the port the container listens on
    protocol: TCP
    name: http
  selector:
    app: adduser-v1-1
  type: LoadBalancer        # reachable from outside the cluster

EDIT

Just to clarify: in my above example with pod1 > service1 > service2 > pod2, all pods and services 1 & 2 are in the same node pool, and pods 1 & 2 both contain the label version=v1-1. Example:

I want these pods to be able to talk to each other:

Pod1

Labels:       app=adduser-v1-1
              pod-template-hash=687b4f6b8d
              version=v1-1

Pod2

Labels:       app=authuser-v1-1
              pod-template-hash=5449f9bd6d
              version=v1-1

While these pods should be blocked by the Network Policy:

Pod1

Labels:       app=adduser-v1-1
              pod-template-hash=687b4f6b8d
              version=v1-1

Pod2

Labels:       app=authuser-v2-0
              pod-template-hash=bd87f9d55
              version=v2-0
-- NealR
google-kubernetes-engine
kubernetes
kubernetes-networkpolicy

1 Answer

7/31/2020

The above network policy networkpolicy-v1-1 will allow only ingress traffic from pod1 (version: v1-1) to pod1 (version: v1-1); it won't allow any other ingress traffic, but allows all outgoing traffic. Is that intentional? If pod1 > service1 > service2 > pod2 is to be implemented, then the network policy below can help. It will ensure that pod2 only receives traffic from pod1.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-v2-2
  namespace: default
spec:
  podSelector:              # pods this policy isolates; the value must match
    matchLabels:            # the version label on the v2 pods (the question's
      version: v2-2         # v2 pods carry version=v2-0)
  policyTypes:
    - Ingress
    - Egress
  ingress:
  - from:
    - podSelector:          # only version=v1-1 pods in namespace default
        matchLabels:
          version: v1-1
  egress:
  - {}                      # empty rule: allow all outgoing traffic
-- DBSand
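The following is an added example, not code from the question, the answer, or the Kubernetes project: a small Python model of how a NetworkPolicy decides whether ingress to a pod is allowed, run over the policy posted in the question and over an assumed fix. It shows why the posted policy admits v1-1 to v1-1 traffic and blocks v2-0 to v1-1 traffic, but also blocks anything that arrives through the LoadBalancer Service (the client is not a pod, so a podSelector peer can never match it), and why a podSelector alone is scoped to the policy's own namespace. The pods, their IPs, the external client address 203.0.113.10 and the pod CIDR 10.4.0.0/14 are all constructed assumptions; the model handles matchLabels, podSelector, namespaceSelector, ipBlock with except, and numeric ports only (no named ports, no port ranges, IPv4 only).

```python
# Added example (not from the original post): a model of the Kubernetes
# NetworkPolicy ingress decision.  Pods, IPs and the "fixed" policy are
# constructed; 10.4.0.0/14 is an assumed pod CIDR, substitute your own.
import copy
import ipaddress


def labels_match(selector, labels):
    """matchLabels: every selector key must be present with the same
    value; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src, namespaces):
    """One entry of an ingress `from` list.  podSelector alone is scoped to
    the policy's namespace; podSelector + namespaceSelector are ANDed;
    ipBlock is matched against the source IP only, so a selector peer
    never admits a cluster-external client."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src["ip"])
        block = peer["ipBlock"]
        return (ip in ipaddress.ip_network(block["cidr"])
                and not any(ip in ipaddress.ip_network(c)
                            for c in block.get("except", [])))
    if "labels" not in src:                    # not a pod, has no labels
        return False
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"],
                            namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:        # implicit: same namespace
        return False
    return ("podSelector" not in peer
            or labels_match(peer["podSelector"], src["labels"]))


def ingress_allowed(policies, dst, src, dst_port=8081, namespaces=None):
    """A pod selected by no Ingress policy accepts everything; once selected,
    only sources named by some rule get through (rules are ORed and can only
    allow, never deny).  A rule without `from` admits any source."""
    namespaces = namespaces or {}
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and labels_match(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            ports = rule.get("ports")
            if ports and not any(p.get("port") == dst_port for p in ports):
                continue
            froms = rule.get("from")
            if not froms or any(
                    peer_matches(f, pol["metadata"]["namespace"], src, namespaces)
                    for f in froms):
                return True
    return False


def pod(name, labels, ip, ns="default"):
    return {"name": name, "namespace": ns, "labels": labels, "ip": ip}


# Constructed pods carrying the labels shown in the question (hashes omitted).
ADDUSER_V1 = pod("adduser-v1-1", {"app": "adduser-v1-1", "version": "v1-1"}, "10.4.0.12")
AUTHUSER_V1 = pod("authuser-v1-1", {"app": "authuser-v1-1", "version": "v1-1"}, "10.4.0.13")
AUTHUSER_V2 = pod("authuser-v2-0", {"app": "authuser-v2-0", "version": "v2-0"}, "10.4.1.7")
EXTERNAL_CLIENT = {"ip": "203.0.113.10"}       # a client coming in via the LoadBalancer

# The policy exactly as posted in the question, in the API's JSON shape.
POSTED_POLICY = {
    "metadata": {"name": "networkpolicy-v1-1", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"version": "v1-1"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"version": "v1-1"}}}]}],
        "egress": [{}],
    },
}

# Assumed fix: keep the pod-to-pod rule and add a rule admitting sources
# outside the (assumed) pod CIDR on the Service's targetPort, so external
# clients get in while version=v2-0 pods stay blocked.
FIXED_POLICY = copy.deepcopy(POSTED_POLICY)
FIXED_POLICY["spec"]["ingress"].append({
    "from": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.4.0.0/14"]}}],
    "ports": [{"protocol": "TCP", "port": 8081}],
})


def check_all(policies):
    """Decisions for the flows discussed in the thread plus the LB path."""
    return {
        "v1-1 -> v1-1": ingress_allowed(policies, AUTHUSER_V1, ADDUSER_V1),
        "v2-0 -> v1-1": ingress_allowed(policies, ADDUSER_V1, AUTHUSER_V2),
        "external -> v1-1": ingress_allowed(policies, ADDUSER_V1, EXTERNAL_CLIENT),
    }


if __name__ == "__main__":
    for label, pols in (("posted", [POSTED_POLICY]), ("fixed", [FIXED_POLICY])):
        print(label, check_all(pols))
```

The ipBlock rule only works if the address the CNI sees for LoadBalancer traffic really is the client's; with externalTrafficPolicy: Cluster the source is typically SNATed to a node address on the way in, so check the effective source range (for example with a packet capture in the pod) before relying on the except list, and remember that ipBlock is meant for cluster-external ranges because pod IPs are ephemeral.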
Source: StackOverflow