We are using Rancher to set up clusters with Canal as the CNI. We decided to use Traefik as an Ingress Controller and wanted to create a NetworkPolicy. We disabled ProjectIsolation, and Traefik is running in the System project in the kube-system namespace.
I created this policy:
# deny all ingress traffic
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
---
# allow traefik
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-allow-traefik
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: kube-system
      podSelector:
        matchLabels:
          app: traefik
---
# allow backnet
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-allow-backnet
spec:
  podSelector: {}
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/24
    - ipBlock:
        cidr: 10.1.0.0/24
    - ipBlock:
        cidr: 10.2.0.0/24
    - ipBlock:
        cidr: 192.168.0.0/24
But somehow we can't get this to work. The connection times out and that's it. Is there a major problem with this policy? Something I didn't understand about NetworkPolicies?
Thanks in advance.
According to this from the K8s docs, there is now a label called kubernetes.io/metadata.name on all namespaces, which can be used to select a specific namespace as such:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
I solved the problem. It was a plain beginner mistake:
    - namespaceSelector:
        matchLabels:
          namespace: kube-system
I didn't add the label namespace: kube-system to the Namespace kube-system.
After adding the label it worked instantly.
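The two answers above both come down to how a namespaceSelector is evaluated: matchLabels is compared with the labels on the Namespace object, never with its name, so a key the namespace does not carry matches nothing. The following Python model is an added example, not code from the question or the answers. It reproduces that failure offline with constructed namespace and pod labels, shows why the auto-set kubernetes.io/metadata.name label works without editing the namespace, and also covers two related pitfalls a reviewer would check: putting namespaceSelector and podSelector in separate from items turns the AND into an OR, and a deny-all policy must list no ingress rule at all (the question's first policy, with from: - podSelector: {}, still admits every pod in the same namespace). The policy dicts mirror the YAML structure; only matchLabels is modelled, and the policies are assumed to already select the destination pod.

```python
"""Model of Kubernetes NetworkPolicy ingress matching (matchLabels only).

Added example, not code from the question or answers. Semantics modelled:
  * namespaceSelector.matchLabels is compared with the Namespace's labels,
    not with its name;
  * namespaceSelector and podSelector in ONE `from` item are ANDed;
  * separate `from` items are ORed;
  * a podSelector without namespaceSelector is scoped to the policy's own
    namespace; an empty selector {} matches everything;
  * a policy with no ingress rule admits nothing.
"""


def selector_matches(selector, labels):
    """{} matches all; {"matchLabels": {...}} needs every pair present."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def peer_matches(peer, policy_ns, peer_ns, peer_ns_labels, peer_pod_labels):
    """Evaluate one item of a `from:` list against a source pod."""
    if "ipBlock" in peer:
        return False  # address-based peers are outside this label model
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # not a valid peer; the API server rejects it
    if ns_sel is None:
        # podSelector alone only reaches pods in the policy's own namespace
        return peer_ns == policy_ns and selector_matches(pod_sel, peer_pod_labels)
    if not selector_matches(ns_sel, peer_ns_labels):
        return False
    return pod_sel is None or selector_matches(pod_sel, peer_pod_labels)


def ingress_allowed(policy, policy_ns, peer_ns, peer_ns_labels, peer_pod_labels):
    """True if any ingress rule of `policy` admits the source pod."""
    for rule in policy["spec"].get("ingress", []):
        froms = rule.get("from")
        if not froms:
            return True  # a rule without `from` matches every source
        if any(peer_matches(p, policy_ns, peer_ns, peer_ns_labels, peer_pod_labels)
               for p in froms):
            return True
    return False


def cluster_allows(policies, policy_ns, peer_ns, peer_ns_labels, peer_pod_labels):
    """Policies selecting the same pod are additive: allowed if any admits."""
    return any(ingress_allowed(p, policy_ns, peer_ns, peer_ns_labels, peer_pod_labels)
               for p in policies)


# --- constructed sample data (not taken from the question) ------------------
# Labels kube-system carries out of the box on a current Kubernetes release.
NS_LABELS_AS_CREATED = {"kubernetes.io/metadata.name": "kube-system"}
# Labels after the self-answer's fix of adding namespace=kube-system by hand.
NS_LABELS_AFTER_FIX = dict(NS_LABELS_AS_CREATED, namespace="kube-system")
TRAEFIK_POD = {"app": "traefik"}
OTHER_KUBE_SYSTEM_POD = {"app": "coredns"}  # hypothetical non-Traefik pod


def allow_traefik(ns_label_key):
    """The question's rule shape: namespace AND pod selector in one item."""
    return {"spec": {"podSelector": {}, "ingress": [{"from": [{
        "namespaceSelector": {"matchLabels": {ns_label_key: "kube-system"}},
        "podSelector": {"matchLabels": {"app": "traefik"}},
    }]}]}}


# Same two selectors as separate list items: a stray leading dash turns the
# AND into an OR and admits every pod in kube-system, not just Traefik.
ALLOW_TRAEFIK_SPLIT = {"spec": {"podSelector": {}, "ingress": [{"from": [
    {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}},
    {"podSelector": {"matchLabels": {"app": "traefik"}}},
]}]}}

# A real default-deny: selects every pod and lists no ingress rule.
DEFAULT_DENY = {"spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}


if __name__ == "__main__":
    args = ("app", "kube-system", NS_LABELS_AS_CREATED, TRAEFIK_POD)
    print("custom label, namespace unlabelled:", ingress_allowed(allow_traefik("namespace"), *args))
    print("metadata.name label:", ingress_allowed(allow_traefik("kubernetes.io/metadata.name"), *args))
```

Running the block prints False for the question's original rule against an unlabelled namespace and True for the kubernetes.io/metadata.name variant; the same functions show that the split form admits the hypothetical coredns pod, which the one-item form correctly refuses.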