Kubernetes NetworkPolicy doesn't block traffic

5/14/2021

I have a namespace called test, containing 3 pods: frontend, backend and database.

This is the manifest of the pods:

kind: Pod
apiVersion: v1
metadata:
  name: frontend
  namespace: test
  labels:
    app: todo
    tier: frontend
spec:
  containers:
    - name: frontend
      image: nginx

---

kind: Pod
apiVersion: v1
metadata:
  name: backend
  namespace: test
  labels:
    app: todo
    tier: backend
spec:
  containers:
    - name: backend
      image: nginx

---

kind: Pod
apiVersion: v1
metadata:
  name: database
  namespace: test
  labels:
    app: todo
    tier: database
spec:
  containers:
    - name: database
      image: mysql
      env:
      - name: MYSQL_ROOT_PASSWORD
        value: example

I would like to implement a network policy that allows incoming traffic to the database only from the backend, and disallows incoming traffic from the frontend.

This is my network policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-allow
  namespace: test
spec:
  podSelector:
    matchLabels:
      app: todo
      tier: database
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: todo
          tier: backend
    ports:
    - protocol: TCP
      port: 3306
    - protocol: UDP
      port: 3306

This is the output of kubectl get pods -n test -o wide:

NAME       READY   STATUS    RESTARTS   AGE   IP           NODE       NOMINATED NODE   READINESS GATES
backend    1/1     Running   0          28m   172.17.0.5   minikube   <none>           <none>
database   1/1     Running   0          28m   172.17.0.4   minikube   <none>           <none>
frontend   1/1     Running   0          28m   172.17.0.3   minikube   <none>           <none>

This is the output of kubectl get networkpolicy -n test -o wide:

NAME        POD-SELECTOR             AGE
app-allow   app=todo,tier=database   21m

When I execute telnet <ip-of-mysql-pod> 3306 from the frontend pod, the connection looks established and the network policy is not working:

kubectl exec -it pod/frontend bash -n test
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@frontend:/# telnet 172.17.0.4 3306
Trying 172.17.0.4...
Connected to 172.17.0.4.
Escape character is '^]'.
J
8.0.25 k{%J\�#(t%~qI%7caching_sha2_password

Is there something I'm missing?

Thanks

-- Quentin Merlin
kubernetes
kubernetes-networkpolicy
project-calico

1 Answer

5/15/2021

It seems that you forgot to add a "default deny" policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: test   # NetworkPolicy is namespaced; without this it lands in "default", not "test"
spec:
  podSelector: {}
  policyTypes:
  - Ingress

The default behavior of NetworkPolicy is to allow all connections between pods unless explicitly denied.

More details here: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic

-- Vasili Angapov
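To make the two manifests on this page (the question's app-allow policy and the answer's default-deny-ingress policy) concrete, here is an offline model of the NetworkPolicy evaluation rules, run over the three pods from the question. It is an added example, not code from the question, the answer or any Kubernetes project, and it models only the features those manifests use: same-namespace podSelector peers with matchLabels, policyTypes, and port lists (namespaceSelector, ipBlock and matchExpressions are deliberately left out). The pod labels and policy contents are transcribed from the page; the namespace on the answer's policy is assumed to be test. Two things the model makes visible: a pod becomes isolated for a direction as soon as any policy that selects it lists that direction in policyTypes, so the app-allow policy alone already isolates the database pod for ingress and the model denies frontend->database on 3306; and because app-allow lists Egress with no egress rules, the database pod's outbound traffic (including DNS) is fully denied, which is worth knowing before relying on that manifest. The API server stores a NetworkPolicy object whether or not the cluster's CNI plugin enforces it; minikube's default networking does not enforce NetworkPolicy, whereas Calico (the third tag on the question) does, so a correct policy that visibly has no effect is usually an enforcement question rather than a manifest question.

```python
"""Offline model of Kubernetes NetworkPolicy semantics, run over the pods and
policies from this page. Added example; not code from the question, the answer
or any Kubernetes project. Models only same-namespace podSelector peers with
matchLabels, policyTypes, and port lists."""

# Pod labels transcribed from the question's manifests (all in namespace "test").
PODS = {
    "frontend": {"app": "todo", "tier": "frontend"},
    "backend": {"app": "todo", "tier": "backend"},
    "database": {"app": "todo", "tier": "database"},
}

# The questioner's policy, transcribed from YAML into a dict of the same shape.
APP_ALLOW = {
    "metadata": {"name": "app-allow", "namespace": "test"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "todo", "tier": "database"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "todo", "tier": "backend"}}}],
            "ports": [{"protocol": "TCP", "port": 3306}, {"protocol": "UDP", "port": 3306}],
        }],
    },
}

# The answer's default-deny policy; namespace "test" is an assumption for this model.
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "test"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def selector_matches(selector, labels):
    """matchLabels only; an empty selector ({}) selects every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, labels):
    """Only same-namespace podSelector peers are modelled (ipBlock/namespaceSelector are not)."""
    return "podSelector" in peer and selector_matches(peer["podSelector"], labels)


def port_matches(ports, protocol, port):
    """An absent or empty ports list means every port and protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def isolation(policies, labels, direction):
    """Return (isolated, rules): whether any policy selecting this pod lists
    `direction` ("Ingress" or "Egress") in policyTypes, plus the union of
    that direction's rules across all policies that select the pod."""
    isolated, rules = False, []
    for policy in policies:
        spec = policy["spec"]
        if not selector_matches(spec["podSelector"], labels):
            continue
        # Kubernetes default when policyTypes is omitted: Ingress, plus Egress if egress rules exist.
        types = spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])
        if direction in types:
            isolated = True
            rules.extend(spec.get(direction.lower()) or [])
    return isolated, rules


def rule_allows(rule, peer_key, peer_labels, protocol, port):
    """A rule allows the connection if its peers (absent peers = anyone) and ports both match."""
    peers = rule.get(peer_key) or []
    peer_ok = not peers or any(peer_matches(p, peer_labels) for p in peers)
    return peer_ok and port_matches(rule.get("ports"), protocol, port)


def allowed(policies, src, dst, protocol="TCP", port=3306):
    """True if src -> dst:port passes both dst's ingress side and src's egress side."""
    src_labels, dst_labels = PODS[src], PODS[dst]
    isolated, rules = isolation(policies, dst_labels, "Ingress")
    if isolated and not any(rule_allows(r, "from", src_labels, protocol, port) for r in rules):
        return False
    isolated, rules = isolation(policies, src_labels, "Egress")
    if isolated and not any(rule_allows(r, "to", dst_labels, protocol, port) for r in rules):
        return False
    return True


def report(policies):
    """Map 'src->dst' to the model's verdict for every pod pair on TCP/3306."""
    return {f"{s}->{d}": allowed(policies, s, d) for s in PODS for d in PODS if s != d}


if __name__ == "__main__":
    for label, pols in (("app-allow only", [APP_ALLOW]),
                        ("app-allow + default-deny-ingress", [APP_ALLOW, DEFAULT_DENY_INGRESS])):
        print(label)
        for pair, ok in report(pols).items():
            print(f"  {pair:20} {'ALLOW' if ok else 'DENY'}")
```

Running the script prints the verdict matrix for both policy sets. With app-allow alone, frontend->database is DENY and backend->database is ALLOW, which is the behaviour the question expected from its manifest; adding default-deny-ingress additionally turns frontend->backend and backend->frontend to DENY. If a live cluster shows a connection the model denies, the difference between the model and the cluster is the CNI plugin's enforcement, which is the first thing to verify (on minikube, `minikube start --cni=calico` installs an enforcing plugin).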
Source: StackOverflow