Network policy not working with daemonset pods

7/21/2021

Is a network policy applicable to pods of a daemonset? I have a default deny network policy for all ingress and egress for all pods. However, it does not seem to be applied to pods belonging to the daemonset.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
-- Parvathy Mohan
Tags: calico, daemonset, kubernetes, kubernetes-networkpolicy, kubernetes-pod

1 Answer

7/21/2021

Netpol is applicable to the pods spawned by a daemonset. For netpol they are just pods, like the ones deployed by deployments or rs.

If you describe the netpol you provided, it says it's applicable to namespace=default.

Name:         default-deny
Namespace:    default
Created on:   2021-07-21 17:59:56 -0500 CDT
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress

and netpol is a namespaced resource:

NAME                              SHORTNAMES   APIVERSION                             NAMESPACED   KIND
networkpolicies                   netpol       networking.k8s.io/v1                   true         NetworkPolicy

This means your daemonset is created in a different namespace.

-- P....
Source: StackOverflow
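
Added example (not part of the original question or answer): a small Python model of how a NetworkPolicy selects pods, showing that the question's default-deny policy, applied without a namespace, isolates daemonset pods in default but not those in another namespace. The pod names and the monitoring namespace are constructed, and the hostNetwork row goes beyond the answer: Kubernetes documents NetworkPolicy behaviour for hostNetwork pods as undefined.

```python
def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector (matchLabels + matchExpressions)."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    for expr in selector.get("matchExpressions", []):
        key, vals = expr["key"], expr.get("values", [])
        ok = {"In": labels.get(key) in vals, "NotIn": labels.get(key) not in vals,
              "Exists": key in labels, "DoesNotExist": key not in labels}[expr["operator"]]
        if not ok:
            return False
    return True  # an empty selector {} matches every pod

def namespace_of(obj):
    # Without metadata.namespace, kubectl creates the object in the namespace of
    # the current context, which is "default" unless it was changed.
    return obj["metadata"].get("namespace", "default")

def isolation(pod, policies):
    """Return the directions ("Ingress", "Egress") in which the pod is isolated."""
    isolated = set()
    for pol in policies:
        if namespace_of(pol) != namespace_of(pod):
            continue  # NetworkPolicy is namespaced: it never selects other namespaces
        spec = pol["spec"]
        if selector_matches(spec.get("podSelector", {}), pod["metadata"].get("labels", {})):
            default_types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
            isolated |= set(spec.get("policyTypes", default_types))
    return isolated

def report(pods, policies):
    rows = {}
    for pod in pods:
        name = f'{namespace_of(pod)}/{pod["metadata"]["name"]}'
        if pod["spec"].get("hostNetwork"):
            rows[name] = "hostNetwork: NetworkPolicy behaviour undefined"
        else:
            rows[name] = ",".join(sorted(isolation(pod, policies))) or "not isolated"
    return rows

# Constructed sample data: the policy is the one from the question, the pods are made up.
DEFAULT_DENY = {"metadata": {"name": "default-deny"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
PODS = [  # web-5d9c stands for a Deployment pod, agent-* for daemonset pods
    {"metadata": {"name": "web-5d9c", "namespace": "default", "labels": {"app": "web"}}, "spec": {}},
    {"metadata": {"name": "agent-a1", "namespace": "default", "labels": {"app": "agent"}}, "spec": {}},
    {"metadata": {"name": "agent-b2", "namespace": "monitoring", "labels": {"app": "agent"}}, "spec": {}},
    {"metadata": {"name": "agent-c3", "namespace": "default", "labels": {"app": "agent"}},
     "spec": {"hostNetwork": True}},
]
if __name__ == "__main__":
    for pod, state in report(PODS, [DEFAULT_DENY]).items():
        print(f"{pod:24} {state}")
```

To cover the daemonset in the other namespace, the same policy has to be created there as well, since each NetworkPolicy only selects pods in its own namespace.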