kubernetes - Ingress network policy not working as expected

7/28/2021

I have 3 Kubernetes deployments and services for each of the deployments (namespace = firstspace). each deployment is labelled as app1, app2, app3 in order.

As an example, if I run the following command. I will get the first pod as the result.

kubectl get pods -l app=app1 --namespace firstspace

My goal is to restrict the Ingress access of the third pod (app=app3) using the following Network Policy allowing traffic only from the second pod (app=app2) and any pods from another namespace called "secondspace".

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-app3
  namespace: firstspace
spec:
  podSelector: 
    matchLabels:
      app: app3
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: secondspace
    - podSelector:
        matchExpressions:
          - {key: app, operator: In, values: [app2]}
  policyTypes:
  - Ingress

However, when I deploy the network policy to the "firstspace" namespace, I can still curl (and get a sample JSON response) the service of the third pod (app=app3) using the first pod (app=app1).

Following is a sample command. Here, 10.100.150.0 is the ClusterIP of the service created for the third pod.

kubectl exec app1-849b94c6df-rzdls --namespace firstspace -- curl -sL 10.100.150.0:8080/testendpoint

Can someone help me understand what I'm doing wrong here?

-- gayashanbc
kubernetes
kubernetes-ingress
kubernetes-networkpolicy

1 Answer

7/28/2021

After some trial and error, I observed the following. According to the Kubernetes Network Policies documentation, deployed Network Policies will only be effective if a network plugin is installed in the Kubernetes cluster.

Since my local minikube cluster did not have a network plugin, the network policy I mentioned in the question was not effective.

After installing the Cilium network plugin in my minikube cluster, the network policy worked as expected.

Notes:

  • Cilium network plugin installation was not successful on minikube when using docker as the driver, but it worked when hyperv was selected as the driver.
  • I had to create an Egress policy as well for the pod with the app=app2 label to allow egress traffic from the pod with the app=app3 label (see the example below).

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-app2
  namespace: firstspace
spec:
  podSelector: 
    matchLabels:
      app: app2
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: app3
  policyTypes:
  - Egress
-- gayashanbc
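The following is an added example, not code from the question or the answer above. It is a small offline evaluator of NetworkPolicy selection semantics: it takes the two policies from this thread as plain dicts mirroring the YAML, a constructed inventory of pods and namespaces, and answers "would an enforcing CNI allow this connection?". It shows the three things a practitioner checks when a policy "does nothing": (1) without a network plugin that implements NetworkPolicy the API server stores the object but nothing enforces it, so every connection is allowed; (2) `namespaceSelector` matches labels on the Namespace object, so `secondspace` must actually carry a `name=secondspace` label (the constructed namespaces here do); (3) once any Egress policy selects app2, app2 can only reach what that policy lists, which also cuts it off from cluster DNS. The `kube-dns` pod label and the `kube-system` namespace having no `name` label are assumptions for the demo; ports and `ipBlock` peers are not modelled.

```python
"""Offline evaluator for Kubernetes NetworkPolicy selection semantics.

Added example, not code from the original post. Policies are plain dicts
mirroring the YAML fields; ports and ipBlock peers are not modelled.
"""


def selector_matches(selector, labels):
    """True if a label selector (matchLabels / matchExpressions) matches `labels`.
    An empty selector {} matches everything; None (field absent) matches nothing."""
    if selector is None:
        return False
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if (op == "In" and labels.get(key) not in values) or \
           (op == "NotIn" and labels.get(key) in values) or \
           (op == "Exists" and not present) or (op == "DoesNotExist" and present):
            return False
    return True


def peer_matches(peer, policy_ns, pod, namespaces):
    """True if one `from`/`to` entry selects `pod`. namespaceSelector and podSelector
    in the SAME entry are ANDed; a podSelector alone only sees the policy's namespace."""
    if "ipBlock" in peer:
        return False  # not modelled here
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces[pod["namespace"]]):
            return False
    elif pod["namespace"] != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, pod["labels"])


def policy_types(spec):
    """Kubernetes default: Ingress always; Egress only if egress rules are present."""
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])


def _direction_allows(pod, other, direction, policies, namespaces):
    """One side of the check: Ingress on the destination, Egress on the source."""
    key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod["namespace"]
                 and direction in policy_types(p["spec"])
                 and selector_matches(p["spec"].get("podSelector", {}), pod["labels"])]
    if not selecting:
        return True  # pod is not isolated in this direction
    for pol in selecting:
        for rule in pol["spec"].get(key, []):
            peers = rule.get(peers_key)
            if not peers:  # empty or missing from/to matches every peer
                return True
            if any(peer_matches(pr, pol["metadata"]["namespace"], other, namespaces) for pr in peers):
                return True
    return False


def allowed(src, dst, policies, namespaces, cni_enforces=True):
    """Is src -> dst permitted? The source's egress AND the destination's ingress must
    allow it. With no enforcing network plugin the policies exist but do nothing."""
    if not cni_enforces:
        return True
    return (_direction_allows(src, dst, "Egress", policies, namespaces)
            and _direction_allows(dst, src, "Ingress", policies, namespaces))


# --- constructed inventory; namespaceSelector matches the labels on the Namespace ---
NAMESPACES = {"firstspace": {"name": "firstspace"},
              "secondspace": {"name": "secondspace"},
              "kube-system": {}}  # assumed: no "name" label


def pod(ns, **labels):
    return {"namespace": ns, "labels": labels}


APP1, APP2, APP3 = (pod("firstspace", app=a) for a in ("app1", "app2", "app3"))
CLIENT2 = pod("secondspace", app="client")
DNS = pod("kube-system", **{"k8s-app": "kube-dns"})  # assumed label of the cluster DNS pods

INGRESS_APP3 = {"metadata": {"name": "ingress-app3", "namespace": "firstspace"},
                "spec": {"podSelector": {"matchLabels": {"app": "app3"}},
                         "ingress": [{"from": [
                             {"namespaceSelector": {"matchLabels": {"name": "secondspace"}}},
                             {"podSelector": {"matchExpressions": [
                                 {"key": "app", "operator": "In", "values": ["app2"]}]}}]}],
                         "policyTypes": ["Ingress"]}}
EGRESS_APP2 = {"metadata": {"name": "egress-app2", "namespace": "firstspace"},
               "spec": {"podSelector": {"matchLabels": {"app": "app2"}},
                        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "app3"}}}]}],
                        "policyTypes": ["Egress"]}}
POLICIES = [INGRESS_APP3, EGRESS_APP2]


def report():
    """Evaluate the connections discussed in the thread; returns {name: allowed}."""
    return {
        "app1->app3": allowed(APP1, APP3, POLICIES, NAMESPACES),
        "app2->app3": allowed(APP2, APP3, POLICIES, NAMESPACES),
        "secondspace->app3": allowed(CLIENT2, APP3, POLICIES, NAMESPACES),
        "app1->app3 (no enforcing CNI)": allowed(APP1, APP3, POLICIES, NAMESPACES, cni_enforces=False),
        "app2->app1 (egress isolated)": allowed(APP2, APP1, POLICIES, NAMESPACES),
        "app2->kube-dns (egress isolated)": allowed(APP2, DNS, POLICIES, NAMESPACES),
    }


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:36} {'ALLOW' if ok else 'DENY'}")
```

Running it prints DENY for app1->app3 and ALLOW for app2->app3 and secondspace->app3, which is what the ingress-app3 policy should give on a cluster with an enforcing CNI; with `cni_enforces=False` app1->app3 is allowed, reproducing the symptom in the question. The last two rows show the side effect of the egress-app2 policy: app2 is now egress-isolated and loses access to everything except app3, including the cluster DNS pod, so a real deployment would add an egress rule for DNS (UDP/TCP 53 to the DNS pods) before relying on that policy.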
Source: StackOverflow