Question on network policy for lab 6.1

nbuekers

Hello,

In the last part of lab 6.1 we create a networkpolicy to only allow Ingress from Cidr 192.168.0.0/16 on port TCP 80.

This is confirmed working because from the second node (IP 10.132.0.4), I can no longer curl the node's internal IP (10.132.0.3:32000), nor the external IP from the master node from my laptop. And it still works to curl the pod's IP 192.168.174.82 on port 80 from the second and master node.

However what I don't understand is that I can still curl the master node's internal IP when I'm on the master node itself (10.132.0.3). This does not work like I said from the second node. If I remove the network policy it again also works from the second node.

Also in the logs of the webserver container of the pod, I can see incoming connection from 10.132.0.3. I don't understand how this is possible since CIDR ingress is limited to 192.168.0.0/16. I first thought the master node would use another NIC because it also has IP 192.168.174.64 from the tunl0 interface, but then my logs still show successful connection from 10.132.0.3. If this was true, my second node, with tunl0 interface having ip 192.168.247.2 should also be able to get in.

What am I missing here? This is my 'allclosed.yaml':

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
 name: deny-default
spec:
 podSelector: {}
 policyTypes:
 - Ingress
 ingress:
 - from:
   - ipBlock:
      cidr: 192.168.0.0/16
   ports:
   - port: 80
     protocol: TCP
# - Egress

nbuekers

hi,

thanks for getting back. I have 2 connections to my node1, one doing a $watch on the logs, and the other doing the curl. When I do the new curl, I do see the new log in the other window. Is this what you are referring to?