Question on network policy for lab 6.1

nbuekers

Hello,

In the last part of lab 6.1 we create a networkpolicy to only allow Ingress from Cidr 192.168.0.0/16 on port TCP 80.

This is confirmed working because from the second node (IP 10.132.0.4), I can no longer curl the node's internal IP (10.132.0.3:32000), nor the external IP from the master node from my laptop. And it still works to curl the pod's IP 192.168.174.82 on port 80 from the second and master node.

However what I don't understand is that I can still curl the master node's internal IP when I'm on the master node itself (10.132.0.3). This does not work like I said from the second node. If I remove the network policy it again also works from the second node.

Also in the logs of the webserver container of the pod, I can see incoming connection from 10.132.0.3. I don't understand how this is possible since CIDR ingress is limited to 192.168.0.0/16. I first thought the master node would use another NIC because it also has IP 192.168.174.64 from the tunl0 interface, but then my logs still show successful connection from 10.132.0.3. If this was true, my second node, with tunl0 interface having ip 192.168.247.2 should also be able to get in.

What am I missing here? This is my 'allclosed.yaml':

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
 name: deny-default
spec:
 podSelector: {}
 policyTypes:
 - Ingress
 ingress:
 - from:
   - ipBlock:
      cidr: 192.168.0.0/16
   ports:
   - port: 80
     protocol: TCP
# - Egress

serewicz

Hello,

It seems like with the NetworkPolicy in place you can still connect locally, but not from a remote system. Without tracing the traffic in detail this would indicate that the local connection is not being ingested in the same manner and thus bypassing the policy, in a similar manner that using the loopback interface does not actually use a full NIC, and remains in the node itself.

If you have two windows up are you seeing the incoming connection at the same time as you curl from an exterior instance? I'm wondering if you are seeing previous attempts, not ones where the policy was in place. I would agree that with the policy in place there should be no request to the container. If you indeed see traffic immediately , and the policy is in place please let me know and I will try to investigate further.

Regards,

nbuekers

hi,

thanks for getting back. I have 2 connections to my node1, one doing a $watch on the logs, and the other doing the curl. When I do the new curl, I do see the new log in the other window. Is this what you are referring to?

serewicz

Hello,

Yes. You should see traffic in the log window. This can be useful for troubleshooting issues and to see activity as the requests come in.

Regards,