Welcome to the Linux Foundation Forum!

Lab 6.5 deny policy doesn't work for curl on the same host

Hello, I just wanted to ask:

On Lab 6.5 when the default deny policy is applied, if I curl the ep or svc ip, or even the external IP with the nodeport, from the host on which the pod is running, it connects as expected. This threw me off for some time, thinking the policy was not working.

Finally I realized that if I curled from another node it worked as expected. Also the rules from within the container work as expected (I just hadn't try them yet)
So my question is, did the behavior change or perhaps the question "3. Then test from the host to the container" is wrong, at least from the same node. In my case, the pod was deployed to cp1 so it didn't work, if it was deployed to wk1, i would have not had this problem

Answers

  • Hi @jsm3031,

    You are correct, the behavior seems to be inconsistent when validating the policy against pods running on the same node vs other nodes of the cluster.

    However, the validation steps assume curl and ping are run by the user (who typically is not directly logged into any cluster nodes). What if the validation curl and ping is run from a test-pod against another pod on the same node, and eventually against a pod on another node. What are the results then?

    Regards,
    -Chris

Categories

Upcoming Training