Welcome to the Linux Foundation Forum!

Lab 6.3 / Exercise 6.5 is missing an important testing note

I've been following Lab 6.3, testing the deny-default NetworkPolicy. I was confused because, although the egress was (not) working as expected, the ingress rules didn't appear to be respected. Looking at the K8S documentation I think I found the answer: connections to a pod from the node that it is running on are not limited.

From the documentation: "When a pod is isolated for ingress, the only allowed connections into the pod are those from the pod's node and those allowed by the ingress list of some NetworkPolicy that applies to the pod for ingress."

Here's the policy:

  cameron_kerr_nz@a-cp:~/app2$ k describe networkpolicy deny-default
  Name:         deny-default
  Namespace:    default
  Created on:   2023-06-24 10:26:02 +0000 UTC
  Labels:       <none>
  Annotations:  <none>
  Spec:
    PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
    Allowing ingress traffic:
      <none> (Selected pods are isolated for ingress connectivity)
    Allowing egress traffic:
      <none> (Selected pods are isolated for egress connectivity)
    Policy Types: Ingress, Egress

From my control node (where the secondapp pod is running), I can still connect just fine:

  cameron_kerr_nz@a-cp:~/app2$ k get pods -o wide -l example=secondapp
  NAME        READY   STATUS    RESTARTS   AGE   IP               NODE   NOMINATED NODE   READINESS GATES
  secondapp   2/2     Running   0          37m   192.168.51.132   a-cp   <none>           <none>
  cameron_kerr_nz@a-cp:~/app2$ curl -s 192.168.51.132 | grep '<title>'
  <title>Welcome to nginx!</title>

I can also connect to the service:

  cameron_kerr_nz@a-cp:~/app2$ k get svc secondapp -o wide
  NAME        TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE    SELECTOR
  secondapp   NodePort   10.98.24.37   <none>        80:32000/TCP   7d6h   example=secondapp
  cameron_kerr_nz@a-cp:~/app2$ curl -s 10.98.24.37 | grep '<title>'
  <title>Welcome to nginx!</title>

Trying from another node, which is not the node running the pod, I get denied when trying to access the pod or the service:

  cameron_kerr_nz@a-worker-1:~$ curl -s 192.168.51.132 | grep '<title>'
  ^C (i.e. traffic was being dropped, timing out)

  cameron_kerr_nz@a-worker-1:~$ curl -s '10.98.24.37' | grep '<title>'
  ^C (i.e. traffic was being dropped, timing out)

Please update Exercise 6.5, as it makes no mention of this aspect of where the limit is actually being implemented. Not being aware of this behaviour will impact some people's testing.

My versioning at the time of writing:

  cameron_kerr_nz@a-worker-1:~$ k get nodes
  NAME         STATUS   ROLES           AGE   VERSION
  a-cp         Ready    control-plane   27d   v1.26.1
  a-worker-1   Ready    <none>          26d   v1.26.1

Thanks,
Cameron
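Added example (not part of Cameron's post or the lab material): a small Python model of the isolation rules the post quotes from the Kubernetes documentation, so the observed behaviour can be reasoned about before touching a cluster. It encodes when a pod counts as isolated for ingress or egress, how a peer in a from/to list is matched, and the exemption that traffic between a pod and its own node is never blocked. The deny-default policy is the one from the post; the allow-tester policy, the tester pod and the node IPs are constructed for the example, and only matchLabels selectors and ipBlock peers are supported (no matchExpressions, no ports). It models the specification's logic, not what a particular CNI plugin actually enforces on the wire.

```python
"""Model of Kubernetes NetworkPolicy isolation, reduced to the rules quoted
from the docs (added example, not from the forum post or the lab).

A pod is isolated for a direction when some NetworkPolicy in its namespace
selects it and lists that direction in policyTypes. Once isolated, a peer is
allowed only if some rule of a selecting policy matches it, with one
exception: traffic between the pod and its own node is never blocked.
Assumptions: only matchLabels selectors and ipBlock peers, no ports and no
matchExpressions; node and tester IPs below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    node: str
    labels: dict = field(default_factory=dict)


@dataclass
class Node:
    name: str
    ip: str


def selector_matches(selector, labels):
    """A missing or empty selector matches everything; matchLabels is AND."""
    if not selector:
        return True
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """policyTypes default: Ingress always, Egress only if egress rules are given."""
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def policies_for(pod, policies):
    """Policies in the pod's namespace whose podSelector selects the pod."""
    return [p for p in policies
            if p["metadata"]["namespace"] == pod.namespace
            and selector_matches(p["spec"].get("podSelector"), pod.labels)]


def is_isolated(pod, policies, direction):
    return any(direction in policy_types(p["spec"]) for p in policies_for(pod, policies))


def peer_matches(peer, other, target_ns, namespaces):
    """One entry of a from/to list; other is a Pod or a Node."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(other.ip)
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    if not isinstance(other, Pod):
        return False  # nodes and external hosts can only be matched by ipBlock
    if "namespaceSelector" in peer:
        # namespaceSelector alone: any pod in a matching namespace;
        # together with podSelector: both must match (AND).
        if not selector_matches(peer["namespaceSelector"], namespaces.get(other.namespace, {})):
            return False
        return selector_matches(peer.get("podSelector"), other.labels)
    if "podSelector" in peer:
        # podSelector on its own is scoped to the policy's own namespace
        return other.namespace == target_ns and selector_matches(peer["podSelector"], other.labels)
    return False


def allowed(target, other, policies, direction="Ingress", namespaces=None):
    """Is traffic between target and other allowed in the given direction?"""
    namespaces = namespaces or {}
    if not is_isolated(target, policies, direction):
        return True
    if isinstance(other, Node) and other.name == target.node:
        return True  # the node-local exemption the forum post ran into
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for p in policies_for(target, policies):
        if direction not in policy_types(p["spec"]):
            continue
        for rule in p["spec"].get(rules_key, []):
            peers = rule.get(peers_key)
            if not peers:  # a rule without from/to matches every peer
                return True
            if any(peer_matches(peer, other, target.namespace, namespaces) for peer in peers):
                return True
    return False


# The deny-default policy from the post, plus constructed objects to probe it.
DENY_DEFAULT = {"metadata": {"name": "deny-default", "namespace": "default"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
ALLOW_TESTER = {"metadata": {"name": "allow-tester", "namespace": "default"},  # constructed
                "spec": {"podSelector": {"matchLabels": {"example": "secondapp"}},
                         "policyTypes": ["Ingress"],
                         "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "tester"}}}]}]}}
SECONDAPP = Pod("secondapp", "default", "192.168.51.132", "a-cp", {"example": "secondapp"})
A_CP = Node("a-cp", "10.0.0.10")              # constructed node IP
A_WORKER_1 = Node("a-worker-1", "10.0.0.11")  # constructed node IP
TESTER = Pod("tester", "default", "192.168.71.5", "a-worker-1", {"role": "tester"})  # constructed

if __name__ == "__main__":
    for src in (A_CP, A_WORKER_1, TESTER):
        print(f"{src.name} -> secondapp (deny-default only): {allowed(SECONDAPP, src, [DENY_DEFAULT])}")
    print("tester -> secondapp with allow-tester:", allowed(SECONDAPP, TESTER, [DENY_DEFAULT, ALLOW_TESTER]))
```

The first run reproduces the post: the control plane node is allowed purely because secondapp is scheduled on it, the other node and a pod on it are dropped, and adding an allow rule admits the tester pod without opening anything for the worker node. The practical consequence for the exercise is to probe from a pod on a different node (or from a different namespace) rather than from the node hosting the target, and to treat curl from the hosting node as proving nothing about the policy.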
