Welcome to the Linux Foundation Forum!

Network policy not working using pods label selector

suser
suser Posts: 67
edited April 2020 in LFD259 Class Forum

Hello!

During ex 6.6 I am not able get my network policy to block all ingress and egress traffic using pod selector by label, after creation and re-creation of the deployment I am still able to access nginx web page when I expected to get any traffic denied. Any help is greatly appreciated:

kubectl describe networkpolicies netblock
Name: netblock
Namespace: default
Created on: 2020-04-28 01:26:37 +0000 UTC
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"netblock","namespace":"default"},"spec":{...
Spec:
PodSelector: app=nserver
Allowing ingress traffic:
(Selected pods are isolated for ingress connectivity)
Allowing egress traffic:
(Selected pods are isolated for egress connectivity)
Policy Types: Ingress, Egress

network policy yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: netblock
namespace: default
spec:
podSelector:
matchLabels:
app: nserver
policyTypes:
- Ingress
- Egress

kubectl describe pod ndeploy-76dcd7ccd8-jmjp4 | grep Labels
Labels: app=nserver

kubectl describe pod ndeploy-76dcd7ccd8-jmjp4
Name: ndeploy-76dcd7ccd8-jmjp4
Namespace: default
Priority: 0
Node: kw1/10.1.10.31
Start Time: Tue, 28 Apr 2020 01:47:11 +0000
Labels: app=nserver
pod-template-hash=76dcd7ccd8
type=nserver
Annotations: cni.projectcalico.org/podIP: 192.168.159.115/32
Status: Running
IP: 192.168.159.115
IPs:
IP: 192.168.159.115
Controlled By: ReplicaSet/ndeploy-76dcd7ccd8
Containers:
nginx:
Container ID: docker://f4924d52f1e021a9304795ee0b9e4078cb4fee81f20a04cd74ec6a37b1be8262
Image: nginx:1.14.2
Image ID: docker-pullable://nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d
Port: 80/TCP
Host Port: 0/TCP
State: Running
Started: Tue, 28 Apr 2020 01:47:13 +0000
Ready: True
Restart Count: 0
Environment:
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-zqbsw (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
default-token-zqbsw:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-zqbsw
Optional: false
QoS Class: BestEffort
Node-Selectors:
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 7m5s default-scheduler Successfully assigned default/ndeploy-76dcd7ccd8-jmjp4 to kw1
Normal Pulled 7m4s kubelet, kw1 Container image "nginx:1.14.2" already present on machine
Normal Created 7m4s kubelet, kw1 Created container nginx

Stefan

Best Answer

Answers

  • chrispokorni
    chrispokorni Posts: 2,155

    Hi Stefan,

    You can take a look at the default policy examples available in the official documentation:

    https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies

    You may notice that default policies do not include any selectors.

    Regards,
    -Chris

  • suser
    suser Posts: 67

    Chris,
    I will be very thankful to learn how to use the NetworkPolicy spec.podselectors to filter pods for which a network policy applies for.

    Stefan

  • suser
    suser Posts: 67

    Thank you very much Chris, I read the third time and I realized that my new policy was only adding to the one previously created; I deleted the old one and now the new policy is working for my selected pods as expected.

    Stefan

Categories

Upcoming Training