Network policy not working using pods label selector
Hello!
During ex 6.6 I am not able get my network policy to block all ingress and egress traffic using pod selector by label, after creation and re-creation of the deployment I am still able to access nginx web page when I expected to get any traffic denied. Any help is greatly appreciated:
kubectl describe networkpolicies netblock
Name: netblock
Namespace: default
Created on: 2020-04-28 01:26:37 +0000 UTC
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"netblock","namespace":"default"},"spec":{...
Spec:
PodSelector: app=nserver
Allowing ingress traffic:
(Selected pods are isolated for ingress connectivity)
Allowing egress traffic:
(Selected pods are isolated for egress connectivity)
Policy Types: Ingress, Egress
network policy yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: netblock
namespace: default
spec:
podSelector:
matchLabels:
app: nserver
policyTypes:
- Ingress
- Egress
kubectl describe pod ndeploy-76dcd7ccd8-jmjp4 | grep Labels
Labels: app=nserver
kubectl describe pod ndeploy-76dcd7ccd8-jmjp4
Name: ndeploy-76dcd7ccd8-jmjp4
Namespace: default
Priority: 0
Node: kw1/10.1.10.31
Start Time: Tue, 28 Apr 2020 01:47:11 +0000
Labels: app=nserver
pod-template-hash=76dcd7ccd8
type=nserver
Annotations: cni.projectcalico.org/podIP: 192.168.159.115/32
Status: Running
IP: 192.168.159.115
IPs:
IP: 192.168.159.115
Controlled By: ReplicaSet/ndeploy-76dcd7ccd8
Containers:
nginx:
Container ID: docker://f4924d52f1e021a9304795ee0b9e4078cb4fee81f20a04cd74ec6a37b1be8262
Image: nginx:1.14.2
Image ID: docker-pullable://nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d
Port: 80/TCP
Host Port: 0/TCP
State: Running
Started: Tue, 28 Apr 2020 01:47:13 +0000
Ready: True
Restart Count: 0
Environment:
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-zqbsw (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
default-token-zqbsw:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-zqbsw
Optional: false
QoS Class: BestEffort
Node-Selectors:
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 7m5s default-scheduler Successfully assigned default/ndeploy-76dcd7ccd8-jmjp4 to kw1
Normal Pulled 7m4s kubelet, kw1 Container image "nginx:1.14.2" already present on machine
Normal Created 7m4s kubelet, kw1 Created container nginx
Stefan
Best Answer
-
Hi Stefan,
I would recommend reading up on the network policy documentation. In the introductory sections, you will find explained how the policy behaves once you introduce selectors. It may be the opposite of what you would expect
https://kubernetes.io/docs/concepts/services-networking/network-policies/
Regards,
-Chris5
Answers
-
Hi Stefan,
You can take a look at the default policy examples available in the official documentation:
https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies
You may notice that default policies do not include any selectors.
Regards,
-Chris0 -
Chris,
I will be very thankful to learn how to use the NetworkPolicy spec.podselectors to filter pods for which a network policy applies for.Stefan
0 -
Thank you very much Chris, I read the third time and I realized that my new policy was only adding to the one previously created; I deleted the old one and now the new policy is working for my selected pods as expected.
Stefan
0
Categories
- All Categories
- 177 LFX Mentorship
- 177 LFX Mentorship: Linux Kernel
- 754 Linux Foundation IT Professional Programs
- 374 Cloud Engineer IT Professional Program
- 170 Advanced Cloud Engineer IT Professional Program
- 74 DevOps IT Professional Program - Discontinued
- 5 DevOps & GitOps IT Professional Program
- 100 Cloud Native Developer IT Professional Program
- 7.6K Training Courses & Learning Paths
- 2 AI & ML Training
- 1 Blockchain & Decentralized Identity Training
- 5 Cloud & Containers Training
- 1 Cybersecurity Training
- 2 DevOps & Site-Reliability Training
- 1 Linux Kernel Development Training
- 1 Networking Training
- 2 Open Source Best Practice Training
- 2 System Administration Training
- 1 System Engineering Training
- 1 Web & Application Development Training
- 794 Hardware
- 202 Drivers
- 68 I/O Devices
- 37 Monitors
- 95 Multimedia
- 173 Networking
- 91 Printers & Scanners
- 89 Storage
- 769 Linux Distributions
- 81 Debian
- 68 Fedora
- 22 Linux Mint
- 13 Mageia
- 24 openSUSE
- 150 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 356 Ubuntu
- 465 Linux System Administration
- 31 Cloud Computing
- 73 Command Line/Scripting
- Github systems admin projects
- 98 Linux Security
- 78 Network Management
- 101 System Management
- 46 Web Management
- 112 Mobile Computing
- 20 Android
- 77 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 393 Off Topic
- 121 Introductions
- 182 Small Talk
- 29 Study Material
- 977 Programming and Development
- 310 Kernel Development
- 649 Software Development
- 990 Software
- 382 Applications
- 182 Command Line
- 5 Compiling/Installing
- 68 Games
- 317 Installation
- Archived
- 2 LFD140 Class Forum
- 1.4K LFS258 Class Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)