K8s Network Policy is not working

I've implemented a network policy that allows access to pod-b in namespace beta from pod-a in namespace alpha ONLY. But it is not working as expected. I have re-checked all the manifests and nothing seems to be wrong. Please have a look at them and see if you can find anything that should be changed.

Note: this is for my CKA preparation. I am running a minikube cluster on my laptop with Calico as the CNI plugin.

pod-a

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2023-05-01T12:37:26Z"
  labels:
    app: pod-a
  name: pod-a
  namespace: alpha
  resourceVersion: "1292955"
  uid: afc7a921-3a1a-49bd-9d31-4e11f69f0fde
spec:
  containers:
  - args:
    - sleep
    - "72000"
    image: curlimages/curl
    imagePullPolicy: Always
    name: pod-a
    resources: {}

pod-b

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2023-05-01T12:32:20Z"
  labels:
    app: pod-b
  name: pod-b
  namespace: beta
  resourceVersion: "1292378"
  uid: dd9491fc-6c78-4441-b8c8-db6a4f1fe33c
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: pod-b
    resources: {}

ClusterIP

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2023-05-01T12:33:47Z"
  labels:
    app: pod-b
  name: netpol-test
  namespace: beta
  resourceVersion: "1293341"
  uid: 910fe136-fec9-4442-b98a-eb74bbbcc652
spec:
  clusterIP: 10.110.162.221
  clusterIPs:
  - 10.110.162.221
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: pod-b
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Network Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-pod-a-to-pod-b
  namespace: beta
spec:
  podSelector:
    matchLabels:
      app: pod-b
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: alpha
      podSelector:
        matchLabels:
          app: pod-a
    ports:
    - protocol: TCP
      port: 80

But I have been able to access pod-b even from the default namespace with a random container.

k -n default run test-curl -l "team=backend" --rm -it --restart=Never --image=curlimages/curl -- curl 10-244-0-147.beta.pod.cluster.local

OR

k -n default run test-curl -l "team=backend" --rm -it --restart=Never --image=curlimages/curl -- curl netpol-test.beta.svc.cluster.local
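Added example (not part of the post above): a small Python model of how a NetworkPolicy ingress rule is evaluated, with the post's `allow-pod-a-to-pod-b` policy transcribed into a dict and three constructed source pods. It implements the two rules that matter here: `namespaceSelector` and `podSelector` inside one `from` entry are ANDed, and once any policy selects a pod, ingress that matches no rule is dropped. Under these semantics the `test-curl` pod in `default` cannot reach pod-b at all, so a successful curl from `default` against an enforcing CNI is not explainable by the selector wording; the model also shows that the rule only admits pod-a if the `alpha` namespace actually carries a `name: alpha` label (the label Kubernetes adds on its own is `kubernetes.io/metadata.name`). The scenario labels, the helper names and the `matchLabels`-only selector handling are assumptions of this example.

```python
# Added example: a model of Kubernetes NetworkPolicy ingress evaluation.
# Not the poster's code; selectors support matchLabels only (no matchExpressions,
# no ipBlock peers), which is all the policy in the post uses.

POLICY = {  # transcribed from the post's allow-pod-a-to-pod-b manifest
    "metadata": {"name": "allow-pod-a-to-pod-b", "namespace": "beta"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "pod-b"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {
                "from": [
                    {
                        "namespaceSelector": {"matchLabels": {"name": "alpha"}},
                        "podSelector": {"matchLabels": {"app": "pod-a"}},
                    }
                ],
                "ports": [{"protocol": "TCP", "port": 80}],
            }
        ],
    },
}

POD_B_LABELS = {"app": "pod-b"}  # labels of the destination pod from the post


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value must be present on the object.
    An empty selector ({} or a missing matchLabels) matches everything."""
    match_labels = (selector or {}).get("matchLabels", {})
    return all(labels.get(key) == value for key, value in match_labels.items())


def peer_matches(peer, src_namespace, src_ns_labels, src_pod_labels, policy_namespace):
    """Evaluate one entry of a 'from' list. namespaceSelector and podSelector
    in the same entry are ANDed; a podSelector on its own is scoped to the
    policy's own namespace."""
    ns_selector = peer.get("namespaceSelector")
    pod_selector = peer.get("podSelector")
    if ns_selector is None and pod_selector is None:
        return False  # ipBlock-only peers are outside this model
    if ns_selector is not None:
        if not selector_matches(ns_selector, src_ns_labels):
            return False
    elif src_namespace != policy_namespace:
        return False
    if pod_selector is not None and not selector_matches(pod_selector, src_pod_labels):
        return False
    return True


def port_matches(ports, port, protocol):
    """An absent or empty 'ports' list allows every port and protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(policy, src_namespace, src_ns_labels, src_pod_labels,
                    dst_pod_labels, port, protocol="TCP"):
    """Return True if this single policy permits the connection. A policy that
    does not select the destination pod imposes nothing on it; once it does
    select the pod, the traffic must match at least one ingress rule."""
    spec = policy["spec"]
    policy_namespace = policy["metadata"]["namespace"]
    if not selector_matches(spec.get("podSelector"), dst_pod_labels):
        return True
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True
    for rule in spec.get("ingress", []):
        peers = rule.get("from")
        peer_ok = not peers or any(  # an absent 'from' admits every source
            peer_matches(p, src_namespace, src_ns_labels, src_pod_labels, policy_namespace)
            for p in peers)
        if peer_ok and port_matches(rule.get("ports"), port, protocol):
            return True
    return False


# Constructed source pods mirroring the post. Kubernetes labels every namespace
# with kubernetes.io/metadata.name on its own; a 'name' label only exists if
# someone applied it with kubectl label.
SCENARIOS = {
    "pod-a, alpha labelled name=alpha":
        ("alpha", {"kubernetes.io/metadata.name": "alpha", "name": "alpha"}, {"app": "pod-a"}),
    "pod-a, alpha without name label":
        ("alpha", {"kubernetes.io/metadata.name": "alpha"}, {"app": "pod-a"}),
    "test-curl in default (team=backend)":
        ("default", {"kubernetes.io/metadata.name": "default"}, {"team": "backend"}),
}


def evaluate_scenarios(port=80):
    """Map each scenario name to whether POLICY admits it to pod-b on the port."""
    return {name: ingress_allowed(POLICY, ns, ns_labels, pod_labels, POD_B_LABELS, port)
            for name, (ns, ns_labels, pod_labels) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}")
```

Checking the real cluster against this model is the useful part: `kubectl get namespace alpha --show-labels` tells you whether the `name: alpha` label the selector expects is there, and if the curl from `default` still succeeds with the policy in place, the thing to verify is that the CNI that minikube actually started is one that enforces NetworkPolicy.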
