user_01_02

Reputation: 763

Kubernetes calico networkpolicy

I am a newbie to Kubernetes and trying to learn Calico networking. I am following this documentation (https://docs.aws.amazon.com/eks/latest/userguide/calico.html) and I tried to create a NetworkPolicy for the traffic to flow between backend and client:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: stars
  name: backend-client
spec:
  podSelector:
    matchLabels:
      role : client
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              role: backend
      ports:
        - protocol: TCP
          port: 9000

I finished all 10 steps in the documentation, and I tried to test by creating a policy that would send traffic from the backend to the client with the above policy.

When I applied the policy there was no error, but I don't see the traffic/connection between the two.

Please let me know what is wrong.

Upvotes: 0

Views: 568

Answers (2)

pr-pal

Reputation: 3558

Creating a NetworkPolicy alone will not ensure that the NetworkPolicy is enforced. We should configure a network plugin like Calico, which is integrated with Kubernetes and executes the necessary operations to achieve the intent of the given Network Policy.

https://kubernetes.io/docs/concepts/services-networking/network-policies/ says

"Network policies are implemented by the network plugin, so you must be using a networking solution which supports NetworkPolicy - simply creating the resource without a controller to implement it will have no effect."

Upvotes: 1

Erik Stidham

Reputation: 201

I believe you need to put your policy in the client namespace instead of the stars namespace. I don't believe there are any pods with role: client in the stars namespace. A pod selector like you've specified only applies to pods in the namespace the policy is in.

While I don't think it is as direct as it could be, the Kubernetes Network Policy docs do mention that a NetworkPolicy applies in the given namespace. I suggest you check them out if you haven't already.

I hope that helps.

Upvotes: 0
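
The namespace scoping described in the answer above, as an added example that is not part of the original posts: a simplified Python model of how a NetworkPolicy's podSelector and `from` peers are evaluated. The cluster layout (namespaces, labels, pods) and the `FIXED` policy are constructed for illustration, and the `kubernetes.io/metadata.name` namespace label is assumed to be present (recent Kubernetes versions set it automatically).

```python
# Simplified model of NetworkPolicy ingress matching (matchLabels only;
# ports and default-deny isolation are left out). Cluster data is constructed.
NAMESPACES = {  # namespace name -> namespace labels (assumed)
    "stars":  {"kubernetes.io/metadata.name": "stars"},
    "client": {"kubernetes.io/metadata.name": "client", "role": "client"},
}
PODS = [  # (namespace, pod name, pod labels), all assumed
    ("stars", "frontend", {"role": "frontend"}),
    ("stars", "backend", {"role": "backend"}),
    ("client", "client", {"role": "client"}),
]

def matches(selector, labels):
    """An empty or absent matchLabels selector matches everything in scope."""
    return all(labels.get(k) == v for k, v in (selector or {}).items())

def selected_pods(policy):
    """spec.podSelector only sees pods in the policy's own namespace."""
    return [name for ns, name, labels in PODS
            if ns == policy["namespace"] and matches(policy["podSelector"], labels)]

def allowed_sources(policy):
    """Pods admitted by the 'from' peers; namespaceSelector tests namespace labels."""
    out = []
    for peer in policy["from"]:
        for ns, name, labels in PODS:
            if "namespaceSelector" in peer:
                ns_ok = matches(peer["namespaceSelector"], NAMESPACES[ns])
            else:  # a bare podSelector peer is limited to the policy's namespace
                ns_ok = ns == policy["namespace"]
            if ns_ok and matches(peer.get("podSelector"), labels):
                out.append(f"{ns}/{name}")
    return out

# The policy as posted in the question.
POSTED = {"namespace": "stars", "podSelector": {"role": "client"},
          "from": [{"namespaceSelector": {"role": "backend"}}]}
# Hypothetical corrected form: placed in the client namespace, admitting
# role=backend pods from the stars namespace.
FIXED = {"namespace": "client", "podSelector": {"role": "client"},
         "from": [{"namespaceSelector": {"kubernetes.io/metadata.name": "stars"},
                   "podSelector": {"role": "backend"}}]}

if __name__ == "__main__":
    for name, pol in (("posted", POSTED), ("fixed", FIXED)):
        print(name, selected_pods(pol), allowed_sources(pol))
```

In this constructed layout the posted policy selects no pods at all, which is why applying it produces no error and no change in traffic.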
