Abdennour TOUMI

Reputation: 93491

kubernetes network policy to disable all internet connections for specific namespace on AWS - EKS

I wanna deny the container from accessing the public internet.

After a long research, I found this example: DENY external egress traffic :

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo-deny-external-egress
spec:
  podSelector:
    matchLabels:
      app: foo
  policyTypes:
  - Egress
  egress:
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
    to:
    - namespaceSelector: {}

But it does not work. Indeed, I ran wget https://google.com and I got a positive response. Any hint is appreciated.

Upvotes: 1

Views: 4989

Answers (2)

mrdependable

Reputation: 11

The default CNI on EKS doesn't support network policies. You should either

Upvotes: 1

DT.

Reputation: 3571

The network policy works fine on calico. Network Policy has no effect on a cluster using the flannel network plugin.

As mentioned on this link, Flannel is focused on networking. For network policy, other projects such as Calico can be used.

Network policy blocks traffic as expected on a cluster using calico.

I have two clusters, one using flannel and one using calico, and the test works as expected on calico.

Logs:

$ kubectl apply -f networkpolicy.yaml
networkpolicy.networking.k8s.io/foo-deny-external-egress created


ubuntu@calico-master-1:~$ kubectl run busybox --image=busybox --restart=Never -- sleep 3600
pod/busybox created


$ kubectl get networkpolicy
NAME                       POD-SELECTOR   AGE
foo-deny-external-egress   run=busybox    30m

$ kubectl exec -it busybox -- /bin/sh
/ # wget https://google.com
Connecting to google.com (74.125.193.102:443)
wget: can't connect to remote host (74.125.193.102): Connection timed out

On a cluster using Flannel, creating a network policy has no effect:

ubuntu@k8s-flannel:~$ kubectl exec -it busybox -- /bin/sh
/ # curl https://google.com
/bin/sh: curl: not found
/ # wget https://google.com
Connecting to google.com (216.58.207.238:443)
wget: note: TLS certificate validation not implemented
Connecting to www.google.com (172.217.20.36:443)
saving to 'index.html'
index.html           100% |*************************************************************************************************************************************************| 12498  0:00:00 ETA
'index.html' saved

Apply policy

$ kubectl apply -f networkpolicy.yaml
networkpolicy.networking.k8s.io/foo-deny-external-egress created

$ kubectl get networkpolicy
NAME                       POD-SELECTOR   AGE
foo-deny-external-egress   run=busybox    32m

We can still reach the outside network, as the network policy does not work on flannel.

$ kubectl exec -it busybox -- /bin/sh
/ # wget https://google.com
Connecting to google.com (172.217.22.174:443)
wget: note: TLS certificate validation not implemented
Connecting to www.google.com (172.217.20.36:443)
saving to 'index.html'
index.html           100% |*************************************************************************************************************************************************| 12460  0:00:00 ETA
'index.html' saved

Upvotes: 3
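To make the two points above concrete (what the question's policy is supposed to allow, and why a CNI that ignores NetworkPolicy objects lets the wget through), here is a small evaluator of the egress semantics of that exact policy. It is an added example, not code from the question or the answers; the `Dest` type, the `egress_allowed` function and the `cni_enforces` switch are constructed for illustration, and only `namespaceSelector` peers are modelled.

```python
"""Evaluate egress decisions for the NetworkPolicy from the question (added example).

Kubernetes semantics modelled here: once a pod is selected by a policy with
policyTypes: [Egress], every egress connection is denied unless some egress
rule allows it. A rule with both `ports` and `to` allows a connection only if
it matches one of the ports AND one of the `to` peers. `namespaceSelector: {}`
matches pods in every namespace but never matches an IP outside the cluster.
"""
from dataclasses import dataclass
from typing import Optional

# The policy from the question, transcribed into a dict (constructed here).
POLICY = {
    "podSelector": {"matchLabels": {"app": "foo"}},
    "policyTypes": ["Egress"],
    "egress": [{
        "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}],
        "to": [{"namespaceSelector": {}}],
    }],
}

@dataclass
class Dest:
    """Egress destination: a pod in a cluster namespace, or an external IP (namespace=None)."""
    port: int
    protocol: str
    namespace: Optional[str] = None
    ns_labels: Optional[dict] = None

def _peer_matches(peer, dest):
    # Only namespaceSelector peers are modelled; an empty selector matches every namespace.
    if "namespaceSelector" not in peer or dest.namespace is None:
        return False  # external addresses are never "in a namespace"
    sel = peer["namespaceSelector"].get("matchLabels", {})
    return all((dest.ns_labels or {}).get(k) == v for k, v in sel.items())

def _port_matches(spec, dest):
    return spec.get("port") == dest.port and spec.get("protocol", "TCP") == dest.protocol

def egress_allowed(policy, pod_labels, dest, cni_enforces=True):
    """True if the connection is allowed. cni_enforces=False models a CNI that
    ignores NetworkPolicy objects (the answers' flannel / default EKS CNI case)."""
    if not cni_enforces:
        return True
    sel = policy["podSelector"].get("matchLabels", {})
    if any(pod_labels.get(k) != v for k, v in sel.items()) or "Egress" not in policy["policyTypes"]:
        return True  # pod not selected by this policy: nothing is restricted
    for rule in policy.get("egress", []):
        ports_ok = not rule.get("ports") or any(_port_matches(p, dest) for p in rule["ports"])
        to_ok = not rule.get("to") or any(_peer_matches(peer, dest) for peer in rule["to"])
        if ports_ok and to_ok:
            return True
    return False
```

With an enforcing CNI the policy lets a selected pod reach port 53 in any namespace and nothing else, so the successful wget to an external host is evidence that the CNI is not enforcing the policy rather than a defect in the YAML.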
