Reputation: 457
I'm having trouble setting up a Network Policy that looks fine to me. Here are the 2 pods in the same namespace
```
k get po --show-labels
NAME                         READY   STATUS    RESTARTS   AGE   LABELS
nfs-server-ccb8d5ff6-7rtr4   1/1     Running   0          22h   role=nfs-server
nginx-jpm-549b69bf68-x5hd7   1/1     Running   0          21h   app=nginx-jpm
```
And I'm restricting traffic to the nfs-server pod using the following network policy spec:
```yaml
spec:
  podSelector:
    matchLabels:
      role: nfs-server
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Allow inbound from nginx-jpm on all ports
  - from:
    - podSelector:
        matchLabels:
          app: nginx-jpm
  egress:
  # Allow outbound DNS traffic inside the cluster (kube-system namespace is not labelled)
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: "UDP"
      port: 53
```
I exec into the nginx pod and am unable to connect to the nfs-server pod
```
root@nginx-jpm-549b69bf68-x5hd7:/# telnet nfs-server.jenkinsrepo.svc.cluster.local 111
Trying 172.22.117.55...
```
If I delete the network policy, it works then
```
root@nginx-jpm-549b69bf68-x5hd7:/# telnet nfs-server.jenkinsrepo.svc.cluster.local 111
Trying 172.22.117.55...
Connected to nfs-server.jenkinsrepo.svc.cluster.local.
Escape character is '^]'.
```
Is there something I've missed in my network policy? There is no other network policy in the namespace.
Upvotes: 0
Views: 1258
Reputation: 750
Your egress rule is translated as: apply these rules to traffic where the namespace is not labelled "AND" the port is 53 UDP; it's an "AND" of rules. Even though DNS egress traffic might be working, all other egress traffic from all pods is still blocked, which might be the reason.
If you try the below, it will allow outgoing traffic if: (destination pod is in a namespace which is not labelled) OR ((port is 53 UDP) OR (port is 53 TCP))
```yaml
egress:
- to:
  - namespaceSelector: {}
- ports: # 2nd egress rule
  - port: 53 # allow DNS UDP
    protocol: UDP
  - port: 53 # allow DNS TCP
    protocol: TCP
```
link: https://docs.projectcalico.org/security/tutorials/kubernetes-policy-advanced
Upvotes: 0
Reputation: 44569
Since you have a podSelector which selects pods with the role: nfs-server label, the egress rule gets applied to only those pods and hence egress is blocked from the nginx pod. You should probably create a separate network policy for egress only to cluster DNS which applies to all pods.
Upvotes: 1
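Putting the two answers together, here is an added example (it is not part of the question or of either answer) of the same intent written as two policies so that the rule semantics work in the poster's favour. The semantics relied on are: everything inside one ingress or egress rule (its from/to peer list plus its ports list) is AND-ed; separate rules in the list are OR-ed; and a policy only constrains the pods its podSelector matches, so a pod that no policy selects keeps the default allow-all. The namespace jenkinsrepo comes from the telnet output in the question. The label k8s-app: kube-dns, used to pin DNS egress to the cluster DNS pods, is the default CoreDNS label in kubeadm clusters and is an assumption here, as are the policy names.

```yaml
# Added example, not taken from the question or the answers above.
# Policy 1: the nfs-server pod. Inbound only from nginx-jpm (all ports, because
# no "ports:" list is given), outbound only DNS. Inside the single egress rule
# the peer (any namespace AND pods labelled k8s-app=kube-dns) is AND-ed with
# the ports list, which is exactly the behaviour answer 1 describes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nfs-server-policy          # assumed name
  namespace: jenkinsrepo
spec:
  podSelector:
    matchLabels:
      role: nfs-server
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx-jpm
  egress:
  - to:
    - namespaceSelector: {}        # {} matches every namespace, not only unlabelled ones
      podSelector:
        matchLabels:
          k8s-app: kube-dns        # assumed: default CoreDNS label in kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# Policy 2: the nginx-jpm pod, the "separate policy for DNS egress" of answer 2,
# scoped to the client pod. Its two egress rules are OR-ed: rule 1 allows DNS,
# rule 2 allows any port on the nfs-server pod (TCP 111 in the question).
# Without rule 2 the telnet in the question would be blocked by this policy,
# because once a pod is selected with policyTypes Egress every outbound flow
# that no rule allows is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-jpm-egress           # assumed name
  namespace: jenkinsrepo
spec:
  podSelector:
    matchLabels:
      app: nginx-jpm
  policyTypes:
  - Egress
  egress:
  - to:                            # rule 1: cluster DNS only
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:                            # rule 2: the NFS server, all ports
    - podSelector:
        matchLabels:
          role: nfs-server
```

Apply both with kubectl apply -f and repeat the telnet from the nginx pod. kubectl describe networkpolicy -n jenkinsrepo prints each policy as the API server parsed it, which is the quickest way to notice a ports: list that was nested under to: instead of sitting beside it, a mistake that is easy to make once indentation is lost. Policy 1 needs no egress rule for the reply packets of the inbound TCP 111 session: the common implementations (Calico, Cilium) are connection-tracking and pass the return traffic of a connection that was allowed in, so restricting the server's egress to DNS does not by itself break an allowed inbound connection.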