Daniel
Reputation: 151
Calico CNI networkPolicy not affecting pods running on nodes
I've been trying to implement a network policy on my cluster (k8s bare-metal) and no policies seem to be implemented on pods running on cluster nodes, only on pods running directly on the master.
What I've tried:
- A single namespace with a master+node and calico CNI with calicoctl with k8s datastore (I can see the calico/calicoctl containers running on both nodes)
- Both networkPolicy types (networking.k8s.io/v1 & projectcalico.org/v3)
- Applying a simple deny any ingress/egress policy and testing ping to 8.8.8.8 (pod on master gets blocked, pods on other nodes can still ping)
Appreciate your help
Upvotes: 0
Views: 742
Answers (1)
Daniel
Reputation: 151
Found the problem was with the deployment where I've used 'hostNetwork' which uses a subnet that is not part of the pod network (thus Calico is unaware of).
Removing the 'hostNetwork: true' param made the container get a suitable IP and network policies applied to it.
Upvotes: 1
Related Questions
- Kubernetes NetworkPlugin cni failed to set up pod
- Network policy not working with daemonset pods
- Kubernetes: cannot see network policies created with calico
- Kubernetes DNS and NetworkPolicy with Calico not working
- Starting with Calico network policy in Kubernetes
- Kubernetes Networkpolicy dosen't block traffic
- calico network connectivity failing between pods and services and pods in different hosts
- kubernetes networking: pod cannot reach nodes
- Error when applying Calico network on Kubernetes cluster