Parvathy Mohan

Reputation: 89

Network policy not working with daemonset pods

Is a network policy applicable to pods of a DaemonSet? I have a default deny network policy for all ingress and egress for all pods. However, it does not seem to be applied to pods belonging to the DaemonSet.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Upvotes: 0

Views: 577

Answers (1)

P....

Reputation: 18351

netpol is applicable to the pods spawned under a daemonset. For netpol they are just pods, like the ones deployed by deployments or rs.

If you describe the netpol you provided, it says it's applicable to namespace=default.

Name:         default-deny
Namespace:    default
Created on:   2021-07-21 17:59:56 -0500 CDT
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress

and netpol is a namespaced resource:

NAME                              SHORTNAMES   APIVERSION                             NAMESPACED   KIND
networkpolicies                   netpol       networking.k8s.io/v1                   true         NetworkPolicy

This means your daemonset was created under some different namespace.

Here is one example:

Created a daemon set:

kubectl get pod -n jackops  -o wide
NAME          READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE   READINESS GATES
curl          1/1     Running   0          53m   10.233.75.51     node2   <none>           <none>
dummy-2b9qv   1/1     Running   0          50m   10.233.75.4      node2   <none>           <none>
dummy-tx9rl   1/1     Running   0          50m   10.233.102.149   node1   <none>           <none>

Verified that curl is working without netpol:

k exec -it curl -n jackops   -- curl -m 5  10.233.75.4 -I
HTTP/1.1 200 OK
Server: nginx/1.23.3
Date: Tue, 07 Feb 2023 17:13:05 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 13 Dec 2022 15:53:53 GMT
Connection: keep-alive
ETag: "6398a011-267"
Accept-Ranges: bytes

Applied the below netpol:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: jackops
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Now, the connection is not going through:

k exec -it curl -n jackops   -- curl -m 5  10.233.75.4 -I
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28

About knowing who the parent of an object is:

kubectl get pod -n jackops  dummy-2b9qv -ojsonpath='{.metadata.ownerReferences}'
[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"DaemonSet","name":"dummy","uid":"cba5c840-672a-4ad8-830f-03993e32117a"}]

Upvotes: 1
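One way to check this mechanically, as an added example that is not part of the original question or answer: a Python script that reproduces the NetworkPolicy selection rule (same namespace first, then podSelector) over objects shaped like `kubectl get pods -o json` / `kubectl get netpol -o json` items, and lists the pods no policy isolates. The pod names, labels and the `web-only` policy below are constructed for illustration, not real cluster output; the DaemonSet pod and the `default-deny` policy mirror the answer's scenario.

```python
"""Work out which pods a set of NetworkPolicies actually select.

Added example (not from the original Q&A). The objects are constructed to look
like trimmed items from `kubectl get pods -o json` and `kubectl get netpol -o json`.
"""
from typing import Any, Dict, List

# Constructed sample data, not real cluster output.
PODS: List[Dict[str, Any]] = [
    {"metadata": {"name": "web-7f9c", "namespace": "default",
                  "labels": {"app": "web"},
                  "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7f9c"}]}},
    {"metadata": {"name": "dummy-2b9qv", "namespace": "jackops",
                  "labels": {"app": "dummy"},
                  "ownerReferences": [{"kind": "DaemonSet", "name": "dummy", "controller": True}]}},
    {"metadata": {"name": "curl", "namespace": "jackops", "labels": {}}},
]

POLICIES: List[Dict[str, Any]] = [
    # The asker's policy: no namespace in the manifest, so it landed in "default".
    {"metadata": {"name": "default-deny", "namespace": "default"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    # Assumed policy in jackops that only isolates app=web pods for ingress.
    {"metadata": {"name": "web-only", "namespace": "jackops"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"]}},
]


def owner_kinds(pod: Dict[str, Any]) -> List[str]:
    """Kinds listed in metadata.ownerReferences (DaemonSet, ReplicaSet, ...)."""
    return [ref.get("kind", "") for ref in pod["metadata"].get("ownerReferences", [])]


def daemonset_pods(pods: List[Dict[str, Any]]) -> List[str]:
    """namespace/name of every pod owned by a DaemonSet."""
    return [f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
            for p in pods if "DaemonSet" in owner_kinds(p)]


def selector_matches(selector: Dict[str, Any], labels: Dict[str, str]) -> bool:
    """Label selector semantics: an empty selector ({}) matches every pod;
    matchLabels and matchExpressions are ANDed together."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def policy_types(policy: Dict[str, Any]) -> set:
    """policyTypes defaults to Ingress, plus Egress when an egress section is present."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def policies_selecting(pod: Dict[str, Any], policies: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Policies that select this pod. The namespace is compared first because a
    NetworkPolicy is namespaced and never reaches pods in another namespace."""
    meta = pod["metadata"]
    return [p for p in policies
            if p["metadata"]["namespace"] == meta["namespace"]
            and selector_matches(p["spec"].get("podSelector") or {}, meta.get("labels") or {})]


def unisolated_pods(pods: List[Dict[str, Any]], policies: List[Dict[str, Any]],
                    direction: str = "Ingress") -> List[str]:
    """Pods that no policy isolates for the given direction, i.e. all traffic is still allowed."""
    out = []
    for pod in pods:
        if not any(direction in policy_types(p) for p in policies_selecting(pod, policies)):
            out.append(f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}')
    return out


if __name__ == "__main__":
    print("DaemonSet pods:", daemonset_pods(PODS))
    print("Not isolated for ingress:", unisolated_pods(PODS, POLICIES, "Ingress"))
    print("Not isolated for egress:", unisolated_pods(PODS, POLICIES, "Egress"))
```

With the data above the DaemonSet pod `jackops/dummy-2b9qv` shows up as not isolated even though `default-deny` has an empty `podSelector`, because the policy lives in `default`. Appending a copy of `default-deny` with `namespace: jackops` to `POLICIES` empties the list, which is the fix the answer describes.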
