PJEM

Reputation: 667

K8s network policy restrict egress for one endpoint only

I need to create a NetworkPolicy for my pod which, from the network aspect, needs to access only one specific endpoint outside the cluster, and only this endpoint.

The endpoint looks like the following: https://140.224.232.236:8088

Before applying the following network policy I exec'd into the pod (the image is based on Alpine) and ran `ping www.google.com`, and it worked as expected.

However, when I apply the network policy and try to ping google.com I get `ping: bad address 'www.google.com'`, but when I ping the IP like

  1. ping 140.224.232.236
  2. ping 140.224.232.236:8080

it gets stuck, whereas before I was able to see something like this

64 bytes from 140.224.232.236: seq=518 ttl=245 time=137.603 ms
64 bytes from 140.224.232.236: seq=519 ttl=245 time=137.411 ms
64 bytes from 140.224.232.236: seq=520 ttl=245 time=137.279 ms
64 bytes from 140.224.232.236: seq=521 ttl=245 time=137.138 ms
....

Now it just gets stuck on this. Any idea?

ping 140.224.232.236
PING 140.224.232.236 (140.224.232.236): 56 data bytes

and nothing more. What does it mean?

What I did is the following:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: foo
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 140.224.232.236/32
    ports:
    - protocol: TCP
      port: 8088

  1. I applied it in the same namespace as the pod.
  2. The pod selector label was taken from the pod I want the network policy to apply to, which has the following label: app.kubernetes.io/name: foo

Upvotes: 2

Views: 1946

Answers (3)

My IT GURU

Reputation: 300

Your network policy is perfect. You cannot use ping to test your TCP port, as ping works with the ICMP protocol.

There are ways to test your configuration without changing your network policy.

For example:

  1. exec into the pod and run this one-liner. You should get 'Port is open'.
$  </dev/tcp/140.224.232.236/8088 && echo Port is open || echo Port is closed   # uses bash's /dev/tcp redirection; not available in busybox sh
Port is open

/dev/tcp/host/port
    If host is a valid hostname or Internet address, and port is an integer port number
    or service name, bash attempts to open a TCP connection to the corresponding socket.
/dev/udp/host/port
    If host is a valid hostname or Internet address, and port is an integer port number
    or service name, bash attempts to open a UDP connection to the corresponding socket.
  2. If curl/wget is installed, exec into the pod and run curl/wget:
curl -k https://140.224.232.236:8088
wget --no-check-certificate https://140.224.232.236:8088
  3. If the network tool nc is present, exec into the pod and run this command; if '0' is returned it works.
nc 140.224.232.236 8088 &> /dev/null; echo $?
0

or the command below should return 'succeeded':

nc -zv 140.224.232.236 8088
Connection to 140.224.232.236 8088 port [tcp/*] succeeded!

Upvotes: 1

YwH

Reputation: 1140

As you defined egress with ports:

ports:
- protocol: TCP
  port: 8080

which means allowing connections to ip 140.224.232.236 on TCP port 8080.

However, ping (ICMP) does not know the port. Ping will fail every time.


  1. ping is a networking utility used to test the reachability of a remote host over Internet Protocol (IP). The ping utility does so by sending out a series of Internet Control Message Protocol (ICMP) echo request packets to a remote host.

  2. You cannot probe a specific port with ping command because ICMP belongs to layer-3 IP layer, not layer-4 transport layer (e.g., TCP/UDP).

  3. In order to ping a specific port of a remote host, you need to use layer-4 transport protocols which have a notion of port numbers, with many command-line tools like:

Upvotes: 3

Victor Hugo Montes

Reputation: 1322

You are allowing egress traffic to port 8088 over TCP, not ICMP. Ping won't work with that applied.

If you want to allow a non-TCP, non-UDP protocol using the vanilla Kubernetes API for network policies, then you need to omit the port definition.

You can also use a network policy API of Calico for this matter.

That gives more flexibility when it comes to configuring Network Policies in your cluster.

Upvotes: 1
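The three answers above all make the same point: a rule with a `ports` list only ever matches TCP/UDP/SCTP flows, so ICMP is dropped. The other symptom in the question, `ping: bad address 'www.google.com'`, has the same root cause: the poster's policy also blocks egress to the cluster DNS, so name resolution fails before any packet leaves. The following is an added Python model of the v1 NetworkPolicy egress semantics (not code from the question or any answer; `ipBlock`, `namespaceSelector` and `podSelector` peers with `matchLabels` only, no `matchExpressions` or named ports) that evaluates the posted policy against a few constructed flows. The kube-dns labels, the `kube-system` namespace label, the sample IPs and the extra DNS rule are assumptions and should be checked against the real cluster.

```python
"""Evaluate Kubernetes NetworkPolicy egress rules against candidate flows.

Added example, not code from the original question or answers. Models the v1
NetworkPolicy egress semantics (ipBlock, namespaceSelector and podSelector peers
with matchLabels only; matchExpressions and named ports are left out).
"""
import copy
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Flow:
    """One egress attempt from the selected pod to a destination."""
    dst_ip: str
    protocol: str                          # "TCP", "UDP", "SCTP" or "ICMP"
    port: Optional[int] = None             # None for ICMP, which has no L4 port
    dst_namespace: Optional[str] = None    # None when the destination is outside the cluster
    dst_ns_labels: Dict[str, str] = field(default_factory=dict)
    dst_pod_labels: Dict[str, str] = field(default_factory=dict)


def _labels_match(selector: dict, labels: Dict[str, str]) -> bool:
    # An empty selector ({}) matches everything; matchLabels is an AND of equalities.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer: dict, flow: Flow, policy_ns: str) -> bool:
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(flow.dst_ip)
        block = peer["ipBlock"]
        in_cidr = ip in ipaddress.ip_network(block["cidr"], strict=False)
        excluded = any(ip in ipaddress.ip_network(e, strict=False) for e in block.get("except", []))
        return in_cidr and not excluded
    if flow.dst_namespace is None:         # selector peers only match in-cluster pods
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if flow.dst_namespace != policy_ns:  # podSelector alone is scoped to the policy's namespace
            return False
    elif not _labels_match(ns_sel, flow.dst_ns_labels):
        return False
    return pod_sel is None or _labels_match(pod_sel, flow.dst_pod_labels)


def _port_matches(rule_port: dict, flow: Flow) -> bool:
    # A NetworkPolicyPort defaults to TCP. ICMP carries no port, so a rule that
    # lists ports can never admit a ping, whatever the destination.
    if flow.protocol == "ICMP" or rule_port.get("protocol", "TCP") != flow.protocol:
        return False
    port = rule_port.get("port")
    if port is None:
        return True                        # any port of that protocol
    return port <= flow.port <= rule_port.get("endPort", port)


def _policy_types(spec: dict) -> List[str]:
    # policyTypes defaults to Ingress, plus Egress when egress rules are present.
    return spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))


def egress_allowed(policy: dict, flow: Flow) -> bool:
    """True if this single policy's egress rules admit the flow."""
    spec = policy["spec"]
    if "Egress" not in _policy_types(spec):
        return True                        # this policy does not isolate the pod for egress
    policy_ns = policy["metadata"]["namespace"]
    for rule in spec.get("egress", []):   # a flow is allowed if ANY rule matches it
        to_ok = not rule.get("to") or any(_peer_matches(p, flow, policy_ns) for p in rule["to"])
        ports_ok = not rule.get("ports") or any(_port_matches(p, flow) for p in rule["ports"])
        if to_ok and ports_ok:
            return True
    return False


def egress_allowed_by_any(policies: List[dict], flow: Flow) -> bool:
    """Policies selecting the same pod are additive: the union of their rules applies."""
    isolating = [p for p in policies if "Egress" in _policy_types(p["spec"])]
    return not isolating or any(egress_allowed(p, flow) for p in isolating)


# The poster's policy transcribed as a dict (port 8088, as in the question).
POSTED_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "test-network-policy", "namespace": "dev"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "foo"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "140.224.232.236/32"}}],
                    "ports": [{"protocol": "TCP", "port": 8088}]}],
    },
}

# ASSUMED, not from the page: an extra rule admitting DNS to CoreDNS in kube-system.
# k8s-app=kube-dns and the kubernetes.io/metadata.name namespace label are the
# conventional ones; verify with `kubectl get pods -n kube-system --show-labels`.
DNS_RULE = {
    "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
    "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
}


def evaluate_posted_policy(with_dns: bool = False) -> Dict[str, bool]:
    """Run constructed sample flows against the posted policy, optionally with DNS_RULE added."""
    policy = copy.deepcopy(POSTED_POLICY)
    if with_dns:
        policy["spec"]["egress"].append(DNS_RULE)
    # Constructed flows: 203.0.113.10 is a documentation address standing in for
    # www.google.com; 10.244.0.5 is an assumed CoreDNS pod IP (policy is evaluated
    # on the pod IP after the Service VIP has been translated).
    flows = {
        "ping endpoint (ICMP)": Flow("140.224.232.236", "ICMP"),
        "endpoint TCP/8088": Flow("140.224.232.236", "TCP", 8088),
        "endpoint TCP/8080": Flow("140.224.232.236", "TCP", 8080),
        "www.google.com TCP/443": Flow("203.0.113.10", "TCP", 443),
        "DNS to kube-dns UDP/53": Flow("10.244.0.5", "UDP", 53, dst_namespace="kube-system",
                                       dst_ns_labels={"kubernetes.io/metadata.name": "kube-system"},
                                       dst_pod_labels={"k8s-app": "kube-dns"}),
    }
    return {name: egress_allowed(policy, f) for name, f in flows.items()}


if __name__ == "__main__":
    for label, with_dns in (("posted policy", False), ("posted policy + DNS rule", True)):
        print(label)
        for name, ok in evaluate_posted_policy(with_dns).items():
            print(f"  {'ALLOW' if ok else 'DENY '}  {name}")
```

Under the posted policy only `endpoint TCP/8088` is allowed; the ICMP ping, port 8080, the external HTTPS flow and the DNS lookup are all denied, which is exactly the behaviour the question describes (the hanging `ping` is ICMP being dropped, the `bad address` error is the resolver being cut off). Adding the DNS rule flips only the DNS flow to allowed while still denying ping, so the "only this endpoint" requirement is preserved for application traffic.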
