Maurice Amar

Reputation: 139

How to configure access from internal DNS to the container by using a Kubernetes network policy

I want to harden the traffic coming from other k8s containers in the same segment, but also to permit the k8s ingress (DNS) to access the container.

VM machine (10.194.65.4) --> k8s Ingress (10.194.66.14) --> k8s service (172.30.0.255) --> k8s container (172.18.0.43)

Below is my network policy, configured to accept traffic coming from 172.18.0.0/21:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: dev
    namespace: big-calculator-dev
  name: big-calculator-dev
  namespace: big-calculator-dev
spec:
  ingress:
  - from:
    - ipBlock:
        cidr: 172.18.0.0/21
    ports:
    - port: 443
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress

What can I do to additionally accept the traffic coming from my VM via my ingress?

Thanks, Maurice

Upvotes: 0

Views: 100

Answers (2)

Kranthiveer Dontineni

Reputation: 1543

Using subnet mask /32 will help you in this scenario, since you want to allow only a particular IP to access your Kubernetes resources. So you need to add one more rule allowing your VM IP to access your container; after adding this, your YAML looks like below.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: dev
    namespace: big-calculator-dev
  name: big-calculator-dev
  namespace: big-calculator-dev
spec:
  ingress:
  - from:
    - ipBlock:
        cidr: 172.18.0.0/21
    # second peer entry: the VM address as a /32 (a second `ipBlock` key in the same
    # list item would be a duplicate mapping key and is not valid YAML)
    - ipBlock:
        cidr: 10.194.65.4/32
    ports:
    - port: 443
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress

Update:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: dev
    namespace: big-calculator-dev
  name: big-calculator-dev
  namespace: big-calculator-dev
spec:
  ingress:
  - from:
    - ipBlock:
        cidr: 10.194.66.14/32
    ports:
    - port: 443
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress

The current config which you have given as a solution allows all the traffic excluding your container traffic. If you want to allow only a particular IP address, you can go with this updated manifest file.

Upvotes: 0

Maurice Amar

Reputation: 139

I found the solution by doing it like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: dev
    namespace: big-calculator-dev
  name: big-calculator-dev
  namespace: big-calculator-dev
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 172.19.0.0/21
  podSelector: {}
  policyTypes:
  - Egress

Upvotes: 1
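The manifests in the question and both answers differ only in their `ipBlock`, `except` and `policyTypes` settings, and it is easy to misjudge what each one actually admits. The following evaluator is an added example, not code from the question or the answers: it models the subset of the NetworkPolicy spec used on this page (`ipBlock.cidr`, `ipBlock.except`, `ports`, `policyTypes`; `podSelector`/`namespaceSelector` peers are not modelled) and runs each manifest against the addresses from the question's topology. The policy dicts mirror the page's YAML so no YAML library is needed, `172.18.0.50` and `203.0.113.9` are constructed peer addresses, and the assumption that an L7 ingress controller proxies the connection (so the pod sees the controller's IP, not the VM's) is stated in the code where it is used.

```python
"""Evaluate Kubernetes NetworkPolicy ipBlock rules against a peer IP and port.

Added example (not from the question or answers). Models the subset of the
NetworkPolicy spec this page uses: ipBlock.cidr / ipBlock.except, ports and
policyTypes. Policies are plain dicts mirroring the page's YAML (no PyYAML);
podSelector / namespaceSelector peers are not modelled.
"""
import ipaddress


def ip_block_matches(block, ip):
    """True if ip lies in block['cidr'] and in none of the block['except'] CIDRs."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(ex, strict=False)
                   for ex in block.get("except", []))


def port_matches(rule, port, protocol):
    """A rule without a 'ports' list matches every port; protocol defaults to TCP."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in ports)


def governs(policy, direction):
    """Whether the policy restricts 'ingress' or 'egress' at all.

    policyTypes wins when present. When it is omitted, Ingress is always
    governed and Egress only if egress rules exist (the API default).
    """
    spec = policy["spec"]
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return direction.capitalize() in types


def allowed(policy, direction, ip, port, protocol="TCP"):
    """Decision of a single policy. ip is the remote peer: the source for
    ingress, the destination for egress. A direction the policy does not
    govern is left unrestricted by it."""
    if not governs(policy, direction):
        return True
    peer_key = "from" if direction == "ingress" else "to"
    for rule in policy["spec"].get(direction, []):
        peers = rule.get(peer_key)
        # An empty or missing peer list matches every peer.
        peer_ok = not peers or any(
            "ipBlock" in p and ip_block_matches(p["ipBlock"], ip) for p in peers)
        if peer_ok and port_matches(rule, port, protocol):
            return True
    return False


def allowed_by_policies(policies, direction, ip, port, protocol="TCP"):
    """Policies selecting the same pod are additive: traffic passes if any policy
    governing that direction allows it; if none governs it, the direction is open."""
    governing = [p for p in policies if governs(p, direction)]
    if not governing:
        return True
    return any(allowed(p, direction, ip, port, protocol) for p in governing)


# Constructed dicts mirroring the manifests on this page (metadata omitted).
ORIGINAL = {"spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [
    {"from": [{"ipBlock": {"cidr": "172.18.0.0/21"}}],
     "ports": [{"port": 443, "protocol": "TCP"}]}]}}
PLUS_VM = {"spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [
    {"from": [{"ipBlock": {"cidr": "172.18.0.0/21"}},
              {"ipBlock": {"cidr": "10.194.65.4/32"}}],
     "ports": [{"port": 443, "protocol": "TCP"}]}]}}
INGRESS_ONLY = {"spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [
    {"from": [{"ipBlock": {"cidr": "10.194.66.14/32"}}],
     "ports": [{"port": 443, "protocol": "TCP"}]}]}}
EGRESS_EXCEPT = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["172.19.0.0/21"]}}]}]}}

# Addresses from the question's topology plus a constructed neighbouring pod IP.
VM, INGRESS, POD_PEER = "10.194.65.4", "10.194.66.14", "172.18.0.50"


def summary():
    """What each manifest decides for the traffic the question cares about."""
    return {
        "original_from_ingress": allowed(ORIGINAL, "ingress", INGRESS, 443),
        "original_from_pod": allowed(ORIGINAL, "ingress", POD_PEER, 443),
        "original_from_pod_port80": allowed(ORIGINAL, "ingress", POD_PEER, 80),
        # Assumption: an L7 ingress proxies the connection, so the pod sees the
        # controller's IP as source, never the VM's; the /32 for the VM is unused.
        "plus_vm_from_vm": allowed(PLUS_VM, "ingress", VM, 443),
        "plus_vm_from_ingress": allowed(PLUS_VM, "ingress", INGRESS, 443),
        "ingress_only_from_ingress": allowed(INGRESS_ONLY, "ingress", INGRESS, 443),
        "ingress_only_from_pod": allowed(INGRESS_ONLY, "ingress", POD_PEER, 443),
        # A policy with policyTypes: [Egress] leaves ingress completely unrestricted.
        "egress_except_ingress_from_pod": allowed(EGRESS_EXCEPT, "ingress", POD_PEER, 443),
        "egress_except_to_excluded": allowed(EGRESS_EXCEPT, "egress", "172.19.0.5", 443),
        "egress_except_to_internet": allowed(EGRESS_EXCEPT, "egress", "203.0.113.9", 443),
        # Two ingress policies on the same pod are a union of their allow rules.
        "combined_from_ingress": allowed_by_policies([PLUS_VM, INGRESS_ONLY], "ingress", INGRESS, 443),
    }


if __name__ == "__main__":
    for name, verdict in summary().items():
        print(f"{name:32} {'ALLOW' if verdict else 'DENY'}")
```

Running it prints one ALLOW/DENY line per case. The two things worth checking in your own cluster are the ones the table makes visible: the source address the pod actually sees for proxied traffic (the ingress controller's, per the update in the first answer), and the fact that a policy listing only `Egress` in `policyTypes` does not restrict inbound traffic at all, so ingress hardening needs a separate `Ingress` policy.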
