Hello, I'm working on Ingress labs, I've created a deny network policy in defau . . .

Mark:
Hello,

I’m working on Ingress labs, I’ve created a deny network policy in the default namespace but traffic is still allowed.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress

root@controlplane:~# kubectl get pods,svc,ep
NAME          READY   STATUS    RESTARTS   AGE
pod/app       1/1     Running   0          17m
pod/foo       1/1     Running   1          15m

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/app          ClusterIP   10.108.159.88   <none>        80/TCP    17m
service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   44m

NAME                   ENDPOINTS          AGE
endpoints/app          10.244.0.4:80      17m
endpoints/kubernetes   10.29.118.9:6443   44m

root@controlplane:~# kubectl get netpol -A
NAMESPACE   NAME                   POD-SELECTOR   AGE
default     default-deny-ingress   <none>         5m24s

When I try to access the cluster IP from a test pod, it’s actually accessible.

root@controlplane:~# kubectl exec -it foo -- sh
/ # telnet 10.108.159.88 80
Connected to 10.108.159.88

Could anyone suggest what’s actually wrong here?
@Mumshad Mannambeth @Vijin Palazhi

Nitin:
Hello @Mark, which CNI are you using? Weave, Calico, etc.?

Mark:
@Nitin, it’s flannel.
root@controlplane:/etc/cni/net.d# cat 10-flannel.conflist
{
  "name": "cbr0",
  "cniVersion": "0.3.1",
  "plugins": [
    {
      "type": "flannel",
      "delegate": {
        "hairpinMode": true,
        "isDefaultGateway": true
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    }
  ]
}

Nitin:
@Mark so my guess was correct … as @unnivkn shared … please use Calico for netpol restrictions.

Mark:
Gotcha, makes sense, thanks guys!

Mark:
Final question @unnivkn @Nitin: what’s wrong with the ports section here? Could you correct me?
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-3
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: fe
  policyTypes:
  - Ingress

  ingress:
  - {}
    ports:
    - protocol: TCP
      port: 80

Nitin:
What’s the error?

Subrata Biswas:
Or you can use Canal if you already have flannel, which will enable Calico policy on top of flannel.

unnivkn:
https://github.com/ahmetb/kubernetes-network-policy-recipes

Mark:
Unexpected key at the line where the ports section is defined.

Mark:
ingress:
- ports:
  - protocol: TCP
    port: 80

Mark:
This works fine, but I would like to understand the difference between them.

unnivkn:
Here you are allowing everything and asking to restrict port 80; that is not the correct logic, right?

unnivkn:
ingress:
- {}
  ports:
  - protocol: TCP
    port: 80

unnivkn:
In this case you allow only port 80.

unnivkn:
ingress:
- ports:
  - protocol: TCP
    port: 80

unnivkn:
So as per me, this is good for case 1.

unnivkn:
ingress:
- {}

Mark:
Actually I want to allow traffic only on port 80 from all pods.