Hi.. Just need some help in understanding Network policy,- I have pod and netpol . . .

naveen B:
Hi… Just need some help in understanding Network policy. I have a pod and a netpol; the specs are here.
I would like to allow inbound and outbound traffic from the pods redis05 and httpd05, and I'm not sure what is wrong with this policy: I'm able to access the nginx05 pod without adding labels. Testing with this command: k run test --image=nginx --rm -it -- /bin/sh and then wget nginx05_ip - this downloads index.html from the nginx05 pod. Ideally it should time out, since I'm not adding the label redis05 or httpd05.

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx05
  name: nginx05
spec:
  containers:
  - image: nginx
    name: nginx05
    resources: {}
  - image: busybox
    name: busybox05
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pod-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: nginx05
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              run: redis05
        - podSelector:
            matchLabels:
              run: httpd05
  egress:
    - to:
        - podSelector:
            matchLabels:
              run: redis05
        - podSelector:
            matchLabels:
              run: httpd05

Vitor Jr.:
Hi @naveen B, have you tried this site here for better network policy comprehension? https://editor.cilium.io/

naveen B:
Nope, haven't. Will try.

Vitor Jr.:
About your network policy:
• it will select the pod with the label run: nginx05
• allow ingress from labels run: redis05 and run: httpd05
• allow egress from it to labels run: redis05 and run: httpd05

naveen B:
Yes, that is correct, and if I create a temp pod without labels I'm still able to access the nginx05 pod.

Vitor Jr.:
What CNI are you using?

naveen B:
k run test --image=nginx --rm -it -- /bin/sh
wget nginx05_ip : this is downloading the file

Vitor Jr.:
Some CNIs are incompatible with network policies.

naveen B:
It is EKS cluster

Vitor Jr.:
Are you using Fargate also?

Vitor Jr.:
https://docs.aws.amazon.com/eks/latest/userguide/eks-networking.html

Vitor Jr.:
You need to install Calico CNI

Vitor Jr.: