Hi, trying to solve this. Create an nginx deployment of 2 replicas, expose it vi . . .

Poorni:
Hi, trying to solve this.
Create an nginx deployment of 2 replicas, expose it via a ClusterIP service on port 80. Create a NetworkPolicy so that only pods with labels ‘access: granted’ can access the deployment and apply it.

Though I have defined a network policy with a pod selector in ingress, all the pods are able to access the nginx service.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "granted"

Accessing from a pod with no "access=granted" label, but I can still access it:

poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ sudo kubectl run busybox1 --rm -ti --image=busybox -- /bin/sh
If you don’t see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.105.188.184:80)
remote file exists
/ # exit

Need help on this, please.

Dhawan Shringi:
Could you try adding this default-deny policy and see what happens?

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Gowtham Chinta:
You just forgot to mention the policy type in your YAML file, so there is no rule getting applied.

Gowtham Chinta:
spec:
  podSelector:
  policyTypes:

Make sure both are available.

Poorni:
Tried both the deny-all and added policy types; still, all pods can access nginx without the appropriate labels.

poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ cat deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: lab
spec:
  podSelector: {}
  policyTypes:
  - Ingress

poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ cat nginx-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: lab
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "granted"

poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ sudo kubectl get svc,networkpolicy -o wide -n lab
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE     SELECTOR
service/foo     ClusterIP   10.103.253.104   <none>        6262/TCP   124m    app=foo
service/nginx   ClusterIP   10.101.252.53    <none>        80/TCP     2m33s   app=nginx

NAME                                                   POD-SELECTOR   AGE
networkpolicy.networking.k8s.io/access-nginx           app=nginx      106m
networkpolicy.networking.k8s.io/default-deny-ingress   <none>         7m31s

poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ kubectl run busybox1 --rm -ti --image=busybox -- /bin/sh
If you don’t see a command prompt, try pressing enter.
/ # wget -o- --timeout=1 nginx
Connecting to nginx (10.101.252.53:80)
saving to ‘index.html’
index.html 100% |*****************************************************************************************************************| 612 0:00:00 ETA
‘index.html’ saved
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.101.252.53:80)
remote file exists

Dhawan Shringi:
I’m not sure if this is the reason:

Creating a NetworkPolicy resource without a controller that implements it will have no effect.

Dhawan Shringi:
As per the task, it requires configuring a network provider: https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/#before-you-begin

Poorni:
Found out Minikube by default doesn't support network policies.
Referenced
https://medium.com/@atsvetkov906090/enable-network-policy-on-minikube-f7e250f09a14
and
https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/

Now I am able to use the network policy. Important to note: Cilium needs to be deployed in the namespace where you want to test the network policies.
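To make the expected behaviour concrete, here is an added example that is not part of the thread: a small offline model of how a conforming CNI evaluates NetworkPolicy ingress rules, run against the two manifests posted above. It shows three things a practitioner wants to check before blaming the YAML: a pod becomes ingress-isolated as soon as any policy selects it, the allowed set is the union of all selecting policies' rules, and a `podSelector` peer without a `namespaceSelector` only matches pods in the policy's own namespace. It also models the API-server default for `policyTypes` (Ingress is always set; Egress only when egress rules exist), so it can be run with or without that field. The busybox pod labels and namespaces are assumptions for the example; `ipBlock` peers and `ports` are deliberately not modelled.

```python
"""Added example (not from the thread): minimal offline model of Kubernetes
NetworkPolicy *ingress* evaluation for podSelector/namespaceSelector peers.
ipBlock peers and port restrictions are intentionally left out."""
from typing import Dict, List, Optional

Labels = Dict[str, str]


def selector_matches(selector: Optional[dict], labels: Labels) -> bool:
    """Label selector subset test. {} (or empty matchLabels) selects
    everything; None means the selector field was absent."""
    if selector is None:
        return False
    match = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in match.items())


def effective_policy_types(policy: dict) -> List[str]:
    """API-server defaulting when policyTypes is omitted: Ingress is always
    set, Egress is added only if the spec contains egress rules."""
    spec = policy["spec"]
    if spec.get("policyTypes"):
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def peer_matches(peer: dict, policy_ns: str, src_ns: str,
                 src_labels: Labels, src_ns_labels: Labels) -> bool:
    """One entry of ingress[].from. A podSelector with no namespaceSelector
    is scoped to the namespace the policy lives in."""
    pod_sel = peer.get("podSelector")
    ns_sel = peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        return False  # ipBlock peers are not modelled here
    ns_ok = (src_ns == policy_ns) if ns_sel is None \
        else selector_matches(ns_sel, src_ns_labels)
    pod_ok = True if pod_sel is None else selector_matches(pod_sel, src_labels)
    return ns_ok and pod_ok


def ingress_allowed(policies: List[dict], dst_ns: str, dst_labels: Labels,
                    src_ns: str, src_labels: Labels,
                    src_ns_labels: Optional[Labels] = None) -> bool:
    """True if traffic from the source pod may reach the destination pod."""
    src_ns_labels = src_ns_labels or {}
    selecting = [
        p for p in policies
        if p["metadata"].get("namespace", "default") == dst_ns
        and "Ingress" in effective_policy_types(p)
        and selector_matches(p["spec"].get("podSelector", {}), dst_labels)
    ]
    if not selecting:
        return True  # not isolated for ingress: everything is accepted
    for p in selecting:  # allowed set is the union over selecting policies
        for rule in p["spec"].get("ingress") or []:
            froms = rule.get("from")
            if not froms:
                return True  # a rule with no `from` admits every source
            if any(peer_matches(f, p["metadata"]["namespace"], src_ns,
                                src_labels, src_ns_labels) for f in froms):
                return True
    return False


# The two policies from the thread, transcribed into dicts.
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "lab"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
ACCESS_NGINX = {
    "metadata": {"name": "access-nginx", "namespace": "lab"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "granted"}}}]}],
    },
}
NGINX = {"app": "nginx"}  # labels carried by the nginx deployment's pods


def thread_outcome(policies: List[dict]) -> Dict[str, bool]:
    """What an enforcing CNI should do for the pods in the thread.
    Source-pod labels and namespaces are assumptions for the example."""
    return {
        "busybox_no_label": ingress_allowed(policies, "lab", NGINX, "lab", {"run": "busybox1"}),
        "busybox_granted": ingress_allowed(policies, "lab", NGINX, "lab", {"access": "granted"}),
        # Right label, wrong namespace: podSelector peers do not cross namespaces.
        "granted_other_ns": ingress_allowed(policies, "lab", NGINX, "default", {"access": "granted"}),
    }


def access_nginx_without_policy_types() -> dict:
    """The thread's first manifest, which omitted policyTypes."""
    spec = {k: v for k, v in ACCESS_NGINX["spec"].items() if k != "policyTypes"}
    return {"metadata": ACCESS_NGINX["metadata"], "spec": spec}


if __name__ == "__main__":
    print(thread_outcome([DEFAULT_DENY_INGRESS, ACCESS_NGINX]))
    print(thread_outcome([access_nginx_without_policy_types()]))
```

Both runs print the same verdicts: the unlabelled busybox pod is denied, the `access: granted` pod in `lab` is allowed, and the same label in another namespace is denied. Omitting `policyTypes` does not change the result because Ingress is the default, which is why the thread's symptom (every pod gets through) points at the cluster not enforcing policies rather than at the manifest.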