Poorni:
Hi, trying to solve this.
Create an nginx deployment of 2 replicas, expose it via a ClusterIP service on port 80. Create a NetworkPolicy so that only pods with labels ‘access: granted’ can access the deployment and apply it.
Though I have defined a network policy with a pod selector in ingress, all the pods are able to access the nginx service.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "granted"
Access with a pod with no label "access=granted". But I can access it:
poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ sudo kubectl run busybox1 --rm -ti --image=busybox -- /bin/sh
If you don’t see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.105.188.184:80)
remote file exists
/ # exit
Need help on this, please...
Dhawan Shringi:
Could you try adding this default-deny policy and see what happens:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
Gowtham Chinta:
You just forgot to mention the policy type in your YAML file, so there is no rule getting applied.
Gowtham Chinta:
spec:
  podSelector:
  policyTypes:
Make sure both are available.
Poorni:
Tried both deny-all and added policy types. Still all pods can access nginx without the appropriate labels.
poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ cat deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: lab
spec:
  podSelector: {}
  policyTypes:
poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ cat nginx-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: lab
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "granted"
poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ sudo kubectl get svc,networkpolicy -o wide -n lab
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE     SELECTOR
service/foo     ClusterIP   10.103.253.104   <none>        6262/TCP   124m    app=foo
service/nginx   ClusterIP   10.101.252.53    <none>        80/TCP     2m33s   app=nginx

NAME                                                       POD-SELECTOR   AGE
networkpolicy.networking.k8s.io/access-nginx               app=nginx      106m
networkpolicy.networking.k8s.io/default-deny-ingress       <none>         7m31s
poorni@poorni-VirtualBox:~/Desktop/k8/lab-ubuntu$ kubectl run busybox1 --rm -ti --image=busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -o- --timeout=1 nginx
Connecting to nginx (10.101.252.53:80)
saving to 'index.html'
index.html 100% |****************************************| 612 0:00:00 ETA
'index.html' saved
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.101.252.53:80)
remote file exists
Dhawan Shringi:
I’m not sure if this is the reason:
Creating a NetworkPolicy resource without a controller that implements it will have no effect.
Poorni:
Found out Minikube by default doesn't support network policies.
Referenced
https://medium.com/@atsvetkov906090/enable-network-policy-on-minikube-f7e250f09a14
and
https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/
Now I am able to use the network policy. Important to note is, Cilium needs to be deployed in the namespace where you want to test the network policies.