
I am a newbie to Kubernetes and trying to learn Calico networking. I am following this documentation (https://docs.aws.amazon.com/eks/latest/userguide/calico.html) and I tried to create a NetworkPolicy for the traffic to flow from the backend to the client:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: stars
  name: backend-client
spec:
  podSelector:
    matchLabels:
      role: client
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              role: backend
      ports:
        - protocol: TCP
          port: 9000

I finished all 10 steps in the documentation, and I tried to test by creating a policy that would send traffic from the backend to the client with the above policy.

When I applied the policy there was no error, but I don't see the traffic/connection between the two.

Please let me know what is wrong.

user_01_02
  • What do you mean by "the demo does not show me the connection"? – samhain1138 Oct 01 '18 at 23:36
  • I think he means the demo on the EKS link. Your question is kind of broad; if you can post more details for `kubectl get pods`, `kubectl get svc`, etc., it would be helpful. – Rico Oct 02 '18 at 00:01

2 Answers


Creating a NetworkPolicy alone will not help in ensuring that the NetworkPolicy is enforced. We should configure a network plugin like Calico, which is integrated with Kubernetes and executes the necessary operations to achieve the intent of the given NetworkPolicy.

https://kubernetes.io/docs/concepts/services-networking/network-policies/ says

"Network policies are implemented by the network plugin, so you must be using a networking solution which supports NetworkPolicy - simply creating the resource without a controller to implement it will have no effect."

pr-pal

I believe you need to put your policy in the client namespace instead of the stars namespace. I don't believe there are any pods with role: client in the stars namespace. A pod selector like you've specified only applies to pods in the namespace the policy is in.

While I don't think it is as direct as it could be, the Kubernetes Network Policy docs do mention that a NetworkPolicy applies in the given namespace. I suggest you check them out if you haven't already.

I hope that helps.

Erik Stidham
  • I did try using the namespace as client, but it seems like it's not working. How do I check if there is a pod selector with role: client in the client namespace? – user_01_02 Oct 02 '18 at 18:04
  • Make sure you are giving plenty of time after making a change. I believe there have been issues with that star demo where it takes a long time to update links. You could also try deleting the pods to make sure they are retrying the connections. Actually it is probably easier to just exec into your backend pod and try connecting to `http://client.client:9000/status` with curl. – Erik Stidham Oct 03 '18 at 19:52
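As an added illustration (not code from the question, the answers, or the EKS/Calico demo), a small evaluator of the two scoping rules the answers turn on: a policy's podSelector only ever matches pods in the policy's own namespace, and a namespaceSelector peer admits every pod in a matching namespace. The namespace labels, pod inventory and role values below are constructed assumptions, not the demo's real manifests.

```python
def matches(selector, labels):
    """matchLabels semantics: every selector key must be present with that value."""
    return all(labels.get(k) == v for k, v in selector.items())

# Constructed inventory mirroring the thread's layout (assumed, not the demo's manifests).
NAMESPACES = {"stars": {"role": "backend"}, "client": {"role": "client"}}
PODS = {
    "backend":  {"namespace": "stars",  "labels": {"role": "backend"}},
    "frontend": {"namespace": "stars",  "labels": {"role": "frontend"}},
    "client":   {"namespace": "client", "labels": {"role": "client"}},
}

def selected_pods(policy):
    """spec.podSelector is evaluated only against pods in metadata.namespace."""
    ns = policy["metadata"]["namespace"]
    sel = policy["spec"]["podSelector"].get("matchLabels", {})
    return sorted(n for n, p in PODS.items()
                  if p["namespace"] == ns and matches(sel, p["labels"]))

def peer_matches(peer, policy_ns, src):
    """One 'from' entry: podSelector alone is scoped to the policy's namespace;
    namespaceSelector alone admits every pod in any matching namespace."""
    ns_sel = peer.get("namespaceSelector", {}).get("matchLabels")
    pod_sel = peer.get("podSelector", {}).get("matchLabels")
    if ns_sel is not None and not matches(ns_sel, NAMESPACES[src["namespace"]]):
        return False
    if pod_sel is not None:
        if ns_sel is None and src["namespace"] != policy_ns:
            return False
        if not matches(pod_sel, src["labels"]):
            return False
    return True

def ingress_allowed(policy, src_name, dst_name, port):
    """Verdict of this single policy for src -> dst:port (other policies ignored).
    None means the policy does not select dst, so it has no effect on that traffic."""
    if dst_name not in selected_pods(policy):
        return None
    src, ns = PODS[src_name], policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        ports = rule.get("ports", [])
        if ports and not any(p["port"] == port for p in ports):
            continue
        peers = rule.get("from") or []  # empty/missing 'from' matches all sources
        if not peers or any(peer_matches(peer, ns, src) for peer in peers):
            return True
    return False

# The policy exactly as posted in the question, and the same spec moved to the client namespace.
POSTED = {"metadata": {"namespace": "stars", "name": "backend-client"},
          "spec": {"podSelector": {"matchLabels": {"role": "client"}},
                   "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "backend"}}}],
                                "ports": [{"protocol": "TCP", "port": 9000}]}]}}
MOVED = {"metadata": {"namespace": "client", "name": "backend-client"}, "spec": POSTED["spec"]}
```

Under these constructed labels the posted policy selects no pods at all, while the moved one selects the client pod and admits backend on 9000. Note that it also admits frontend, because a bare namespaceSelector covers the whole namespace; adding a podSelector to the same peer narrows it to the backend pods only.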