Currently I have a GlobalNetworkPolicy 'default-deny' to limit all traffic within my cluster; all ingress/egress is set to deny for all().

I have attempted to allow exceptions for pods with certain labels, using 'order'. When I don't specify 'action' arguments, so that it allows all communication, the policy works. However, as below, when I specify arguments within the allow, the pod doesn't allow egress traffic.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-pod-ingress
spec:
  order: 50
  selector: name == 'egresspod'
  types:
  - Egress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: some-pod-label == 'some-pod-label-value'
    destination:
      ports:
      - 80

Is this policy configured correctly?

1 Answer

The types field has to match the rules in the spec. You have it set to Egress, whereas you defined ingress rules.

If you want egresspod to accept inbound traffic on port 80, then try changing the type to Ingress. (If you want to achieve the opposite, then change both to Egress.)

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-pod-ingress
spec:
  order: 50
  selector: name == 'egresspod'
  types:
  - Ingress #Has to match
  ingress:  # With this guy.
  - action: Allow
    protocol: TCP
    source:
      selector: some-pod-label == 'some-pod-label-value'
    destination:
      ports:
      - 80

For more information, check this page: https://docs.projectcalico.org/v3.7/reference/calicoctl/resources/globalnetworkpolicy

dekkerr
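The mismatch the answer points out is easy to catch before applying a manifest. The following is an added example, not code from the original post or from Calico: it encodes the question's policy, the answer's Ingress fix, and the Egress variant the answer mentions as Python dicts (the same content as the YAML, so no PyYAML or cluster is needed) and flags any direction where `types` and the rule sections disagree. The Egress variant's rule (destination selector plus port 80) is my reading of "the opposite" and is an assumption, not something the thread spells out.

```python
"""Offline check: do a Calico GlobalNetworkPolicy's rule sections match `types`?

Added example, not from the original post. Calico only evaluates the ingress
rules when "Ingress" is listed in spec.types, and the egress rules when
"Egress" is listed; a direction listed in types with no rules matches nothing,
so evaluation falls through to the next policy in order (here the default-deny).
"""

# Rule shared by the question and the answer: TCP/80 from pods with the label.
TCP_80_FROM_LABELLED_PODS = {
    "action": "Allow",
    "protocol": "TCP",
    "source": {"selector": "some-pod-label == 'some-pod-label-value'"},
    "destination": {"ports": [80]},
}


def policy(name, types, ingress=None, egress=None):
    """Build a GlobalNetworkPolicy dict with the thread's selector and order."""
    spec = {"order": 50, "selector": "name == 'egresspod'", "types": types}
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {
        "apiVersion": "projectcalico.org/v3",
        "kind": "GlobalNetworkPolicy",
        "metadata": {"name": name},
        "spec": spec,
    }


# The question's manifest: types says Egress, but the only rule is an ingress rule.
BROKEN_POLICY = policy("allow-pod-ingress", ["Egress"], ingress=[TCP_80_FROM_LABELLED_PODS])

# The answer's fix: types and rule section both say Ingress.
FIXED_INGRESS_POLICY = policy("allow-pod-ingress", ["Ingress"], ingress=[TCP_80_FROM_LABELLED_PODS])

# The "opposite" the answer mentions (assumed intent): egresspod may open TCP/80
# towards the labelled pods, so the selector moves to the destination entity.
EGRESS_POLICY = policy(
    "allow-pod-egress",
    ["Egress"],
    egress=[{
        "action": "Allow",
        "protocol": "TCP",
        "destination": {
            "selector": "some-pod-label == 'some-pod-label-value'",
            "ports": [80],
        },
    }],
)


def check_types(gnp):
    """Return a list of human-readable problems; an empty list means consistent."""
    spec = gnp.get("spec", {})
    types = set(spec.get("types", []))
    problems = []
    for direction in ("ingress", "egress"):
        rules = spec.get(direction, [])
        wanted = direction.capitalize()  # "Ingress" / "Egress"
        if rules and wanted not in types:
            problems.append(
                f"{len(rules)} {direction} rule(s) defined but '{wanted}' is not in "
                f"spec.types, so Calico ignores them"
            )
        if wanted in types and not rules:
            problems.append(
                f"'{wanted}' is in spec.types but no {direction} rules are defined; "
                f"this policy matches no {direction} traffic and evaluation falls "
                f"through to the next policy (e.g. default-deny)"
            )
    return problems


if __name__ == "__main__":
    for gnp in (BROKEN_POLICY, FIXED_INGRESS_POLICY, EGRESS_POLICY):
        name = gnp["metadata"]["name"]
        found = check_types(gnp)
        print(f"{name} (types={gnp['spec']['types']}): {'OK' if not found else ''}")
        for p in found:
            print(f"  - {p}")
```

Run as a script to see the question's manifest flagged twice (orphaned ingress rules, and an Egress type with nothing behind it) while both corrected variants pass. The check is deliberately limited to the `types`/rule-section relationship; it does not replace `calicoctl apply --dry-run` or schema validation.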