0

I have installed Calico on EKS from here.

I have two namespaces, foo and bar, both labeled with a label 'purpose', and containing one app pod each.

When I import the following Ingress-only policy into the foo namespace, it works exactly as expected; other test pods can not connect to foo-app, but bar-app can.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo
  namespace: foo
spec:
  podSelector:
    matchLabels:
      app: foo-app
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

However when I import a policy containing both ingress and egress rules it completely shuts off networking to the pod. I can no longer even ping the foo-app pod IP from bar-app.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo
  namespace: foo
spec:
  podSelector:
    matchLabels:
      app: foo-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

After removing and systematically re-adding parts of the policy, it is definitely the addition of the namespaceSelector entry in the egress that breaks it.

There are no other network policies on the cluster.

If there is not a directly obvious reason as to why this is happening; other than trawling through netfilter rules on worker nodes: Is there any efficient way to debug this?

GDev
  • 428
  • 1
  • 5
  • 14
  • Your yaml is wrong. Why are you opening `0.0.0.0/0`? It is the same as not to create the `NetworkPolicy`. I don't know why is it blocking sometimes, because it shouldn't. – suren Mar 02 '20 at 16:53

2 Answers2

1

I don't think you Network Policy is correctly written.

I think you should change

  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

to

  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          purpose: bar
  - to:
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

This is because you might be blocking the DNS which is being used to resolve service names to their IP addresses. You can read a really nice Introduction to Kubernetes Network Policies for Security People.

If this is still a problem please provide detailed info about where are the pods running what are the labels and what rules you want to implement.

You can also check some nice examples for Ingress and Egress at GitHub - ahmetb/kubernetes-network-policy-recipes and Declare Network Policy.

Crou
  • 10,232
  • 2
  • 26
  • 31
-1

Your last network policy addresses both Egress and Ingress. I would split Egress and Ingress in two different yaml files (if there are several different Ingress/Egress policies I would also split them in different files), and I would apply them one by one. This way is easier to read them. Also, if you use a deny rule, I would apply it the first and then apply the other rules.

JGG
  • 41
  • 4