
I've been trying to implement a network policy on my cluster (k8s bare-metal) and no policies seem to be implemented on pods running on cluster nodes, only on pods running directly on the master.

What I've tried:

  • A single namespace with a master+node and calico CNI with calicoctl with k8s datastore (I can see the calico/calicoctl containers running on both nodes)
  • Both networkPolicy types (networking.k8s.io/v1 & projectcalico.org/v3)
  • Applying a simple deny any ingress/egress policy and testing ping to 8.8.8.8 (pod on master gets blocked, pods on other nodes can still ping)

Appreciate your help

Daniel
  • Unless you show what you've written in your network policy, it'll be really difficult to pin point the root cause of your trouble. – Mayank Verma Sep 27 '20 at 07:34
  • You're right, sorry for not posting the config. Yesterday finally managed to find a solution. – Daniel Sep 29 '20 at 09:01

1 Answer


Found the problem: it was with the deployment, where I'd used 'hostNetwork', which uses a subnet that is not part of the pod network (and which Calico is therefore unaware of).

Removing the 'hostNetwork: true' param made the container get a suitable IP, and the network policies were applied to it.

Daniel
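The failure mode described in the answer (a pod with `hostNetwork: true` takes the node's IP instead of an address from the pod CIDR, so CNI-enforced NetworkPolicy never sees it) is easy to audit across a whole cluster. The script below is an added example, not code from the question or the answer: it takes the JSON that `kubectl get pods -A -o json` produces and reports every pod that is host-networked or whose podIP lies outside the pod CIDR. The pod CIDR, namespaces, pod names and IPs are constructed for the demo and are assumptions, not values from the original post.

```python
"""Audit which pods fall outside NetworkPolicy enforcement.

Added example, not from the original question or answer. Pods that run
with hostNetwork: true use the node's IP instead of an address from the
pod CIDR, so CNI-enforced NetworkPolicy (Calico in the question) does not
apply to them. This script reads the JSON that `kubectl get pods -A -o json`
would produce and reports every pod that is host-networked or whose IP
lies outside the pod CIDR. The pod CIDR, namespaces, pod names and IPs
below are assumptions constructed for the demo.
"""
import ipaddress
import json
import sys
from typing import List, Tuple

# Assumed cluster pod CIDR (a common default for kubeadm + Calico installs).
POD_CIDR = "192.168.0.0/16"

# Constructed sample of `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {   # the broken deployment from the question: hostNetwork: true
            "metadata": {"namespace": "default", "name": "app-host-7d9f"},
            "spec": {"hostNetwork": True, "nodeName": "node1"},
            "status": {"podIP": "10.0.0.11"},
        },
        {   # the fixed deployment: a normal pod-network IP, policy applies
            "metadata": {"namespace": "default", "name": "app-fixed-5c2a"},
            "spec": {"nodeName": "node1"},
            "status": {"podIP": "192.168.45.7"},
        },
        {   # calico-node itself is legitimately host-networked
            "metadata": {"namespace": "kube-system", "name": "calico-node-x8k2"},
            "spec": {"hostNetwork": True, "nodeName": "master"},
            "status": {"podIP": "10.0.0.10"},
        },
        {   # a pending pod with no IP yet; nothing to judge
            "metadata": {"namespace": "default", "name": "app-pending-1a2b"},
            "spec": {},
            "status": {},
        },
    ]
})


def unpoliced_pods(pods_json: str, pod_cidr: str = POD_CIDR) -> List[Tuple[str, str, str]]:
    """Return (namespace, name, reason) for each pod NetworkPolicy will not cover.

    Two signals are checked: the explicit ``spec.hostNetwork`` flag, and the
    pod's assigned IP falling outside ``pod_cidr`` (which is what hostNetwork
    produces in practice, and which also catches other misconfigurations).
    A pod is reported once, with the first reason that matches.
    """
    cidr = ipaddress.ip_network(pod_cidr)
    findings = []
    for item in json.loads(pods_json)["items"]:
        ns = item["metadata"]["namespace"]
        name = item["metadata"]["name"]
        spec = item.get("spec", {})
        pod_ip = item.get("status", {}).get("podIP")

        if spec.get("hostNetwork", False):
            findings.append((ns, name, "spec.hostNetwork is true"))
        elif pod_ip and ipaddress.ip_address(pod_ip) not in cidr:
            findings.append((ns, name, f"podIP {pod_ip} is outside {pod_cidr}"))
    return findings


def main() -> None:
    # Pipe real output in (`kubectl get pods -A -o json | python3 audit.py`),
    # otherwise fall back to the constructed sample above.
    pods_json = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS_JSON
    for ns, name, reason in unpoliced_pods(pods_json):
        print(f"{ns}/{name}: {reason}")


if __name__ == "__main__":
    main()
```

Expect infrastructure pods such as calico-node to show up; those are host-networked by design. Anything from an application namespace in this list is a workload that a deny-all NetworkPolicy will silently not restrict, which is exactly the symptom in the question.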