1

I have an EKS cluster with an nginx deployment on namespace gitlab-managed-apps. Exposing the application to the public from ALB ingress. I'm trying to block a specific Public IP (ex: x.x.x.x/32) from accessing the webpage. I tried Calico and K8s network policies. Nothing worked for me. I created this Calico policy with my limited knowledge of Network policies, but it blocks everything from accessing the nginx app, not just x.x.x.x/32 external IP. Showing everyone 504 Gateway timeout from ALB

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: ingress-external
  namespace: gitlab-managed-apps
spec:
  selector:
    app == 'nginx'
  types:
    - Ingress
  ingress:
    - action: Deny
      source:
       nets:
       - x.x.x.x/32
Sinethra Seneviratne
  • 25
  • 6
  • I'm not sure the syntax for the selector is correct. try maybe app: 'nginx' or use the example from here : https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/ – Eden Dupont Jun 18 '21 at 10:08

1 Answers1

0

Try this:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: ingress-external
  namespace: gitlab-managed-apps
spec:
  selector:
    app == 'nginx'
  types:
    - Ingress
  ingress:
    - action: Deny
      source:
       nets:
       - x.x.x.x/32
    - action: Allow

calico docs suggests:

If one or more network policies apply to a pod containing ingress rules, then only the ingress traffic specifically allowed by those policies is allowed.

So this means that any traffic is denied by default and only allowed if you explicitly allow it. This is why adding additional rule action: Allow should allow all other traffic that was not matched by the previous rule.

Also remember what docs mention about rules:

A single rule matches a set of packets and applies some action to them. When multiple rules are specified, they are executed in order.

So default Allow rule has to follow the Deny rule for the specific IP, not the other way around.

Matt
  • 7,419
  • 1
  • 11
  • 22