
I want to harden the traffic coming from other k8s containers in the same segment, but also permit the k8s ingress (dns) to access the container.

VM machine (10.194.65.4) --> k8s Ingress (10.194.66.14) --> k8s service (172.30.0.255) --> k8s container (172.18.0.43)

Below is my network policy, configured to accept traffic coming from 172.18.0.0/21:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: dev
    namespace: big-calculator-dev
  name: big-calculator-dev
  namespace: big-calculator-dev
spec:
  ingress:
  - from:
    - ipBlock:
        cidr: 172.18.0.0/21
    ports:
    - port: 443
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress

What more can I do to accept the traffic coming from my ingress, from my VM?

thanks, Maurice

  • Hi `Maurice Amar`, is your issue resolved? If you are still facing some issues, revert back here so that we can assist you; also check these [guidelines](https://stackoverflow.com/help/someone-answers) so that it will be helpful for the remaining community members. – Kranthiveer Dontineni Jul 24 '23 at 12:43

2 Answers

Using a /32 subnet mask will help you in this scenario, since you want to allow only a particular IP to access your Kubernetes resources. So you need to add one more rule allowing your VM IP to access your container; after adding this, your YAML looks like below.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: dev
    namespace: big-calculator-dev
  name: big-calculator-dev
  namespace: big-calculator-dev
spec:
  ingress:
  - from:
    - ipBlock:
        cidr: 172.18.0.0/21
    # second peer must be its own list item: a repeated `ipBlock` key
    # inside one item is a duplicate mapping key and is not valid YAML
    - ipBlock:
        cidr: 10.194.65.4/32
    ports:
    - port: 443
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress

Update:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: dev
    namespace: big-calculator-dev
  name: big-calculator-dev
  namespace: big-calculator-dev
spec:
  ingress:
  - from:
    - ipBlock:
        cidr: 10.194.66.14/32
    ports:
    - port: 443
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress

The current config which you have given as a solution allows all the traffic excluding your container traffic; if you want to allow only a particular IP address, you can go with this updated manifest file.

  • It does not work for me @Kranthiveer Dontineni – Maurice Amar Jul 25 '23 at 08:12
  • @MauriceAmar I have updated my response. In the response provided by you, the manifest is accepting the entire traffic and excluding only the container network, but as per your requirement earlier you need to allow only a particular IP address and prevent the remaining traffic. Please go through this updated response once; it will help. – Kranthiveer Dontineni Jul 25 '23 at 11:43

I found the solution by doing like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: dev
    namespace: big-calculator-dev
  name: big-calculator-dev
  namespace: big-calculator-dev
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 172.19.0.0/21
  podSelector: {}
  policyTypes:
  - Egress
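To see what each manifest in this thread actually admits, here is an added example (not code from the question or either answer) that evaluates NetworkPolicy `ipBlock` rules with the standard Kubernetes semantics: a rule matches when some `from`/`to` peer matches and some `ports` entry matches, a pod selected by a policy whose `policyTypes` lists `Ingress` (or `Egress`) denies everything that no rule of that type matches, and `except` carves holes out of `cidr`. The four policies are transcribed by hand as plain dicts from the question, the first answer (with its two `ipBlock` peers as separate list items, since a repeated key in one item is a duplicate mapping key that YAML parsers reject or silently collapse), the answer's update, and the egress policy in the last answer; the IPs are the ones from the question's diagram. The caveat the thread turns on: an L7 ingress controller terminates the VM's connection and opens a new one to the pod from its own pod IP, so the source the pod's policy sees is the ingress (10.194.66.14), not the VM (10.194.65.4), which is why the /32 for the VM never matches. The Kubernetes docs also note that `ipBlock` matched against pod or node IPs is unreliable across CNIs, and that selecting the ingress controller with `namespaceSelector`/`podSelector` is the robust form.

```python
"""Evaluate Kubernetes NetworkPolicy ipBlock rules (added example, stdlib only)."""
import ipaddress

# IPs from the question's diagram: VM -> ingress -> service -> pod
SOURCES = {"vm": "10.194.65.4", "ingress": "10.194.66.14", "peer_pod": "172.18.0.43"}

# Policies transcribed from the thread as plain dicts (only spec matters here).
QUESTION = {"spec": {"policyTypes": ["Ingress"], "ingress": [
    {"from": [{"ipBlock": {"cidr": "172.18.0.0/21"}}],
     "ports": [{"port": 443, "protocol": "TCP"}]}]}}
ANSWER_FIRST = {"spec": {"policyTypes": ["Ingress"], "ingress": [
    {"from": [{"ipBlock": {"cidr": "172.18.0.0/21"}},
              {"ipBlock": {"cidr": "10.194.65.4/32"}}],   # two separate peers
     "ports": [{"port": 443, "protocol": "TCP"}]}]}}
ANSWER_UPDATED = {"spec": {"policyTypes": ["Ingress"], "ingress": [
    {"from": [{"ipBlock": {"cidr": "10.194.66.14/32"}}],
     "ports": [{"port": 443, "protocol": "TCP"}]}]}}
LAST_ANSWER = {"spec": {"policyTypes": ["Egress"], "egress": [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["172.19.0.0/21"]}}]}]}}


def ip_block_matches(block: dict, ip: str) -> bool:
    """An ipBlock peer matches when ip is inside cidr and outside every except entry."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(e, strict=False)
                   for e in block.get("except", []))


def rule_allows(rule: dict, peer_key: str, ip: str, port, proto: str) -> bool:
    """One rule allows traffic when a peer matches AND a port matches;
    an absent `from`/`to` or `ports` list means 'any'."""
    peers = rule.get(peer_key)
    peer_ok = peers is None or any(
        "ipBlock" in p and ip_block_matches(p["ipBlock"], ip) for p in peers)
    ports = rule.get("ports")
    port_ok = ports is None or any(
        p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)
    return peer_ok and port_ok


def policy_types(spec: dict) -> list:
    """Default policyTypes: Ingress always; Egress only if egress rules exist."""
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def ingress_allowed(policy: dict, src: str, port: int, proto: str = "TCP") -> bool:
    """Selected pods default-deny ingress once Ingress is a policy type."""
    spec = policy["spec"]
    if "Ingress" not in policy_types(spec):
        return True  # this policy does not constrain ingress at all
    return any(rule_allows(r, "from", src, port, proto) for r in spec.get("ingress", []))


def egress_allowed(policy: dict, dst: str, port=None, proto: str = "TCP") -> bool:
    """Same evaluation for egress rules (port=None when the rule has no ports list)."""
    spec = policy["spec"]
    if "Egress" not in policy_types(spec):
        return True
    return any(rule_allows(r, "to", dst, port, proto) for r in spec.get("egress", []))


def verdicts(policy: dict, port: int = 443) -> dict:
    """Which of the three sources in the diagram may reach the pod on `port`."""
    return {name: ingress_allowed(policy, ip, port) for name, ip in SOURCES.items()}


if __name__ == "__main__":
    for label, pol in [("question", QUESTION), ("answer (first)", ANSWER_FIRST),
                       ("answer (updated)", ANSWER_UPDATED)]:
        print(f"{label:18} -> {verdicts(pol)}")
    print("last answer: ingress from VM allowed?", ingress_allowed(LAST_ANSWER, "10.194.65.4", 443))
    print("last answer: egress to 172.19.0.5 allowed?", egress_allowed(LAST_ANSWER, "172.19.0.5"))
```

Running it shows the question's policy admitting only the peer pod, the first answer admitting the VM's /32 (which never appears as a source behind an L7 ingress) and still rejecting the ingress pod, the update admitting only the ingress pod, and the last answer leaving ingress completely unrestricted because its `policyTypes` contains only `Egress`, while its `except` blocks 172.19.0.0/21 rather than the 172.18.0.0/21 pod range from the question.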