I have the following pods in the default namespace:

```
web-test-pod-01 1/1 Running 0 19m app=web-test-pod-01
web-test-pod-02 1/1 Running 0 18m app=web-test-pod-02
```
And in another namespace called devwebapp I have the following:

```
NAME           READY   STATUS    RESTARTS   AGE   LABELS
pod/webapp-01  1/1     Running   0          47m   run=webapp-01

NAME                    TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE   LABELS
service/svc-webapp-01   ClusterIP   10.109.4.169   <none>        80/TCP    46m   run=webapp-01
```
I also have a network policy called np-webapp-01, and its yaml descriptor:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-webapp-01
  namespace: devwebapp
spec:
  podSelector:
    matchLabels:
      run: webapp-01
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
        - podSelector:
            matchLabels:
              app: web-test-pod-01
      ports:
        - protocol: TCP
          port: 80
```
I am trying to allow only the pod web-test-pod-01 in the default namespace to access the svc-webapp-01 service, but at the moment all pods in the default namespace can access it.
```
$ k exec web-test-pod-01 -- curl -I svc-webapp-01.devwebapp.svc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0HTTP/1.1 200 OK 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
615 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Server: nginx/1.23.4
Date: Thu, 18 May 2023 08:32:34 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT
Connection: keep-alive
ETag: "64230162-267"
Accept-Ranges: bytes
```
The following pod should not be able to access the service but as of now it can reach it!
```
$ k exec web-test-pod-02 -- curl -I svc-webapp-01.devwebapp.svc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/1.1 200 OK
  0 615 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Server: nginx/1.23.4
Date: Thu, 18 May 2023 08:33:21 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT
Connection: keep-alive
ETag: "64230162-267"
Accept-Ranges: bytes
```
I am not sure why the podSelector in the network policy is not taking effect.

2 Answers
You are probably missing the default deny-all NetworkPolicy. From the docs:
In a network policy, for selecting pods and namespaces we have two conditions. You can find them in this git link.
The example below is the OR condition (the policy is enforced based on namespaceSelector or podSelector).
You have used the above condition.
While this example is the AND condition.
Can you try the 'AND' condition and let me know if this works?
Attaching a blog written by Ashish Choudhary for reference.
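As an added example (not code from the question or either answer), the following Python models the NetworkPolicy peer semantics at issue: entries of the `from` list are ORed, while selectors inside one entry are ANDed, and a `podSelector` without a `namespaceSelector` only selects pods in the policy's own namespace. It evaluates both policy shapes against the question's pods; the evaluator is a simplification (matchLabels only, no matchExpressions or ipBlock).

```python
# Added example, not from the question or either answer: a small evaluator of
# NetworkPolicy ingress peer semantics (matchLabels only; matchExpressions and
# ipBlock are out of scope). It shows why the question's policy admits
# web-test-pod-02 and why a single combined peer does not.

def _labels_match(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    """One entry of ingress[].from: selectors inside a single entry are ANDed."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not _labels_match(ns_sel, src_ns_labels):
            return False
    elif pod_sel is not None and src_ns != policy_ns:
        # A podSelector with no namespaceSelector only selects pods in the
        # policy's own namespace, so it can never match a pod in "default".
        return False
    if pod_sel is not None and not _labels_match(pod_sel, src_pod_labels):
        return False
    return True

def ingress_allowed(from_peers, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    """Entries of the from list are ORed: any one matching peer admits traffic."""
    return any(peer_allows(p, policy_ns, src_ns, src_ns_labels, src_pod_labels)
               for p in from_peers)

# Two list items (two "-" entries), as in the question: namespace OR pod.
OR_FORM = [
    {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "default"}}},
    {"podSelector": {"matchLabels": {"app": "web-test-pod-01"}}},
]
# One list item carrying both selectors: namespace AND pod.
AND_FORM = [
    {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "default"}},
     "podSelector": {"matchLabels": {"app": "web-test-pod-01"}}},
]

DEFAULT_NS_LABELS = {"kubernetes.io/metadata.name": "default"}
PODS = {"web-test-pod-01": {"app": "web-test-pod-01"},
        "web-test-pod-02": {"app": "web-test-pod-02"}}

def check(from_peers):
    """Which pods in the default namespace may reach webapp-01 in devwebapp."""
    return {name: ingress_allowed(from_peers, "devwebapp", "default", DEFAULT_NS_LABELS, labels)
            for name, labels in PODS.items()}

if __name__ == "__main__":
    print("OR form: ", check(OR_FORM))   # both True
    print("AND form:", check(AND_FORM))  # only web-test-pod-01 True
```

With the OR form, web-test-pod-01 is admitted by the namespaceSelector entry, not by the podSelector entry, which is why the latter appears to have no effect.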