
I walked through the code in a 3-node K8s cluster, and it doesn't seem like I am able to block the flow of traffic using a NetworkPolicy on a deployment pod.

Here is the output from the exercise.

user@myk8master:~$ kubectl get deployment,svc,networkpolicy
NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   X.X.X.X    <none>        443/TCP   20d
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
user@myk8master:~$ kubectl expose deployment nginx --port=80
service/nginx exposed
user@myk8master:~$ kubectl run busybox --rm -ti --image=busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (X.X.X.X:80)
remote file exists
/ # exit
Session ended, resume using 'kubectl attach busybox -c busybox -i -t' command when the pod is running
pod "busybox" deleted
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ vi network-policy.yaml
user@myk8master:~$ cat network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"

user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl apply -f network-policy.yaml
networkpolicy.networking.k8s.io/access-nginx created
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl run busybox --rm -ti --image=busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.97.229:80)
remote file exists. <<<<  THIS SHOULD NOT WORK 

I followed all the steps as is, but it seems like I am unable to block the traffic even with networkpolicy defined.

Can someone please help and let me know if I am doing something dumb here?
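As an added example (not code from the thread), here is a small offline evaluator, in Python, of the ingress semantics the question relies on. It embeds the access-nginx policy from the question as a dict, models only same-namespace podSelector peers (matchLabels and matchExpressions; namespaceSelector and ipBlock peers are not modelled), and treats an absent or empty `ingress` list as deny-all for the pods the policy selects. It shows why the unlabeled busybox pod (`kubectl run busybox` only gives it the label run=busybox) should be refused while a pod labelled access=true is admitted; on a real cluster that outcome holds only once a CNI plugin that enforces NetworkPolicy is installed, which is what the accepted answer points at.

```python
"""Offline evaluation of Kubernetes NetworkPolicy ingress rules (example, not k8s code)."""

# Constructed from the access-nginx policy in the question (spec section only).
ACCESS_NGINX = {
    "podSelector": {"matchLabels": {"app": "nginx"}},
    "ingress": [
        {"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}
    ],
}


def selector_matches(selector: dict, labels: dict) -> bool:
    """Label-selector semantics: an empty selector matches every pod."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def ingress_allowed(policies: list, target_labels: dict, source_labels: dict) -> bool:
    """True if a pod with source_labels may open a connection to a pod with target_labels.

    Assumes both pods are in one namespace and that the CNI enforces policy.
    Pods selected by no policy stay open (default allow); once any policy
    selects a pod, only traffic matching some rule of a selecting policy is admitted.
    """
    selecting = [p for p in policies if selector_matches(p["podSelector"], target_labels)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy.get("ingress", []):
            peers = rule.get("from", [])
            if not peers:
                return True  # a rule without 'from' admits every source
            for peer in peers:
                if "podSelector" in peer and selector_matches(peer["podSelector"], source_labels):
                    return True
    return False  # selected, but no rule admitted this source: denied
```

Run `ingress_allowed([ACCESS_NGINX], {"app": "nginx"}, {"run": "busybox"})` to reproduce the question's case: it returns False, the result the `wget --spider` test was expected to show.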

2 Answers


  1. Chosen as BEST ANSWER

    My bad. I forgot to set up one of the supported network services, as was indicated in the documentation. It worked flawlessly after that.


  2. As described in the documentation, restricting client access should work by using a network plugin. Because of some conflict or glitch it may not restrict the access. So try to reinstall/reconfigure.

    You can also try another method, like blocking them in NGINX.

    You can restrict access by IP address. NGINX can allow or deny access based on a particular IP address or a range of IP addresses of client computers. To allow or deny access, use the allow and deny directives inside the stream context or a server block:

     stream {
       #...
       server {
         listen 12345;
         deny   192.168.1.2;
         allow  192.168.1.1/24;
         allow  2001:0db8::/32;
         deny   all;
       }
     }
    

    Limiting the number of TCP connections. You can limit the number of simultaneous TCP connections from one IP address:

     stream {
       #...
       # define a shared-memory zone keyed by client address
       limit_conn_zone $binary_remote_addr zone=ip_addr:10m;
       #...
       server {
         listen 12345;
         # apply the zone: at most 100 simultaneous connections per client IP
         limit_conn ip_addr 100;
       }
     }
    

    You can also limit bandwidth, IP ranges, etc. Using NGINX is more flexible.

    Refer to the link for more information about network plugins.
