I am confused about an elementary network concept in k8s; can someone kindly explain this to me please? Thank you!
As described by https://github.com/bmuschko/ckad-crash-course/blob/master/exercises/31-networkpolicy/instructions.md:
All ingress Pod-to-Pod communication has been denied across all namespaces.
You want to allow the Pod busybox in namespace k1 to communicate with Pod nginx in namespace k2.
You'll create a network policy to achieve that.
I created two pods in k1 and k2 separately in a KIND cluster, and I didn't create any network policy, so I understand the pod in k1 is not allowed to talk to the pod in k2; so why am I seeing that the wget is successful between the two pods here?
$k get ns k1 k2
NAME STATUS AGE
k1 Active 10m
k2 Active 10m
$k get pod -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
k1 busybox 1/1 Running 0 11m 10.244.0.5 t1-control-plane <none> <none>
k2 nginx 1/1 Running 0 11m 10.244.0.6 t1-control-plane <none> <none>
$k get NetworkPolicy -A
No resources found
$k exec -it busybox -n k1 -- wget --timeout=5 10.244.0.6:80
Connecting to 10.244.0.6:80 (10.244.0.6:80)
saving to 'index.html'
index.html 100% |********************************| 615 0:00:00 ETA
'index.html' saved
2 Answers
Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies
As in the instructions you linked, you can create a "default" ingress isolation policy for the k2 namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods. So traffic will be blocked from k1 to k2 only once this policy has been created in the k2 namespace. It will block all ingress traffic to all pods in the k2 namespace.
The instructions say that once you create this default policy which blocks everything, you can then create further network policies to allow traffic, say from a specific pod in the k1 namespace to a specific pod in the k2 namespace.
So if you look in the solution folder, this is the policy which does that:
This policy will apply to all pods in namespace k2 which have the label app: backend, and will allow ingress traffic (over port 80) to those pods from pods in any namespace where the namespace has the label role: consumer.
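The two policies this answer describes, written out as an added example (my reconstruction from the description above, not a copy of the repository's solution file): the first document is the "default deny" from the linked Kubernetes docs, applied to namespace k2; the second is the allow rule for pods labelled app: backend from namespaces labelled role: consumer on TCP port 80. The policy names default-deny-ingress and allow-consumer-to-backend are my own choices.

```yaml
# Added example: default-deny ingress for namespace k2.
# An empty podSelector matches every pod in the namespace; listing
# Ingress under policyTypes with no ingress rules means no ingress
# traffic is allowed to any selected pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress      # assumed name
  namespace: k2
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Added example: re-allow only the traffic the exercise wants.
# Selects pods in k2 labelled app: backend and admits ingress on
# TCP/80 from any pod whose namespace carries the label role: consumer.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-consumer-to-backend # assumed name
  namespace: k2
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: consumer
    ports:
    - protocol: TCP
      port: 80
```

Both policies are namespaced, so they only ever affect pods in k2. For the allow rule to match the pods from the question, the nginx pod needs the label app: backend and the k1 namespace needs the label role: consumer (for example with kubectl label pod nginx -n k2 app=backend and kubectl label namespace k1 role=consumer); without those labels the default deny still wins. A useful check is to re-run the wget from the question after applying only the first document (it should time out) and again after applying the second (it should succeed). Note that a NetworkPolicy object is only enforced if the cluster's CNI plugin implements it, which is why the second answer points at the Cilium setup for KIND.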
The setup.yaml should create a NetworkPolicy; you also need to install Cilium to achieve the setup before applying the solution:
https://github.com/bmuschko/ckad-crash-course/blob/master/exercises/31-networkpolicy/cilium-setup.md