
I am confused about some elementary network concepts in k8s; can someone kindly explain this to me, please? Thank you!

as described by https://github.com/bmuschko/ckad-crash-course/blob/master/exercises/31-networkpolicy/instructions.md,

All ingress Pod-to-Pod communication has been denied across all namespaces. 
You want to allow the Pod busybox in namespace k1 to communicate with Pod nginx in namespace k2. 
You'll create a network policy to achieve that.

I created two pods in k1 and k2 separately in a KIND cluster, and I didn't create any network policy, so I understand that pods in k1 are not allowed to talk to pods in k2; so why am I seeing that the wget is successful between the two pods here?

$k get ns k1 k2
NAME   STATUS   AGE
k1     Active   10m
k2     Active   10m

$k get pod -A -o wide
NAMESPACE            NAME                                       READY   STATUS    RESTARTS   AGE   IP              NODE               NOMINATED NODE   READINESS GATES
k1                   busybox                                    1/1     Running   0          11m   10.244.0.5      t1-control-plane   <none>           <none>
k2                   nginx                                      1/1     Running   0          11m   10.244.0.6      t1-control-plane   <none>           <none>

$k get NetworkPolicy -A
No resources found

$k exec -it busybox -n k1 -- wget --timeout=5 10.244.0.6:80
Connecting to 10.244.0.6:80 (10.244.0.6:80)
saving to 'index.html'
index.html           100% |********************************|   615  0:00:00 ETA
'index.html' saved

2 Answers

  1. Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies

    By default, if no policies exist in a namespace, then all ingress and
    egress traffic is allowed to and from pods in that namespace.

    As in the instructions you linked, you can create a "default" ingress isolation policy for the k2 namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.

    So traffic will be blocked from k1 to k2 only once this policy is created in the k2 namespace. It will block all ingress traffic to all pods in the k2 namespace.

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default-deny-ingress
      namespace: k2
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
    

    The instructions say that once you create this default policy which blocks everything, you can then further create more network policies to allow traffic, say from a specific pod in the k1 namespace to some specific pod in the k2 namespace.

    You want to allow the Pod busybox in namespace k1 to communicate with Pod nginx in namespace k2. You'll create a network policy to achieve that.

    So if you look in the solution folder, this is the policy which does that:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-ingress-networkpolicy
      namespace: k2
    spec:
      podSelector:
        matchLabels:
          app: backend
      policyTypes:
        - Ingress
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  role: consumer
          ports:
            - protocol: TCP
              port: 80
    

    This policy will apply to all pods in namespace k2 which have the label app: backend and will allow ingress traffic (over port 80) to those pods from pods in any namespace, where the namespace has the label role: consumer.

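To make the two rules in this answer concrete, here is an added example (not part of the original answer or of the linked exercise) that models the ingress semantics the Kubernetes docs describe: a pod is non-isolated when no policy selects it, and once at least one policy selects it, only traffic matched by some policy's ingress rule gets through. The two NetworkPolicy objects are the ones quoted above, written as Python dicts; the pod and namespace labels (app: backend on nginx, role: consumer on namespace k1) are assumptions that the exercise's setup is expected to apply. The model handles matchLabels, namespaceSelector/podSelector peers and ports only; ipBlock, matchExpressions and egress are deliberately left out.

```python
"""Simplified model of Kubernetes NetworkPolicy ingress evaluation (added example)."""
from typing import Dict, List, Optional

# NetworkPolicy objects from the answer above, expressed as Python dicts.
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "k2"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
ALLOW_FROM_CONSUMER = {
    "metadata": {"name": "allow-ingress-networkpolicy", "namespace": "k2"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"role": "consumer"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}

# Constructed pods. The labels are assumptions about the exercise's setup.
BUSYBOX = {"namespace": "k1", "namespace_labels": {"role": "consumer"}, "labels": {"app": "client"}}
NGINX = {"namespace": "k2", "namespace_labels": {}, "labels": {"app": "backend"}}
UNLABELLED_CLIENT = {"namespace": "k3", "namespace_labels": {}, "labels": {}}


def _selector_matches(selector: Optional[dict], labels: Dict[str, str]) -> bool:
    """matchLabels only: a missing selector matches nothing, {} matches everything."""
    if selector is None:
        return False
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _peer_matches(peer: dict, src: dict, policy_ns: str) -> bool:
    """One entry of an ingress 'from' list. ipBlock peers are not modelled."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None and pod_sel is not None:
        # Both in the same peer: AND of namespace and pod selectors.
        return _selector_matches(ns_sel, src["namespace_labels"]) and \
            _selector_matches(pod_sel, src["labels"])
    if ns_sel is not None:
        return _selector_matches(ns_sel, src["namespace_labels"])
    if pod_sel is not None:
        # A bare podSelector is scoped to the policy's own namespace.
        return src["namespace"] == policy_ns and _selector_matches(pod_sel, src["labels"])
    return False


def _ports_match(ports: Optional[List[dict]], protocol: str, port: int) -> bool:
    """An absent/empty ports list means all ports; protocol defaults to TCP."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") in (None, port)
               for p in ports)


def ingress_allowed(policies: List[dict], src: dict, dst: dict,
                    port: int = 80, protocol: str = "TCP") -> bool:
    """True if traffic src -> dst:port would be admitted under the given policies."""
    applicable = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and _selector_matches(p["spec"].get("podSelector", {}), dst["labels"])
    ]
    if not applicable:
        return True  # no policy selects the destination pod: not isolated for ingress
    policy_ns = dst["namespace"]
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            froms = rule.get("from")
            # An absent or empty 'from' list admits every source.
            peers_ok = not froms or any(_peer_matches(peer, src, policy_ns) for peer in froms)
            if peers_ok and _ports_match(rule.get("ports"), protocol, port):
                return True
    return False  # isolated, and no rule admitted this traffic


def demo() -> Dict[str, bool]:
    """Walk through the scenarios discussed in the question and answer."""
    both = [DEFAULT_DENY_INGRESS, ALLOW_FROM_CONSUMER]
    return {
        "no_policies": ingress_allowed([], BUSYBOX, NGINX),                      # True
        "deny_only": ingress_allowed([DEFAULT_DENY_INGRESS], BUSYBOX, NGINX),    # False
        "deny_plus_allow": ingress_allowed(both, BUSYBOX, NGINX),                # True
        "deny_plus_allow_port_443": ingress_allowed(both, BUSYBOX, NGINX, 443),  # False
        "deny_plus_allow_other_ns": ingress_allowed(both, UNLABELLED_CLIENT, NGINX),  # False
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} -> {'allowed' if allowed else 'denied'}")
```

The first scenario is exactly the questioner's situation: with no policy in k2 the wget succeeds. The remaining scenarios show why the exercise needs both objects, and that the allow rule is scoped to port 80 and to namespaces carrying the role: consumer label.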
  2. The setup.yaml should create a NetworkPolicy,
    you also need to install Cilium to achieve the setup before applying the solution

    NOTE: Without a network policy controller, network policies won’t have
    any effect. You need to configure a network overlay solution that
    provides this controller. You’ll have to go through some extra steps
    to install and enable the network provider Cilium. Without adhering to
    the proper prerequisites, network policies won’t have any effect. You
    can find installation guidance in the file cilium-setup.md. If you do
    not already have a cluster, you can create one by using minikube or
    you can use the O’Reilly interactive lab "Creating a Network Policy".

    https://github.com/bmuschko/ckad-crash-course/blob/master/exercises/31-networkpolicy/cilium-setup.md
