Allowing traffic between different pods using pod network policy

Time:08-30

I have created the below pod in the default namespace

 kubectl run myhttpd --image="docker.io/library/nginx:latest" --restart=Never -l app=httpd-server --port 80

I was creating another Pod in a different namespace to check the connectivity on port 80 in the default namespace, with the below command

kubectl run cli-httpd --rm -it --image=busybox --restart=Never -l app=myhttpd -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 100.64.9.198  (IP of application in default namespace)

In order to allow the connectivity between both namespaces, I have created the below Pod network policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-ingress-80
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: myhttpd
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.64.8.0/22
    ports:
    - protocol: TCP
      port: 80

10.64.8.0/22 is the Pods network range.

But the connectivity is timing out. Please suggest how to allow this connectivity.

CodePudding user response:

In NetworkPolicy, the ipBlock is usually meant to allow communications from outside your SDN.

What you want to do is to filter based on pod labels.

Having started your test pod, check for its labels

kubectl get pods --show-labels

Pick one that identifies your Pod while not matching anything else, then fix your NetworkPolicy. It should look something like:

spec:
  ingress:
  - from:
    - podSelector: # assuming client pod belongs to same namespace as application
        matchLabels:
          app: my-test # netpol allows connections from any pod with label app=my-test
    ports:
    - port: 80 # netpol allows connections to port 80 only
      protocol: TCP
  podSelector:
    matchLabels:
      app: myhttpd  # netpol applies to any pod with label app=myhttpd
  policyTypes:
  - Ingress

While ... I'm not certain what the NetworkPolicy specification says regarding ipBlocks (can they refer to SDN ranges?) ... depending on your SDN, I guess your configuration "should" work, in some cases, maybe. Maybe your issue is only related to label selectors?

Note: to allow connections from everywhere, I would use:

spec:
  ingress:
  - {}
....
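The answer above assumes the client pod lives in the same namespace as the server. The question, however, runs the client in a different namespace, and a bare podSelector inside `from` only matches pods in the policy's own namespace, so it has to be paired with a namespaceSelector in the same list item. The manifest below is an added example (not the poster's or answerer's manifest) for that cross-namespace case; it also targets the server by the label it was actually created with in the question (`app=httpd-server`), and `CLIENT_NAMESPACE` is a placeholder for the client pod's namespace.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-ingress-80
  namespace: default
spec:
  # The server was created with "-l app=httpd-server" (see the kubectl run
  # command in the question); a podSelector for app=myhttpd would select no
  # pod in "default", so the policy would never apply to the server at all.
  podSelector:
    matchLabels:
      app: httpd-server
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector written in the SAME "from" entry are
    # ANDed: only pods labelled app=myhttpd inside the selected namespace.
    # (Listing them as two separate "-" entries would OR them and admit every
    # pod in that namespace.)  kubernetes.io/metadata.name is set on every
    # namespace automatically since Kubernetes 1.21; CLIENT_NAMESPACE is a
    # placeholder for the namespace the busybox client runs in.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: CLIENT_NAMESPACE
      podSelector:
        matchLabels:
          app: myhttpd
    ports:
    - protocol: TCP
      port: 80
```

Before applying, confirm the target selector really matches the server with `kubectl get pods -n default -l app=httpd-server`; a policy whose podSelector matches nothing is silently a no-op, and NetworkPolicy is only enforced at all when the cluster's CNI plugin implements it.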