I have a Kubernetes cluster running behind a NAT. Now I want to forbid the pods to communicate with the network in which my Kubernetes nodes / servers are. The network has the CIDR: 10.12.12.0/27.
I've already tried the Kubernetes NetworkPolicy, but I haven't figured out how to prohibit communication with certain IPs. Instead, I have limited the communication to these IPs. Here is my previous NetworkPolicy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-net-kubernetes
  namespace: default
spec:
  podSelector:
    matchLabels:
      namespace: default
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.12.12.0/27
Many thanks in advance! Kind regards Niclas
CodePudding user response:
You can use the except block to filter out some IPs. Using that, the below example is allowing all egress but blocking traffic to 10.12.12.0/27
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-net-kubernetes
  namespace: default
spec:
  podSelector:
    matchLabels:
      namespace: default
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
      except:
      - 10.12.12.0/27
CodePudding user response:
Thanks to P....! It works! But there is a little formatting error: the except: statement needs to be indented one more. Like here:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-net-kubernetes
  namespace: default
spec:
  podSelector:
    matchLabels:
      namespace: default
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.12.12.0/27
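To check what the two policies in this thread actually permit before applying them, here is an added example (not from the thread or from Kubernetes itself) that evaluates ipBlock egress rules for a destination IP and rejects an except range that lies outside its cidr, as the API server would. The rules are constructed as Python dicts mirroring the YAML above; the real enforcement is done by the cluster's CNI plugin, which must support NetworkPolicy.

```python
import ipaddress

# Constructed rules mirroring the corrected policy (allow all, block nodes)
# and the questioner's original policy (allow only the node network).
CORRECTED_RULES = [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.12.12.0/27"]}}]}
]
QUESTION_RULES = [{"to": [{"ipBlock": {"cidr": "10.12.12.0/27"}}]}]


def validate_ip_block(block):
    """Return the cidr as a network; every 'except' must be a subnet of it."""
    net = ipaddress.ip_network(block["cidr"], strict=True)
    for exc in block.get("except", []):
        exc_net = ipaddress.ip_network(exc, strict=True)
        if exc_net.version != net.version or not exc_net.subnet_of(net):
            raise ValueError(f"except {exc} is not within cidr {block['cidr']}")
    return net


def ip_block_matches(block, dst):
    """True if dst is inside cidr and not inside any except range."""
    net = validate_ip_block(block)
    if dst.version != net.version or dst not in net:
        return False
    return not any(dst in ipaddress.ip_network(e) for e in block.get("except", []))


def egress_allowed(rules, dst_ip):
    """True if some egress rule has an ipBlock peer that permits dst_ip.

    A pod selected by an Egress policy may only send to destinations that
    match at least one rule, so no match means the traffic is dropped.
    Only ipBlock peers are evaluated; podSelector/namespaceSelector peers
    (not used in this thread) are ignored.
    """
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        for peer in rule.get("to", []):
            if "ipBlock" in peer and ip_block_matches(peer["ipBlock"], dst):
                return True
    return False


if __name__ == "__main__":
    for ip in ("10.12.12.5", "10.12.12.32", "8.8.8.8"):
        print(ip, "corrected:", egress_allowed(CORRECTED_RULES, ip),
              "question:", egress_allowed(QUESTION_RULES, ip))
```

Note that 10.12.12.0/27 covers 10.12.12.0 to 10.12.12.31 only; 10.12.12.32 is outside it and stays reachable under the corrected policy.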