The Problem
I've defined a kubernetes egress rule from pod `test-1` to a specific pod `test-2`, but this rule also blocks traffic from `test-1` to `test-2`:
- I've created two pods: `test-1` and `test-2`
- I've created a networkpolicy that allows only egress traffic from `test-1` to `test-2`
- I've tried to call `test-2` from `test-1` by `curl test-2`. But this call is blocked!
- I've checked the selectors

Both selectors return the expected pod:

```shell
kubectl describe networkpolicies test-1-policy
kubectl get pod --selector app.kubernetes.io/name=test-1
kubectl get pod --selector app.kubernetes.io/name=test-2
```
When I remove the networkpolicy, the connection by `curl test-2` works.
My Question: What did I miss?
Here's how to reproduce the problem:

- Paste yaml into file `deployment.yaml` (see below)
- Deploy demo: `kubectl apply -f deployment.yaml`
- Exec into pod: `kubectl exec --stdin --tty $(kubectl get pod -l app.kubernetes.io/name=test-1 -o jsonpath="{.items[0].metadata.name}") -- /bin/bash`
- Call request in pod: `curl test-2` => request is blocked
- Remove networkpolicy: `kubectl delete networkpolicy test-1-policy`
- Exec in pod and call request => request is executed
Here's the complete yaml:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-1
  labels:
    app.kubernetes.io/name: test-1
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-1
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - name: http
          containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-2
  labels:
    app.kubernetes.io/name: test-2
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-2
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-2
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - name: http
          containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: test-1
  labels:
    app.kubernetes.io/name: test-1
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: http
    name: http
  selector:
    app.kubernetes.io/name: test-1
---
apiVersion: v1
kind: Service
metadata:
  name: test-2
  labels:
    app.kubernetes.io/name: test-2
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: http
    name: http
  selector:
    app.kubernetes.io/name: test-2
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: test-1-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: test-1
  policyTypes:
  - Ingress
  - Egress
  ingress: []
  egress:
  - to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: test-2
    ports:
    - port: 80
      protocol: TCP
```
CodePudding user response:
The DNS egress rule is missing. When you add the egress rules for port 53, everything works as expected:

```yaml
egress:
- ports:
  - port: 53
    protocol: UDP
  - port: 53
    protocol: TCP
```
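The complete `test-1-policy` with the DNS rule from the answer folded in, as an added example (not part of the original question or answer). Why the original fails: once `policyTypes` lists `Egress`, every outbound flow from `test-1` that no `egress` rule matches is dropped, and that includes the UDP/TCP 53 lookup `curl test-2` has to make to resolve the Service name through cluster DNS, so the request fails before any TCP connection to port 80 is attempted. The answer's snippet allows port 53 to any destination; the version below instead scopes DNS to the cluster DNS pods. The `kube-system` namespace label `kubernetes.io/metadata.name` (set automatically by Kubernetes since 1.22) and the CoreDNS pod label `k8s-app: kube-dns` are assumptions that hold on common distributions but must be checked on the target cluster.

```yaml
# Added example: test-1-policy with the missing DNS egress rule.
# Entries under egress are ORed: a packet leaving test-1 is allowed if it matches any one of them.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: test-1-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: test-1
  policyTypes:
  - Ingress
  - Egress
  ingress: []        # empty list: no inbound traffic to test-1 at all (unchanged from the question)
  egress:
  # Rule 1 (unchanged from the question): HTTP to test-2 pods in the same namespace.
  # podSelector alone only matches pods in the policy's own namespace.
  - to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: test-2
    ports:
    - port: 80
      protocol: TCP
  # Rule 2: DNS, restricted to the cluster DNS pods rather than "port 53 anywhere".
  # namespaceSelector and podSelector inside ONE "to" entry are ANDed (pods with that
  # label in that namespace); as separate entries they would be ORed.
  # Assumed labels: namespace kubernetes.io/metadata.name=kube-system and pods k8s-app=kube-dns.
  # Verify with: kubectl -n kube-system get pods --show-labels
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```

Apply it with `kubectl apply -f` in place of the original policy and repeat the test from the `test-1` pod with `curl -sS -m 5 test-2`. If name resolution still fails, the assumed DNS labels are wrong for this cluster: the scoped rule fails closed and produces exactly the symptom in the question, so compare the labels against `kubectl -n kube-system get pods --show-labels`. Conversely, if traffic flows even with the original, DNS-less policy, check that the cluster's CNI plugin enforces NetworkPolicy at all; a CNI without policy support accepts the object and silently ignores it.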