Kubernetes egress rule blocks all outgoing traffic

Time:02-22

The Problem

I've defined a Kubernetes egress rule from pod test-1 to a specific pod test-2, but this rule also blocks traffic from test-1 to test-2:

  1. I've created two pods: test-1 and test-2
  2. I've created a networkpolicy that allows only egress traffic from test-1 to test-2
  3. I've tried to call test-2 from test-1 by curl test-2. But this call is blocked!
  4. I've checked the selectors

Both selectors return the expected pod:

kubectl describe networkpolicies test-1-policy
kubectl get pod --selector app.kubernetes.io/name=test-1
kubectl get pod --selector app.kubernetes.io/name=test-2

When I remove the networkpolicy, the connection via curl test-2 works.

My Question: What did I miss?

Here's how to reproduce the problem

  1. Paste yaml into file deployment.yaml (see below)
  2. Deploy demo kubectl apply -f deployment.yaml
  3. Exec into pod: kubectl exec --stdin --tty $(kubectl get pod -l app.kubernetes.io/name=test-1 -o jsonpath="{.items[0].metadata.name}") -- /bin/bash
  4. Call request in pod: curl test-2 => request is blocked
  5. Remove networkpolicy: kubectl delete networkpolicy test-1-policy
  6. Exec in pod and call request => request is executed

Here's the complete yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-1
  labels:
    app.kubernetes.io/name: test-1
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-1
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - name: http
              containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-2
  labels:
    app.kubernetes.io/name: test-2
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-2
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-2
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - name: http
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: test-1
  labels:
    app.kubernetes.io/name: test-1
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      name: http
  selector:
    app.kubernetes.io/name: test-1
---
apiVersion: v1
kind: Service
metadata:
  name: test-2
  labels:
    app.kubernetes.io/name: test-2
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      name: http
  selector:
    app.kubernetes.io/name: test-2
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: test-1-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: test-1
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: test-2
      ports:
        - port: 80
          protocol: TCP

CodePudding user response:

The DNS egress rule is missing.

When you add the egress rules for port 53 everything works as expected:

  egress:
    - ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/11-deny-egress-traffic-from-an-application.md
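The failure above is easy to miss in review: the policy looks like it allows test-1 to reach test-2, but `curl test-2` first has to resolve the name through the cluster DNS, and an egress allow-list that omits port 53 silently breaks that. The following check, an added example that is not part of the question or the answer, takes a NetworkPolicy in the dict form that `json.loads` gives for `kubectl get networkpolicy <name> -o json` and reports whether any egress rule lets DNS (53/UDP and 53/TCP) out. It embeds a constructed JSON copy of the question's `test-1-policy` and then applies the answer's port-53 rule to it; the function names (`dns_protocols_allowed`, `lint_policy`, `with_dns_rule`) are this example's own.

```python
"""Lint a Kubernetes NetworkPolicy for the "egress restricted, DNS forgotten" pitfall.
Added example: the policy JSON below is a constructed copy of the question's manifest,
not captured cluster output."""
import copy
import json

DNS_PORT = 53
PROTOCOLS = ("UDP", "TCP")


def _entry_covers(entry, port, proto):
    """True if one NetworkPolicyPort entry covers port/proto.
    Named ports (strings) cannot be resolved without the peer's pod spec, so they
    are conservatively treated as NOT covering the port."""
    if entry.get("protocol", "TCP") != proto:
        return False
    start = entry.get("port")
    if start is None:                 # entry without 'port' matches every port of that protocol
        return True
    if not isinstance(start, int):
        return False
    end = entry.get("endPort", start)  # endPort (k8s >= 1.25 GA) widens a single port to a range
    return start <= port <= end


def dns_protocols_allowed(policy):
    """Return the set of protocols over which some egress rule lets port 53 out."""
    spec = policy.get("spec", {})
    egress = spec.get("egress") or []
    policy_types = spec.get("policyTypes")
    if policy_types is None:
        # API-server default: Ingress always; Egress only when egress rules are present
        policy_types = ["Ingress"] + (["Egress"] if egress else [])
    if "Egress" not in policy_types:
        return set(PROTOCOLS)         # this policy does not restrict egress at all
    allowed = set()
    for rule in egress:
        ports = rule.get("ports")
        if ports is None:             # rule without 'ports' allows every port to its peers
            return set(PROTOCOLS)
        for entry in ports:
            for proto in PROTOCOLS:
                if _entry_covers(entry, DNS_PORT, proto):
                    allowed.add(proto)
    return allowed


def lint_policy(policy):
    """Return human-readable findings; an empty list means DNS egress is permitted."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    allowed = dns_protocols_allowed(policy)
    return [
        f"{name}: egress is restricted but 53/{proto} is not allowed; "
        "in-cluster names such as 'test-2' will not resolve"
        for proto in PROTOCOLS if proto not in allowed
    ]


# The answer's fix, as a rule object: DNS to any destination (no 'to' block).
DNS_RULE = {"ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]}


def with_dns_rule(policy, rule=DNS_RULE):
    """Return a copy of the policy with the DNS rule appended to its egress list."""
    fixed = copy.deepcopy(policy)
    fixed.setdefault("spec", {}).setdefault("egress", []).append(rule)
    return fixed


# Constructed JSON equivalent of the question's test-1-policy (what kubectl -o json would show).
QUESTION_POLICY_JSON = """
{
  "apiVersion": "networking.k8s.io/v1",
  "kind": "NetworkPolicy",
  "metadata": {"name": "test-1-policy"},
  "spec": {
    "podSelector": {"matchLabels": {"app.kubernetes.io/name": "test-1"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [],
    "egress": [
      {
        "to": [{"podSelector": {"matchLabels": {"app.kubernetes.io/name": "test-2"}}}],
        "ports": [{"port": 80, "protocol": "TCP"}]
      }
    ]
  }
}
"""
QUESTION_POLICY = json.loads(QUESTION_POLICY_JSON)
FIXED_POLICY = with_dns_rule(QUESTION_POLICY)

if __name__ == "__main__":
    for label, pol in (("as posted", QUESTION_POLICY), ("with DNS rule", FIXED_POLICY)):
        findings = lint_policy(pol)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against the posted policy it reports both 53/UDP and 53/TCP as blocked; after the answer's rule is appended it reports nothing. Note that the answer's rule has no `to` block, so it permits DNS to any destination the CNI can reach; a tighter variant adds a `to` entry selecting only the cluster DNS pods (on kubeadm-style clusters commonly labelled `k8s-app: kube-dns` in `kube-system`), and this check accepts either form because it only looks at the `ports` list.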
