I have a service that I want to be able to access the internet and no other pods. However, ALL egress rules seem to block all egress.
# No NetworkPolicies
kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com'
With no NetworkPolicy my pod can access the internet. Next I make a NetworkPolicy that allows egress to all IP-addresses.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: mytestnamespace
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
But now curl can no longer access the internet, but WHY??????
With NetworkPolicies allowing Egress to all IPs!
kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com'
Why does this NetworkPolicy block all egress? Makes no sense!
CodePudding user response:
The reason is, curl attempts to form a 2-way TCP connection with the HTTP server at www.google.com. This means, both egress and ingress traffic need to be allowed on your policy. Currently, only out-bound traffic is allowed. Maybe, you'll be able to see this in more detail if you run curl in verbose mode:
# -v goes to curl, inside the quoted command, not to kubectl
kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl -v www.google.com'
You can then see the communication back and forth marked by arrows > (out-going) and < (in-coming). You'll notice only > arrows will be listed and no < traffic will be shown.
Note: If you do something simpler like ping google.com it might work, since this is a simple state-less communication.
In order to have this, you can simply add an allow-all ingress rule to your policy like:
  ingress:
    - {}
Also, there's a simpler way to allow all egress traffic simply as:
  egress:
    - {}
I hope this helps. You can read more about policies here.
CodePudding user response:
It turns out that despite opening up to all IP-addresses, the NetworkPolicy does not allow egress to the DNS pod.
# Identifying DNS pod
kubectl get pods -A | grep dns
# Identifying DNS pod label
kubectl describe pods -n kube-system coredns-64cfd66f7-rzgwk
Next I add the dns label to the egress policy:
# network_policy.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-all
  namespace: mytestnamespace
spec:
  podSelector: {}
  policyTypes:
    - Egress
    # Listing Ingress with no ingress rules below denies all inbound traffic to these pods.
    - Ingress
  egress:
    - to:
        - ipBlock:
            cidr: "0.0.0.0/0"
    # namespaceSelector and podSelector in the same peer are AND-ed (DNS pods in kube-system);
    # as two separate peers they would be OR-ed and allow every pod in kube-system.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: "kube-system"
          podSelector:
            matchLabels:
              k8s-app: "kube-dns"
I apply the network policy and test the curl calls:
# Setting up policy
kubectl apply -f network_policy.yaml
# Testing curl call
kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com'
SUCCESS! Now I can make egress calls, next I just have to block the appropriate IP-addresses in the private network.
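As an added example that is not part of this thread (a constructed check, not Kubernetes tooling), this Python snippet scans a NetworkPolicy parsed into a dict for the three pitfalls the thread runs into: a policy type listed with no rules of that type, egress with no peer selecting the kube-dns pods, and namespaceSelector and podSelector as separate peers. The sample policies are re-typed from the question and the second answer; the third is the combined form.

```python
# Added example (not from the thread): lint a NetworkPolicy, given as a parsed dict,
# for the three pitfalls this thread runs into. Sample policies are constructed.

def lint_network_policy(policy: dict) -> list[str]:
    """Return human-readable warnings for common NetworkPolicy mistakes."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes", [])
    egress = spec.get("egress", [])
    warnings = []
    # 1. A type listed in policyTypes with no rules of that type denies all such traffic.
    for kind in ("Ingress", "Egress"):
        if kind in types and not spec.get(kind.lower()):
            warnings.append(f"{kind} listed in policyTypes with no rules: all {kind.lower()} denied")
    if "Egress" in types and egress and {} not in egress:  # '- {}' already allows everything
        peers = [p for rule in egress for p in rule.get("to", [])]
        # 2. ipBlock-only egress gives no explicit allow to the in-cluster DNS pods.
        if not any(p.get("podSelector", {}).get("matchLabels", {}).get("k8s-app") == "kube-dns"
                   for p in peers):
            warnings.append("no egress peer selects kube-dns pods: name resolution may fail")
        # 3. namespaceSelector and podSelector as separate peers are OR-ed, not AND-ed.
        for rule in egress:
            to = rule.get("to", [])
            if any(set(p) == {"namespaceSelector"} for p in to) and \
               any(set(p) == {"podSelector"} for p in to):
                warnings.append("namespaceSelector and podSelector are separate peers (OR); "
                                "put both in one peer to select DNS pods only")
    return warnings

DNS_PEER = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}
ANY_IP = {"ipBlock": {"cidr": "0.0.0.0/0"}}

# The question's policy: ipBlock only, so DNS lookups have no explicit allow.
QUESTION_POLICY = {"spec": {"podSelector": {}, "policyTypes": ["Egress"],
                            "egress": [{"to": [ANY_IP]}]}}
# The second answer's policy: Ingress with no rules, and split selectors.
ANSWER_POLICY = {"spec": {"podSelector": {}, "policyTypes": ["Egress", "Ingress"],
                          "egress": [{"to": [ANY_IP]},
                                     {"to": [{"namespaceSelector": DNS_PEER["namespaceSelector"]},
                                             {"podSelector": DNS_PEER["podSelector"]}]}]}}
# Combined selector in one peer, Egress only: no warnings.
FIXED_POLICY = {"spec": {"podSelector": {}, "policyTypes": ["Egress"],
                         "egress": [{"to": [ANY_IP]}, {"to": [DNS_PEER]}]}}

if __name__ == "__main__":
    for name, pol in [("question", QUESTION_POLICY), ("answer", ANSWER_POLICY), ("fixed", FIXED_POLICY)]:
        print(name, lint_network_policy(pol) or ["ok"])
```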