Error with documentation ?? NetworkPolicy?-CodePudding

I walked through the code in a 3 node K8 cluster and doesn't seem like I am able to block the flow of traffic using networkpolicy on a deployment pod.

Here is the the output from the exercise.

user@myk8master:~$ kubectl get deployment,svc,networkpolicy
NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   X.X.X.X    <none>        443/TCP   20d
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
user@myk8master:~$ kubectl expose deployment nginx --port=80
service/nginx exposed
user@myk8master:~$ kubectl run busybox --rm -ti --image=busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (X.X.X.X:80)
remote file exists
/ # exit
Session ended, resume using 'kubectl attach busybox -c busybox -i -t' command when the pod is running
pod "busybox" deleted
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ vi network-policy.yaml
user@myk8master:~$ cat network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"

user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl apply -f network-policy.yaml
networkpolicy.networking.k8s.io/access-nginx created
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl run busybox --rm -ti --image=busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.97.229:80)
remote file exists. <<<<  THIS SHOULD NOT WORK

I followed all the steps as is, but it seems like I am unable to block the traffic even with networkpolicy defined.

Can someone please help and let me know if I am doing something dumb here?

CodePudding user response：

As described in the documentation , restricting client access should work by using a network plugin. Because of some conflict or glitch it may not restrict the access. So try to reinstall/reconfigure.

You can also try another method like blocking them in NGINX

You can restrict Access by IP Address. NGINX can allow or deny access based on a particular IP address or the range of IP addresses of client computers. To allow or deny access, use the allow and deny directives inside the stream context or a server block:

 stream {
     #...
     server {
       listen 12345;
       deny   192.168.1.2;
       allow  192.168.1.1/24;
       allow  2001:0db8::/32;
       deny   all;
     }
   }

Limiting the Number of TCP Connections. You can limit the number of simultaneous TCP connections from one IP address:

 stream {
   #...
   limit_conn_zone $binary_remote_addr zone=ip_addr:10m;
   #...
  }

you can also limit bandwidth and ip range etc.,Using NGINX is more flexible.

Refer to the link for more information about network plugins.

CodePudding user response：

My bad. I forgot to setup either one of the supported network services, as was indicated in the documentation. It worked flawlessly after that.