I walked through the code in a 3-node K8s cluster, and it doesn't seem like I am able to block the flow of traffic using a NetworkPolicy on a deployment pod.
Here is the output from the exercise.
user@myk8master:~$ kubectl get deployment,svc,networkpolicy
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP X.X.X.X <none> 443/TCP 20d
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
user@myk8master:~$ kubectl expose deployment nginx --port=80
service/nginx exposed
user@myk8master:~$ kubectl run busybox --rm -ti --image=busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (X.X.X.X:80)
remote file exists
/ # exit
Session ended, resume using 'kubectl attach busybox -c busybox -i -t' command when the pod is running
pod "busybox" deleted
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ vi network-policy.yaml
user@myk8master:~$ cat network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl apply -f network-policy.yaml
networkpolicy.networking.k8s.io/access-nginx created
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl run busybox --rm -ti --image=busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.97.229:80)
remote file exists. <<<< THIS SHOULD NOT WORK
I followed all the steps as is, but it seems like I am unable to block the traffic even with the NetworkPolicy defined.
Can someone please help and let me know if I am doing something dumb here?
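The following is an added example, not code from the question or from any of the answers: a small Python evaluator that applies the label-selection rules of the access-nginx NetworkPolicy above to a set of constructed pods, so you can see which clients a policy-enforcing CNI plugin would admit. It implements the core Kubernetes semantics (podSelector isolation, matchLabels/matchExpressions, namespace-local podSelector peers, rules with no `from` admitting everything) but leaves out ipBlock peers and egress; the pod names, labels and the NAMESPACE_LABELS table are constructed for the demonstration.

```python
"""Evaluate NetworkPolicy ingress decisions for constructed pods.

Added example, not from the original post. Reproduces what a CNI plugin that
enforces NetworkPolicy decides for the access-nginx policy. With no enforcing
plugin the API object exists but nothing applies it, which behaves exactly
like the empty policy list at the bottom of this file.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


# The policy from the question, transcribed from YAML into a dict (no PyYAML needed).
ACCESS_NGINX = {
    "metadata": {"name": "access-nginx", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "ingress": [
            {"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}
        ],
    },
}

# Constructed namespace labels; only used when a peer carries a namespaceSelector.
NAMESPACE_LABELS = {"default": {"kubernetes.io/metadata.name": "default"}}


def selector_matches(selector, labels):
    """Label selector semantics: matchLabels and matchExpressions are ANDed;
    an empty selector ({}) matches every object; a missing selector matches nothing."""
    if selector is None:
        return False
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def policy_types(policy):
    """policyTypes defaults to Ingress, plus Egress only if an egress section exists."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def peer_matches(peer, src, dst_namespace):
    """One entry of a rule's 'from' list. A podSelector on its own only selects
    pods in the policy's own namespace; with a namespaceSelector it selects
    pods in the namespaces that selector matches. ipBlock is not modelled here."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    if ns_sel is None:
        ns_ok = src.namespace == dst_namespace
    else:
        ns_ok = selector_matches(ns_sel, NAMESPACE_LABELS.get(src.namespace, {}))
    pod_ok = True if pod_sel is None else selector_matches(pod_sel, src.labels)
    return ns_ok and pod_ok


def ingress_allowed(policies, src, dst):
    """True if src may open a connection to dst. Pods selected by no ingress
    policy are non-isolated and accept everything; a selected pod accepts only
    traffic that some rule of some selecting policy admits."""
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != dst.namespace or "Ingress" not in policy_types(pol):
            continue
        if not selector_matches(spec.get("podSelector", {}), dst.labels):
            continue
        isolated = True
        for rule in spec.get("ingress") or []:
            peers = rule.get("from")
            if not peers:  # a rule without 'from' admits all sources
                return True
            if any(peer_matches(p, src, dst.namespace) for p in peers):
                return True
    return not isolated


# Constructed pods mirroring the exercise: the nginx deployment pod, the
# busybox pod as `kubectl run` creates it, and a busybox carrying access=true.
NGINX = Pod("nginx-deployment-pod", "default", {"app": "nginx"})
BUSYBOX_PLAIN = Pod("busybox", "default", {"run": "busybox"})
BUSYBOX_ACCESS = Pod("busybox-access", "default", {"run": "busybox", "access": "true"})


def demo(policies=(ACCESS_NGINX,)):
    """Map each constructed client pod to the decision an enforcing CNI would make."""
    return {p.name: ingress_allowed(list(policies), p, NGINX)
            for p in (BUSYBOX_PLAIN, BUSYBOX_ACCESS)}


if __name__ == "__main__":
    print("policy enforced:", demo())        # busybox denied, busybox-access allowed
    print("nothing enforced:", demo([]))     # both allowed, as seen in the question
```

Run with the policy list empty and both pods are admitted, which is the symptom in the transcript: the YAML is accepted by the API server regardless of whether the cluster's network plugin enforces it. To make the labelled case pass in a real cluster, start the client with `kubectl run busybox --rm -ti --labels="access=true" --image=busybox -- /bin/sh`.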
CodePudding user response:
As described in the documentation, restricting client access should work by using a network plugin. Because of some conflict or glitch it may not restrict the access. So try to reinstall/reconfigure.
You can also try another method, like blocking them in NGINX.
You can restrict Access by IP Address. NGINX can allow or deny access based on a particular IP address or the range of IP addresses of client computers. To allow or deny access, use the allow and deny directives inside the stream context or a server block:
stream {
    #...
    server {
        listen 12345;
        deny   192.168.1.2;
        allow  192.168.1.1/24;
        allow  2001:0db8::/32;
        deny   all;
    }
}
Limiting the Number of TCP Connections. You can limit the number of simultaneous TCP connections from one IP address:
stream {
    #...
    limit_conn_zone $binary_remote_addr zone=ip_addr:10m;
    #...
}
You can also limit bandwidth, IP ranges, etc. Using NGINX is more flexible.
Refer to the link for more information about network plugins.
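Added example, not part of the answer above: a Python model of how the NGINX access module evaluates a list of `allow`/`deny` directives, so the ordering of a block like the one in the answer can be checked against sample client addresses before it goes live. The semantics modelled are the documented ones (directives are checked in order, the first match wins, and a client matching nothing is allowed, which is why the trailing `deny all` is what turns the block into an allowlist); the config text and client addresses are constructed, and `unix:` sources are not handled.

```python
"""Model NGINX allow/deny evaluation order (added example, not from the answer)."""
import ipaddress

# Constructed config: the stream server block from the answer, with a comment
# and a directive that is not an access rule, to exercise the parser.
SAMPLE_CONFIG = """
stream {
    #...
    server {
        listen 12345;
        deny   192.168.1.2;      # one host blocked before its subnet is allowed
        allow  192.168.1.1/24;
        allow  2001:0db8::/32;
        deny   all;
    }
}
"""


def parse_access_rules(config_text):
    """Return [(action, network_or_None)] in file order. 'all' becomes None.
    strict=False mirrors NGINX accepting 192.168.1.1/24 as the /24 that contains it."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue  # listen, braces, blank lines, other directives
        action, target = parts
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def access_decision(rules, client_ip):
    """First matching directive decides; no match means allow (NGINX default)."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action
    return "allow"


def check_config(config_text, client_ips):
    """Map each sample client address to the decision the config would make."""
    rules = parse_access_rules(config_text)
    return {ip: access_decision(rules, ip) for ip in client_ips}


if __name__ == "__main__":
    samples = ["192.168.1.2", "192.168.1.50", "10.0.0.1", "2001:db8::1", "2001:db9::1"]
    for ip, verdict in check_config(SAMPLE_CONFIG, samples).items():
        print(f"{ip:>14}  {verdict}")
```

Dropping the final `deny all` and re-running `check_config` shows every unmatched address flipping to `allow`, which is the usual mistake when the block is meant as an allowlist.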
CodePudding user response:
My bad. I forgot to setup either one of the supported network services, as was indicated in the documentation. It worked flawlessly after that.