Ingress Network Policy

I have created a two-node cluster, 1 master (10.13.2.65) and 1 minion (10.13.2.66), and run an nginx app as a pod. Now I have applied the ingress network policy below to allow the traffic from 10.13.2.64:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-policy
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.13.2.64/32 # Allow traffic from a specific CIDR range

Problem: When I try to access the application from 10.13.2.64 via the master IP, like curl 10.13.2.65:30838, it is not allowed, but when I try to access it directly via the minion IP, 10.13.2.66:30838, it is accessible. Ideally it should work via the master as well. Please let me know if I need to configure anything or am missing something.

Cluster information:

Kubernetes version: v1.24.8
Cloud being used: Virtual machines
Installation method:
Host OS: Ubuntu
CNI and version: Calico, cniVersion 0.3.1
CRI and version: docker://24.0.5

By default any ingress and egress are allowed. So it seems you just blocked the ingress from .64, but I don’t understand what’s wrong in your yaml.

Try to disable all ingress:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

and then allow something (don't you need egress too to get the result of the curl?):

Try to add a namespace to be sure (is your my-app in the default ns?):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-policy
  namespace: something
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.13.2.64/32
  egress:
    - to:
        - ipBlock:
            cidr: 10.13.2.64/32

Yes, by default everything is allowed. I have created the policy to just allow 10.13.2.64. If I am not giving a rule in egress then it will allow all, so I should get the result of the curl.

When I apply this policy, it gets applied and I can see it in kubectl get networkpolicy, but the problem I am facing is that when I try to curl from 10.13.2.64 to the master IP it is not working, but when I use the minion IP it works as expected.

Does the master remove the source IP when it is sending to the minion? Do we have any configuration where we can retain the source IP?
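The following Python script is an added example, not part of the thread, that models the two pieces at play: how a NetworkPolicy `ipBlock` (with its optional `except` list) decides whether a source address is admitted, and what source address the pod actually sees when a NodePort connection enters the cluster on one node and is forwarded to a pod on another. With the default `spec.externalTrafficPolicy: Cluster`, kube-proxy SNATs such cross-node NodePort traffic to the entry node's address, so the policy matches against the node IP rather than the client IP; with `externalTrafficPolicy: Local`, kube-proxy only forwards to pods on the entry node and preserves the client IP (and drops the connection if no local pod exists). The addresses and the policy are constructed to mirror the thread; the same-node behaviour in the model is taken from what the poster observed, not verified here.

```python
import ipaddress

# Constructed values mirroring the thread: client, master and minion addresses
# and the single ipBlock from the poster's NetworkPolicy.
CLIENT_IP = "10.13.2.64"
MASTER_IP = "10.13.2.65"
MINION_IP = "10.13.2.66"
POLICY_IPBLOCKS = [{"cidr": "10.13.2.64/32"}]


def ipblock_allows(source_ip, ipblocks):
    """NetworkPolicy ipBlock semantics: a source is admitted if it lies inside
    some block's `cidr` and not inside any entry of that block's `except` list."""
    addr = ipaddress.ip_address(source_ip)
    for block in ipblocks:
        if addr not in ipaddress.ip_network(block["cidr"], strict=False):
            continue
        excluded = any(addr in ipaddress.ip_network(e, strict=False)
                       for e in block.get("except", []))
        if not excluded:
            return True
    return False


def source_seen_by_pod(client_ip, entry_node_ip, pod_node_ip,
                       external_traffic_policy="Cluster"):
    """Model the source address the pod (and the CNI enforcing the policy) sees.

    Cluster (default): a NodePort connection entering one node for a pod on
    another node is SNATed to the entry node's address before forwarding.
    Local: kube-proxy forwards only to pods on the entry node and keeps the
    client IP; with no local pod the connection is dropped (None here).
    Assumption (from the thread's observation, not verified): with Cluster and
    the pod on the entry node, the client IP is seen unchanged.
    """
    if external_traffic_policy == "Local":
        return client_ip if entry_node_ip == pod_node_ip else None
    if entry_node_ip == pod_node_ip:
        return client_ip
    return entry_node_ip


def nodeport_reachable(client_ip, entry_node_ip, pod_node_ip, ipblocks,
                       external_traffic_policy="Cluster"):
    """Does a connection from client_ip via entry_node_ip reach the pod on
    pod_node_ip under the given ipBlock allowlist?"""
    seen = source_seen_by_pod(client_ip, entry_node_ip, pod_node_ip,
                              external_traffic_policy)
    if seen is None:
        return False
    return ipblock_allows(seen, ipblocks)


if __name__ == "__main__":
    # Reproduce the thread: the pod runs on the minion; try both entry nodes
    # under both traffic policies.
    for entry, label in ((MASTER_IP, "master"), (MINION_IP, "minion")):
        for etp in ("Cluster", "Local"):
            ok = nodeport_reachable(CLIENT_IP, entry, MINION_IP, POLICY_IPBLOCKS, etp)
            seen = source_seen_by_pod(CLIENT_IP, entry, MINION_IP, etp)
            print(f"via {label} ({entry}), externalTrafficPolicy={etp}: "
                  f"pod sees {seen}, policy {'allows' if ok else 'blocks'}")
```

Running it shows the thread's symptom: via the master with the default policy the pod sees 10.13.2.65, which the `10.13.2.64/32` block does not match, while via the minion the client address is seen and admitted. Setting `externalTrafficPolicy: Local` on the Service preserves the client IP but then only nodes hosting the pod answer on the NodePort. Widening the `ipBlock` to include the node addresses instead would admit any client that arrives through those nodes, so it is the weaker choice from a policy standpoint.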