Network Policy not applied to OpenVPN Container?

Akito · July 13, 2022, 2:25pm

spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8

This is a snippet from a network policy applied to a namespace, which contains an OpenVPN deployment.

The container has the NET_ADMIN capability available.

For the OpenVPN setup to work, an iptables rule is created inside the container (not on the node), which looks like the following.

iptables -t nat -A POSTROUTING -s 10.95.0.0/255.255.0.0 -o eth0 -j MASQUERADE

Now, the NetworkPolicy works as expected on everything, all deployments and containers, as necessary, however the OpenVPN server is reachable through the internet and can communicate with clients over IPs like 10.95.0.9.

How can the OpenVPN server communicate through that IP, when a range including this IP is explicitly blocked for access by a NetworkPolicy applied to the namespace containing the Deployment with the OpenVPN Container?

Akito · July 18, 2022, 2:08pm

The MASQUERADE changes the IP address of the packets to a benign internal Kubernetes IP address, which is not caught by the except block in the NetworkPolicy.

Topic		Replies	Views
Struggling with Network Policy General Discussions network	2	1284	March 15, 2024
Kubernetes network policy not getting applied General Discussions	1	616	September 28, 2018
Network Policy on External IPs services General Discussions network	1	107	March 22, 2024
Ingress Network Policy General Discussions	2	377	August 22, 2023
Seeking Simplified Approaches for Common Kubernetes Network Policy Use Cases General Discussions	0	87	March 17, 2024

Network Policy not applied to OpenVPN Container?

Related Topics