Hi,
I’m attempting to implement a network policy to permit access from external networks. I’ve configured a service with External IPs to route all traffic to those IPs to the internal pod locations. However, when I apply the network policy to restrict access to only certain IPs, it appears that the policy is applied to the node where the real pod is located, rather than to those external IPs. As a result, the policy does not seem to take effect. Is this a bug, or is there a solution to address this issue?
Thank you.
service.yaml

apiVersion: v1
kind: Service
metadata:
  labels:
    app: myapp
spec:
  externalIPs:
    - n.n.n.n
  ports:
    ....
network.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-access
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            # cidr must be in CIDR notation (a single address is written as x.x.x.x/32)
            cidr: "x.x.x.x"
No iptables rules are found on the node with n.n.n.n:
$ sudo iptables -S | grep restrict
$
but they can be found on the node running the pod:
$ sudo iptables -S | grep restrict
-A cali-pi-_xxxx -s x.x.x.x -m comment --comment "Policy ...restrict-access ingress" -j MARK --set-xmark 0x10000/0x10000