Basavraj Nilkanthe:
Hello Team, while exploring more on network policy, I can restrict access on a specific port of the container in the network policy, and this pod is exposed on a specific service port, where the container port and the service port are different… I can access this pod's container via the service port and it works… However, if we restrict the pod to a specific port, how can we access that application via the (different) service port?… As per the network policy restriction, we can add the container port, not the service port…

kubectl run --generator=run-pod/v1 apiserver --image=ahmet/app-on-two-ports --labels=app=apiserver

kubectl create service clusterip apiserver \
    --tcp 8001:8000 \
    --tcp 5001:5000

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: api-allow-5000
spec:
  podSelector:
    matchLabels:
      app: apiserver
  ingress:
  - ports:
    - port: 5000
    from:
    - podSelector:
        matchLabels:
          role: monitoring

$ kubectl run --generator=run-pod/v1 test-$RANDOM --labels=role=monitoring --rm -i -t --image=alpine -- sh
/ # wget -qO- --timeout=2 http://apiserver:8001
wget: download timed out

/ # wget -qO- --timeout=2 http://apiserver:5001/metrics
http.requests=3
go.goroutines=5
go.cpus=1

Nitin:
Hey @Basavraj Nilkanthe, my 2 cents:

You are accessing service port 5001 through a temporary pod, and the iptables rule forwards the call to port 5000, so eventually the request is evaluated on the destination container as per the netpol; since the request is coming from a source container that has the desired labels, you get a positive response…

I believe that even if you try to access the pod port, i.e. 5000, directly through the temp pod, it will give you a response.

Also, you are able to access the service port from the temp pod because the service was not bound in the netpol…

I hope this helps