Mock test 3, question 5, For me it is unclear of which traffic the question is a . . .

Mayur Sharma:
Okay, got you! And I would try the scenario in some other environment/lab with the same netpol.

Vijin Palazhi:
Sure. Just make sure that the environment (if it's a lab) has weave installed. Most of our labs use flannel, which does not support network policy.

Mayur Sharma:
Yeah, sure!

Mayur Sharma:
@Vijin Palazhi You were right, solution is limiting access to default namespace only. Maybe because of weave error netpol is not coming into picture and giving wrong result.

I tested on AWS server, traffic is blocked from other ns

ubuntu@ip-10-0-128-5:~$ kubectl -n other run temp --image=busybox --rm -it --restart=Never -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # nc -z -v -w 2 np-test-service 80
nc: bad address 'np-test-service'
/ # wget -O- http://np-test-service:80
wget: bad address 'np-test-service:80'
/ # exit
pod "temp" deleted
pod other/temp terminated (Error)
ubuntu@ip-10-0-128-5:~$  

Vijin Palazhi:
Yes - that is the expected result. We will be upgrading our labs with netpol specific questions soon to the new platform so hopefully this particular issue should be resolved soon.

SaidBen:
@Vijin Palazhi quick question pls, will this updated netpol allow traffic from ALL namespaces right?

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-nptest
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector: {}
    ports:
    - protocol: TCP
      port: 80

Hinodeya:
@SaidBen yes man :wink: