Yanhua Li:
Quick question on Mock Exam 5.
We have deployed a new pod called np-test-1 and a service called np-test-service. Incoming connections to this service are not working. Troubleshoot and fix it.
Create a NetworkPolicy by the name ingress-to-nptest that allows incoming connections to the service over port 80.
Important: Don’t delete any current objects deployed.
controlplane $ kubectl describe networkpolicy ingress-to-nptest
Name: ingress-to-nptest
Namespace: default
Created on: 2021-03-14 18:23:46 +0000 UTC
Labels: <none>
Annotations:
Spec:
PodSelector: run=np-test-1
Allowing ingress traffic:
To Port: 80/TCP
From: <any> (traffic not restricted by source)
Not affecting egress traffic
Policy Types: Ingress
controlplane $
But when I tried to test the policy, I don’t see the service available on port 80 from test pod.
controlplane $ kubectl run test --image busybox -it --rm --restart=Never -- nslookup np-test-service
If you don’t see a command prompt, try pressing enter.
*** Can't find np-test-service.svc.cluster.local: No answer
*** Can't find np-test-service.cluster.local: No answer
*** Can't find np-test-service.default.svc.cluster.local: No answer
*** Can't find np-test-service.svc.cluster.local: No answer
*** Can't find np-test-service.cluster.local: No answer
pod "test" deleted
pod default/test terminated (Error)
controlplane $ ^C
controlplane $ kubectl run test --image busybox -it --rm --restart=Never -- telnet 10.40.0.2 80
If you don’t see a command prompt, try pressing enter.
Connection closed by foreign host
pod "test" deleted
pod default/test terminated (Error)
Please let me know if I am wrong in the policy definition or the test of the service.
Mohamed Ayman:
Port 53 is used to be able to reach the service using a service name instead of an IP. Try to use the FQDN for the pod.
Mohamed Ayman:
Check the following:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-nptest
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
    ports:
    - protocol: TCP
      port: 80
  - ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
Yanhua Li:
Hi MAyman, with an empty podSelector for the first ingress rule, it will deny any pod from accessing this np-test-1 pod.
Yanhua Li:
controlplane $ kubectl describe networkpolicy ingress-to-nptest
Name: ingress-to-nptest
Namespace: default
Created on: 2021-03-14 20:17:04 +0000 UTC
Labels: <none>
Annotations:
Spec:
PodSelector: run=np-test-1
Allowing ingress traffic:
To Port: 80/TCP
From:
PodSelector: <none>
----------
To Port: 53/TCP
To Port: 53/UDP
From: <any> (traffic not restricted by source)
Not affecting egress traffic
Policy Types: Ingress
Yanhua Li:
Now I am on the tsadminserver
What I did is below, to allow all pods to access port 80 on the pod matching label "run=np-test-1":
ingress:
Yanhua Li:
Hi @Mohamed Ayman, it seems I have the right policy. It is just that "telnet np-test-service 80" doesn't work on a busybox:1.28 test pod. But using "nc -z -n -w 4 np-test-service 80" and "nc -z -n -w 4 IPOFSERVICE 80" do work after sh-ing into the test pod. The question to me is why telnet to port 80 is not working.
Manikanta Reddy Buchi:
The latest busybox image has issues. Here is the reference:
https://github.com/docker-library/busybox/issues/48
From the documentation https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/
you can use the dnsutils image for DNS-related debugging.
I have faced the same issue in Mock Exam 2 and found only the busybox:1.28 version working.