Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to check if network policy have been applied to pod?

Tags:

kubernetes

google-kubernetes-engine

gke-networking

kubernetes-networkpolicy

I'm trying to restrict to my openvpn to allow accessing internal infrastructure and limit it only by 'develop' namespace, so I started with simple policy that denies all egress traffic and see no effect or any feedback from cluster that it was applied, I've read all docs both official and not and didn't find a solution, here is my policy:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: policy-openvpn
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: openvpn
  policyTypes:
  - Egress
  egress: []

I've applied network policy above with kubectl apply -f policy.yaml command, but I don't see any effect of this policy, I'm still able to connect to anything from my openvpn pod, how to debug this and see what's wrong with my policy?

It seems like a black-box for me and what can do only is try-error method, which seems not how it should work.

How can I validate that it finds pods and applies policy to them?

I'm using latest kubernetes cluster provided by GKE

I noticed that I didn't check 'use networkpolicy' in google cloud settings and after I checked my vpn just stopped worked, but I don't know how to check it, or why vpn just allows me to connect and blocks all network requests, very strange, is there a way to debug is instead of randomly changing stuff?

like image 354
animekun Avatar asked Feb 22 '19 12:02

animekun

People also ask

How do I check my Kubernetes network policy?

Start a Kubernetes cluster on your laptop The easiest way to test network policies is to start a single or multi node CNCF certified K8s cluster in Vagran, using the Banzai Cloud's PKE - default installation uses the Weave network plugin, so supports NetworkPolicy out-of-the-box.

Are Kubernetes network policies Namespaced?

The Kubernetes Network Policy API supports the following features: Policies are namespace scoped. Policies are applied to pods using label selectors. Policy rules can specify the traffic that is allowed to/from pods, namespaces, or CIDRs.

1 Answers

Debug with the netcat(nc):

$ kubectl exec <openvpnpod> -- nc -zv -w 5 <domain> <port>

P.S: To deny all egress traffic, do not need to declare the spec.egress key as an empty array, however it affects same:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: policy-openvpn
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: openvpn
  policyTypes:
  - Egress

ref: https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/network-policy-v1/

  • egress ([]NetworkPolicyEgressRule) ... If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). ...
like image 68
홍한석 Avatar answered Sep 18 '22 09:09

홍한석
Sign in to Comment

Related questions

helmfile sync vs helmfile apply
Why minikube needs a VM
Delete key from configmap in Kubernetes
EKS : could not find any suitable subnets for creating the ELB
helm list all installed charts
How to create Kubernetes load balancer on aws
Kubernetes - processing an unlimited number of work-items
nslookup: can't resolve kubernetes.default
Kubernetes: kubectl top nodes/pods not working
How can I view pods with kubectl and filter based on having a status of ImagePullBackOff?
How to reference kubernetes secrets in helm chart?
Managing DB migrations on Kubernetes cluster
helm iterate over range
How to enter a pod as root?
Kubernetes: kubectl run: command not found
GCE Ingress not picking up health check from readiness probe
How to Configure Pod initialization in a specific order in Kubernetes?
service selector vs deployment selector matchlabels
How to list kubernetes services in k9s?
Specify Dockerfile for gcloud build submit

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!