Network Policy restricts ingress controller

[mrpanigale]

I am unable to define a network policy that allows an ingress controller

Example:

Pod in namespace A

Ingress controller in namespace kube-system

Policy:

kind: NetworkPolicy

apiVersion: networking.k8s.io/v1

metadata:

  name: access-microservices

spec:

  podSelector:

    matchLabels:

      tier: microservices

  ingress:

  - from:

    - podSelector:

        matchLabels:

          tier: microservices

    - podSelector:

        matchLabels:

          tier: gateway

    - podSelector:

        matchLabels:

          tier: tools

    - namespaceSelector:

        matchLabels:

          tier: ingress

I have tested this with the following ingress controllers attaching the label "tier: ingress":

- zlabjp/nghttpx-ingress-controller:v0.24.0

- gcr.io/google_containers/nginx-ingress-controller:0.8.3

Ingress is only working for containers that do match a network policy restriction, for example my envoy gateway.

I need ingress a pod as my gateway does not support http 1.1 websockets

My setup is a 1.7, canal enabled, self hosted, muti-node, bootkube initialized coreos-cluster

Anyone else got this working?

[i...@ciklum.com]

Hi! Did you manage to fix that? I'm facing the same issue now.

[andrew...@brainloop.com]

Hi,

I was not able to make any progress here. I have to disable the network policy for services that should be reached by the ingress controller as a workaround.

kind regards,

Andrew

[Igor Cicimov]

This is missing `namespace:` in metadata

[mrpanigale]

When editing an already published network policy the namespace field is automatically populated.

[Mark NS]

Hi,

I also seem to be unable to configure a network policy to allow pod ingress only from an nginx ingress-controller

Here is what I did (GKE 1.8.8-gke.0):

$ kubectl run web --image=gcr.io/google-samples/hello-app:1.0 --port=8080
$ kubectl expose deployment web --target-port=8080 --type=NodePort
$ helm install stable/nginx-ingress --name nginx-ingress --namespace kube-system --set rbac.create=true

$ cat <<'EOF' | kubectl create -f -

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

  annotations:

    kubernetes.io/ingress.class: nginx

    name: basic-ingress

  namespace: default

spec:

  backend:

    serviceName: web

    servicePort: 8080

EOF

$ cat <<'EOF' | kubectl create -f -
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: web-np
  namespace: default
spec:
  policyTypes:
  - Ingress
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: kube-system

    ports:

    - protocol: TCP

      port: 8080

EOF

I think this should allow a connection from the nginx-controller running in kube-system namespace to the "web" pod running in default. However that's not successful:

$ curl x.y.z:80
<html>
<head><title>504 Gateway Time-out</title></head>
<body bgcolor="white">
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.13.5</center>
</body>
</html>      

   

However, if I open the network policy to allow all traffic

  podSelector: {}
  ingress:
    - {}

then I can successfully connect to the pod:

$ curl x.y.z:80
Hello, world!
Version: 1.0.0
Hostname: web-6498765b79-b6866

Also want to note that I've had a similar issue with the Istio ingress controller: 

Is it possible to restrict ingress traffic to only the ingress controller? 

Thanks,

Mark

[Mark NS]

Gah, I could kick myself! 

I was expecting that 

  - from:
    - namespaceSelector:
        matchLabels:
          name: kube-system

would match 

kind: Namespace
metadata:
  name: kube-system

Which of course it won't... only when the label name: kube-system is applied

kind: Namespace
metadata:
  name: kube-system
  labels:
    name: kube-system

Apologies for hijacking the thread, now to go and see if I can get this working with the istio-ingress after all!

[mrpanigale]

I also made the same incorrect assumptions. Thanks for identifying it, I will also give it a try.

many kind regards,

Andrew

[Ahmet Alp Balkan]

I also find it very interesting that Network Policy API requires namespaces to be labeled, rather than working with namespace names directly.

I wonder who out there is actively labeling their namespaces, but it sounds like a good practice and a good use case for labels.

I have some off the shelf network policy recipes at https://github.com/ahmetb/kubernetes-network-policy-recipes if you're interested in getting things working through examples.

--
You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-use...@googlegroups.com.
To post to this group, send email to kubernet...@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.

[mrpanigale]

This I think was the wrong assumption I also made. A attacked this problem mainly from another angle because I was trying to template this all in Helm keeping things namespace generic.