I've been trying to implement a network policy on my cluster (k8s bare-metal) and no policies seem to be implemented on pods running on cluster nodes, only on pods running directly on the master.
What I've tried:
- A single namespace with a master+node and calico CNI with calicoctl with k8s datastore (I can see the calico/calicoctl containers running on both nodes)
- Both networkPolicy types (networking.k8s.io/v1 & projectcalico.org/v3)
- Applying a simple deny any ingress/egress policy and testing ping to 8.8.8.8 (pod on master gets blocked, pods on other nodes can still ping)
Appreciate your help
Found the problem was with the deployment, where I had used 'hostNetwork', which uses a subnet that is not part of the pod network (and which Calico is thus unaware of).
Removing the 'hostNetwork: true' param made the container get a suitable IP, and network policies were applied to it.
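An added audit check, not part of the original thread, for the failure mode described above: it takes the JSON shape of `kubectl get pods -A -o json` and `kubectl get networkpolicy -A -o json` and reports pods running with `hostNetwork: true` that a NetworkPolicy in their namespace would otherwise select (the sample data is constructed, not captured from a real cluster, and only `matchLabels` selectors are handled).

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` and
# `kubectl get networkpolicy -A -o json`; not captured from a real cluster.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"namespace": "app", "name": "web-0", "labels": {"app": "web"}},
   "spec": {"hostNetwork": true, "nodeName": "node-1"}},
  {"metadata": {"namespace": "app", "name": "web-1", "labels": {"app": "web"}},
   "spec": {"nodeName": "master"}},
  {"metadata": {"namespace": "kube-system", "name": "calico-node-x",
                "labels": {"k8s-app": "calico-node"}},
   "spec": {"hostNetwork": true, "nodeName": "node-1"}}
]}""")
SAMPLE_POLICIES = json.loads("""
{"items": [
  {"metadata": {"namespace": "app", "name": "deny-all"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
]}""")


def selector_matches(selector, labels):
    """True when a podSelector (matchLabels only) selects a pod with these labels.
    An empty selector selects every pod in the namespace."""
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def unenforced_pods(pods, policies):
    """Return (namespace, pod, node, [policy names]) for pods running with
    hostNetwork: true that a NetworkPolicy in their namespace selects.
    Such pods use the node's interface and IP rather than a pod-network IP,
    so the CNI (Calico here) does not apply the policy to their traffic."""
    findings = []
    for pod in pods["items"]:
        spec, meta = pod["spec"], pod["metadata"]
        if not spec.get("hostNetwork"):
            continue
        ns, labels = meta["namespace"], meta.get("labels", {})
        matching = [p["metadata"]["name"] for p in policies["items"]
                    if p["metadata"]["namespace"] == ns
                    and selector_matches(p["spec"].get("podSelector"), labels)]
        if matching:
            findings.append((ns, meta["name"], spec.get("nodeName", "?"), matching))
    return findings


if __name__ == "__main__":
    for ns, name, node, pols in unenforced_pods(SAMPLE_PODS, SAMPLE_POLICIES):
        print(f"{ns}/{name} on {node} uses hostNetwork; policies {pols} do not apply")
```

Pipe real `kubectl ... -o json` output into `json.load` in place of the sample dicts to run it against a cluster; the `calico-node` pod is expected to use hostNetwork and is only reported if a policy in its namespace selects it.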