I'm looking to block pod access to the instance metadata service via network policies. The VPC CNI now supports network policies and my cluster uses it (v1.14).
What's perplexing is that blocking all egress traffic with the following policy works but...
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
```
the policy below does not (taken from here). From within the pod, I can still curl to the IP address.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-metadata-access
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
```
Suggestions as to why one works and the other doesn't are welcome.
I tried different policies. As noted before, blocking all egress works, but blocking a particular IP range does not.
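To make the intended semantics of the two policies concrete, here is a small evaluator of NetworkPolicy egress rules (an added example, not code from the question or from the VPC CNI project). It models the spec's `policyTypes`, `egress`, `ipBlock.cidr` and `except` handling for IPv4 destinations, assumes the pod is selected by every policy passed in, and ignores `podSelector`/`namespaceSelector` peers and ports:

```python
"""Evaluate which egress destinations Kubernetes NetworkPolicy ipBlock rules
permit. Models the NetworkPolicy spec (IPv4 only); added example, not from
the question. Selector-based peers and ports are deliberately not modelled."""
import ipaddress

# The two policies from the question, as dicts with the same content as the YAML.
DEFAULT_DENY_EGRESS = {"policyTypes": ["Egress"]}  # no egress rules: deny all
DENY_METADATA_ACCESS = {
    "policyTypes": ["Egress"],
    "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                    "except": ["169.254.169.254/32"]}}]}],
}
# A constructed third policy: an egress rule with no 'to' allows any destination.
ALLOW_ALL_EGRESS = {"policyTypes": ["Egress"], "egress": [{}]}


def ip_block_matches(block, dst):
    """An ipBlock peer matches when dst is inside cidr and in none of the excepts."""
    if dst not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(dst in ipaddress.ip_network(e) for e in block.get("except", []))


def egress_allowed(spec, dst):
    """True if this single policy permits egress from a selected pod to dst."""
    dst = ipaddress.ip_address(dst)
    if "Egress" not in spec.get("policyTypes", []):
        return True  # the policy does not restrict egress at all
    for rule in spec.get("egress", []):
        peers = rule.get("to")
        if not peers:
            return True  # empty/missing 'to' means any destination
        for peer in peers:
            if "ipBlock" in peer and ip_block_matches(peer["ipBlock"], dst):
                return True
    return False  # pod is isolated for egress and no rule matched


def egress_allowed_by_any(policies, dst):
    """Policies selecting a pod are unioned: traffic is allowed if any of them allows it.
    A pod selected by no policy is not isolated, so everything is allowed."""
    if not policies:
        return True
    return any(egress_allowed(p, dst) for p in policies)
```

Because selecting policies are unioned, the `except` only removes the address from that one rule; any other policy (or egress rule) that allows `0.0.0.0/0` re-admits it, so listing all policies that select the pod is a useful first check.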