I created 2 deployments in the default namespace
/home/asna/YAML::kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx1-6d7876f5d4-f5xnl 1/1 Running 0 3d6h
nginx2-9498d8f59-jmwpw 1/1 Running 0 3d6h
and made their services by exposing them with the service names nginx1 and nginx2
/home/asna/YAML::kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 3d6h
nginx1 ClusterIP 10.100.126.190 <none> 80/TCP 3d6h
nginx2 ClusterIP 10.105.162.165 <none> 80/TCP 3d6h
Also, I set the label of the nginx2 deployment to access=true
/home/asna/YAML::kubectl describe pod nginx2-9498d8f59-jmwpw |grep Lab
Labels: access=true
and then created a network policy for the nginx1 deployment
/home/asna/YAML::kubectl get networkpolicy
NAME POD-SELECTOR AGE
access-nginx app=nginx1 115m
Below is the manifest file for the network policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx1
  policyTypes:
    - Ingress
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              access: "true"
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: "true"
According to the above YAML, traffic can come to "nginx1" from the pod with label access=true and it can receive traffic from pods with label access=true, but when a request is made from nginx2 to nginx1 it gets a successful response
root@nginx2-9498d8f59-jmwpw:/# curl nginx1
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
But when a request is made from nginx1 to nginx2, it does not get anything
root@nginx1-6d7876f5d4-f5xnl:/# curl nginx2
curl: (6) Could not resolve host: nginx2
root@nginx1-6d7876f5d4-f5xnl:/#
So I found a solution on Stack Overflow and did this
kubectl label namespace kube-system networking/namespace=kube-system
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all-egress
spec:
  podSelector: {}
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              networking/namespace: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
  policyTypes:
    - Egress
I applied the above YAML for resolving the DNS, and when I made a request from nginx1 to nginx2 I got a successful response
root@nginx1-6d7876f5d4-f5xnl:/# curl nginx2
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
But after this, when I made a request from nginx2 to nginx1, I did not get any response
root@nginx2-9498d8f59-jmwpw:/# wget --spider --timeout=4 nginx1
Spider mode enabled. Check if remote file exists.
--2024-01-29 13:47:49-- http://nginx1/
Resolving nginx1 (nginx1)... 10.100.126.190
Connecting to nginx1 (nginx1)|10.100.126.190|:80... failed: Connection timed out.
Retrying.
Spider mode enabled. Check if remote file exists.
--2024-01-29 13:47:54-- (try: 2) http://nginx1/
Connecting to nginx1 (nginx1)|10.100.126.190|:80... ^C
root@nginx2-9498d8f59-jmwpw:/#
Why am I not getting a response from nginx1?
For more detail, the output of some commands is given below.
/home/asna/YAML::kubectl describe networkpolicy access-nginx
Name: access-nginx
Namespace: default
Created on: 2024-01-29 16:45:38 +0500 PKT
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=nginx1
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
PodSelector: access=true
Allowing egress traffic:
To Port: <any> (traffic allowed to all ports)
To:
PodSelector: access=true
Policy Types: Ingress, Egress
/home/asna/YAML::kubectl describe pod nginx1-6d7876f5d4-f5xnl
Name: nginx1-6d7876f5d4-f5xnl
Namespace: default
Priority: 0
Service Account: default
Node: minikube/192.168.49.2
Start Time: Fri, 26 Jan 2024 11:51:38 +0500
Labels: app=nginx1
pod-template-hash=6d7876f5d4
/home/asna/YAML::kubectl describe pod nginx2-9498d8f59-jmwpw
Name: nginx2-9498d8f59-jmwpw
Namespace: default
Priority: 0
Service Account: default
Node: minikube/192.168.49.2
Start Time: Fri, 26 Jan 2024 11:52:14 +0500
Labels: access=true
/home/asna/YAML::kubectl describe networkpolicy default-deny-all-egress
Name: default-deny-all-egress
Namespace: default
Created on: 2024-01-29 18:45:39 +0500 PKT
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Not affecting ingress traffic
Allowing egress traffic:
To Port: 53/TCP
To Port: 53/UDP
To:
NamespaceSelector: networking/namespace=kube-system
PodSelector: k8s-app=kube-dns
Policy Types: Egress
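As an added example (not part of the question above), the following small model of NetworkPolicy semantics, with the two manifests from the question encoded as data, evaluates the flows the question exercises under each policy set. The rule it implements is the documented one: a pod becomes isolated in a direction as soon as any policy with that policyType selects it, after which a flow needs a matching rule in at least one selecting policy, and a flow must pass the source's egress check and the destination's ingress check. Assumed: the kube-dns pod carries the usual label k8s-app=kube-dns, and the pod names are illustrative.

```python
from collections import namedtuple

# Namespace labels: kube-system was labelled exactly as in the question; default carries none.
NS_LABELS = {"default": {}, "kube-system": {"networking/namespace": "kube-system"}}
Pod = namedtuple("Pod", "name ns labels")
# A rule is (peers, ports): peers = [(namespaceSelector or None, podSelector or None)],
# ports = [(port, proto)] where [] means any port.  pod_sel {} selects every pod in ns.
Policy = namedtuple("Policy", "ns pod_sel types ingress egress", defaults=([], []))

def matches(sel, labels):
    return all(labels.get(k) == v for k, v in sel.items())

def peer_ok(pol, ns_sel, pod_sel, peer):
    # A peer without namespaceSelector means pods in the policy's own namespace.
    ns_ok = peer.ns == pol.ns if ns_sel is None else matches(ns_sel, NS_LABELS.get(peer.ns, {}))
    return ns_ok and (pod_sel is None or matches(pod_sel, peer.labels))

def direction_ok(policies, pod, kind, peer, port, proto):
    # Once any policy with this policyType selects the pod it is isolated in that direction;
    # traffic then needs a matching rule in at least one selecting policy (rules are additive).
    selecting = [p for p in policies
                 if p.ns == pod.ns and kind in p.types and matches(p.pod_sel, pod.labels)]
    if not selecting:
        return True
    for p in selecting:
        for peers, ports in (p.egress if kind == "Egress" else p.ingress):
            if ports and (port, proto) not in ports:
                continue
            if any(peer_ok(p, n, s, peer) for n, s in peers):
                return True
    return False

def allowed(policies, src, dst, port, proto="TCP"):
    """A flow must pass the source's egress policies and the destination's ingress policies."""
    return (direction_ok(policies, src, "Egress", dst, port, proto)
            and direction_ok(policies, dst, "Ingress", src, port, proto))

# The pods and policies from the question (kube-dns label is assumed to be the usual one).
NGINX1 = Pod("nginx1", "default", {"app": "nginx1"})
NGINX2 = Pod("nginx2", "default", {"access": "true"})
DNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})
ACCESS_NGINX = Policy("default", {"app": "nginx1"}, ("Ingress", "Egress"),
                      ingress=[([(None, {"access": "true"})], [])],
                      egress=[([(None, {"access": "true"})], [])])
DENY_EGRESS = Policy("default", {}, ("Egress",), egress=[(
    [({"networking/namespace": "kube-system"}, {"k8s-app": "kube-dns"})],
    [(53, "TCP"), (53, "UDP")])])

def flows(policies):
    return {"nginx2->nginx1:80": allowed(policies, NGINX2, NGINX1, 80),
            "nginx1->kube-dns:53": allowed(policies, NGINX1, DNS, 53, "UDP"),
            "nginx1->nginx2:80": allowed(policies, NGINX1, NGINX2, 80)}
```

Running flows([ACCESS_NGINX]) and flows([ACCESS_NGINX, DENY_EGRESS]) reproduces both observations in the question: with only access-nginx, nginx1 cannot reach kube-dns (the "Could not resolve host" result), and once default-deny-all-egress selects every pod in the namespace, nginx2 keeps DNS but has no egress rule for port 80, so the name resolves and the connection times out.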