Kubernetes NetworkPolicy: Blocks all egress though no blocks are specified

Question

I have a service that I want to be able to access the internet and noother pods. However, ALL egress rules seem to block all egress.

# No NetworkPolicies
kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com'

With no NetworkPolicy my pod can access the internet. Next I make a Networkpolicy that allows egress to all IP-addresses.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: mytestnamespace
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0

But now curl can no longer access the internet, but WHY??????

With NetworkPolicies allowing Egress to all IPs!

kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com'

Why does this NetworkPolicy block all egress? Makes no sense!

Answer 1

It turns out that despite opening up to all IP-addresses, the networkpolicy does not allow egress to the DNS pod, which is in another namespace.

# Identifying DNS pod
kubectl get pods -A | grep dns

# Identifying DNS pod label
kubectl describe pods -n kube-system coredns-64cfd66f7-rzgwk

Next I add the dns label to the egress policy:

# network_policy.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-all
  namespace: mytestnamespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: "0.0.0.0/0"
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: "kube-system"
    - podSelector:
        matchLabels:
          k8s-app: "kube-dns"

I apply the network policy and test the curl calls:

# Setting up policy
kubectl apply -f network_policy.yaml

# Testing curl call
kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com'

SUCCESS! Now I can make egress calls, next I just have to block the appropriate IP-addresses in the private network.

Answer 2

The reason is, curl attempts to form a 2-way TCP connection with the HTTP server at www.google.com. This means, both egress and ingress traffic need to be allowed on your policy. Currently, only out-bound traffic is allowed. Maybe, you'll be able to see this in more detail if you ran curl in verbose mode:

kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com' -v

You can then see the communication back and forth marked by arrows > (out-going) and < (in-coming). You'll notice only > arrows will be listed and no < traffic will be shown.

Note: If you do something simpler like ping google.com it might work, since this is a simple state-less communication.

In order to have this, you can simply add an allow-all ingress rule to your policy like:

ingress:
  - {}

Also, there's a simpler way to allow all egress traffic simply as:

egress:
  - {}

I hope this helps. You can read more about policies here.