ahmetb / kubernetes-network-policy-recipes

Example recipes for Kubernetes Network Policies that you can just copy paste


DENY all traffic from other namespaces

raniatriki opened this issue · comments

Hello,

I am trying to deny traffic from pods in other namespaces, but that doesn't work for me!!

I'm using Weave Net as the network plugin and I'm following this document: https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/04-deny-traffic-from-other-namespaces.md

Any help!!

Thank you

@raniatriki as you can imagine, your error report isn't very useful to me.

Please tell more about:

  • what you tried (link to your manifests and policy you deployed) and
  • "what" didn't work, what were you expecting, what happened

Maybe it is a good idea to create an issue template for this awesome repo!

Maybe.

I'm not sure I want this repo to turn into a "network policy support forum". I may therefore actually turn off the issue tracker, and if they think something is broken, they can send a PR.

For now it’s too extreme as I'm not getting too many issues. For the problem above, I'm fairly confident that the policy is correct. So it's either (1) PEBKAC (2) some issue with Weave or its configuration.

@ahmetb I'm trying this network policy YAML file:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: secondary
  name: web-deny-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

Then when I query the web service (that I created before in a namespace called secondary), the traffic from another namespace is not blocked.

Do other policies work fine? (Do you know network policies are working at all in your cluster?)

The policy you pasted blocks traffic to ALL pods in secondary from other namespaces.

I’ve reason to believe Weave is broken.

The following configuration is supposed to select ONLY the pods in the current namespace:

  ingress:
  - from:
    - podSelector: {}

Do you have other network policies that perhaps whitelist this traffic?

I recommend you to file a bug with Weave.

ubuntu@:$ kubectl apply -f web-deny-other-namespaces.yaml
networkpolicy "deny-from-other-namespaces" created
ubuntu@: kubectl run test-$RANDOM --namespace=default --rm -i -t --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.secondary
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ #

@raniatriki what should I understand from your comment? You already said the policy isn't taking effect.

I said "I've reason to believe Weave is broken, I recommend you to file a bug with Weave"

I also asked "Do you have other network policies that perhaps whitelist this traffic?", which you didn't answer.

It works on Calico network plugin. Please follow up with Weave.
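To make the expected behaviour of the posted policy concrete, and to show why the unanswered question about other policies matters, here is an added example (not code from the thread, the recipes repo, or Weave): a small Python model of how NetworkPolicy ingress rules are evaluated. It assumes matchLabels-only selectors, ignores ipBlock, ports and policyTypes, and uses constructed pod and namespace data; `ALLOW_ALL` is a hypothetical second policy, not one the reporter said they had.

```python
# Added example, not from the thread or the recipes repo: a small model of
# NetworkPolicy ingress evaluation (matchLabels only; no ipBlock, ports or
# policyTypes). It shows why the posted policy should block the cross-namespace
# wget, and why any extra allow-all policy in `secondary` re-opens it. Constructed data.

def selector_matches(selector, labels):
    """matchLabels selector; None or {} selects everything."""
    want = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in want.items())

def peer_matches(peer, src, policy_ns, ns_labels):
    """One `from` entry: podSelector alone is scoped to the policy's own
    namespace; namespaceSelector spans namespaces; both together are ANDed."""
    if "ipBlock" in peer:
        return False  # CIDR peers are not modelled here
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"],
                                ns_labels.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return selector_matches(peer.get("podSelector"), src["labels"])

def ingress_allowed(policies, src, dst, ns_labels):
    """True if traffic from pod src to pod dst is admitted."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and selector_matches(p["spec"].get("podSelector"), dst["labels"])]
    if not selecting:
        return True  # dst is selected by no policy, so it is not isolated
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if not rule.get("from"):
                return True  # a rule with no `from` admits every source
            if any(peer_matches(peer, src, dst["namespace"], ns_labels)
                   for peer in rule["from"]):
                return True
    return False  # isolated and no rule matched: policies are additive allows

# The policy posted in the thread, as a dict (matchLabels left empty as posted).
DENY_OTHER_NS = {"metadata": {"namespace": "secondary", "name": "web-deny-other-namespaces"},
                 "spec": {"podSelector": {"matchLabels": None},
                          "ingress": [{"from": [{"podSelector": {}}]}]}}
# Hypothetical extra policy that would whitelist everything in `secondary`.
ALLOW_ALL = {"metadata": {"namespace": "secondary", "name": "allow-all"},
             "spec": {"podSelector": {}, "ingress": [{}]}}
WEB = {"namespace": "secondary", "labels": {"app": "web"}}
NS_LABELS = {"default": {}, "secondary": {}}  # constructed namespace labels

def allowed_from(ns, policies=(DENY_OTHER_NS,)):  # label-less test pod in ns -> web
    return ingress_allowed(policies, {"namespace": ns, "labels": {}}, WEB, NS_LABELS)
```

With only the posted policy, `allowed_from("default")` is False and `allowed_from("secondary")` is True; adding `ALLOW_ALL` to the policy list makes the cross-namespace request succeed again, which is exactly the "other policies that whitelist this traffic" case asked about above.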