
Pods keep crashing if you have a deny-all network policy in place

Open gurunathsane opened this issue 4 years ago • 0 comments

Describe the bug: If your namespace has a deny-all network policy in place, pods keep crashing. If the chart has the option to enable networking, it should set the correct network policies:

  • The chart has ingress settings for CouchDB pod-to-pod communication but does not allow egress
  • Readiness and liveness probes fail because the pod cannot communicate with kube-dns (because of the deny-all policy)

I think it's standard practice to have a deny-all traffic policy; maybe other users have faced similar problems before.

Version of Helm and Kubernetes: Helm version: v3.2.1, k8s version: 1.18

What happened: The chart does not set correct network policies, as described above.

What you expected to happen: The chart should set correct network policies, keeping in mind that the cluster already has a deny-all policy set.

How to reproduce it (as minimally and precisely as possible): Create a deny-all network policy and try to install the chart. Pods keep crashing because the readiness probe fails.

Anything else we need to know: I have a fix :P It should include these policies, based on some flag maybe:

apiVersion: networking.k8s.io/v1   # extensions/v1beta1 NetworkPolicy was removed in Kubernetes 1.16
kind: NetworkPolicy
metadata:
  name: allow-egress-to-kube-dns
spec:
  # Let the CouchDB pods resolve names via kube-dns in the kube-system namespace
  egress:
  - ports:
    - port: 53
      protocol: UDP
    to:
    - namespaceSelector:
        matchLabels:
          kube-system: "true"
  podSelector:
    matchLabels:
      app: couchdb
      release: aptrack-db
  policyTypes:
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-pod-to-pod
  namespace: aptrack-db-int
spec:
  egress:
  - ports:
    - port: 5984
      protocol: TCP
  - ports:
    - port: 9100
      protocol: TCP
    - port: 4369
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app: couchdb
          release: aptrack-db
  # podSelector must appear exactly once per spec (a duplicate mapping key is rejected)
  podSelector:
    matchLabels:
      app: couchdb
      release: aptrack-db
  ingress:
  - ports:
    - port: 5984
      protocol: TCP
  - from:
    - podSelector:
        matchLabels:
          app: couchdb
          release: aptrack-db
    ports:
    - port: 9100
      protocol: TCP
    - port: 4369
      protocol: TCP
  policyTypes:
  - Ingress
  - Egress

gurunathsane avatar Jan 28 '21 16:01 gurunathsane
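An added example, not code from the couchdb-helm chart or from the issue author: a small Python evaluator of NetworkPolicy egress semantics (matchLabels selectors only, no ipBlock) that checks whether the proposed allow-egress-to-kube-dns policy lets the CouchDB pod reach kube-dns once a deny-all policy is in place. The namespace aptrack-db-int and the `kube-system: "true"` namespace label come from the YAML above; the kube-dns pod labels are an assumption.

```python
def selector_matches(selector, labels):
    """matchLabels-only selector; a missing or empty selector matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_matches(peer, src_ns, dst):
    """Does one egress 'to' peer cover the destination pod?"""
    if "ipBlock" in peer:
        return False  # CIDR peers are not modelled in this example
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], dst["ns_labels"]):
            return False
    elif dst["namespace"] != src_ns:
        return False  # a bare podSelector only reaches the policy's own namespace
    return selector_matches(peer.get("podSelector"), dst["pod_labels"])

def port_matches(ports, port, protocol):
    """No 'ports' list means any port; the protocol defaults to TCP."""
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                            for p in ports)

def egress_allowed(policies, src_ns, src_labels, dst, port, protocol):
    """True if the source pod may reach dst on port/protocol under these policies."""
    selecting = []
    for pol in policies:
        spec = pol["spec"]
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if "Egress" in types and selector_matches(spec.get("podSelector"), src_labels):
            selecting.append(spec)
    if not selecting:
        return True  # nothing selects the pod for egress: Kubernetes default-allow
    return any(port_matches(rule.get("ports"), port, protocol)
               and (not rule.get("to") or any(peer_matches(p, src_ns, dst) for p in rule["to"]))
               for spec in selecting for rule in spec.get("egress", []))

# Constructed inputs: a cluster-wide deny-all plus the issue's DNS policy.
DENY_ALL = {"spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
ALLOW_DNS = {"spec": {
    "podSelector": {"matchLabels": {"app": "couchdb", "release": "aptrack-db"}},
    "policyTypes": ["Egress"],
    "egress": [{"ports": [{"port": 53, "protocol": "UDP"}],
                "to": [{"namespaceSelector": {"matchLabels": {"kube-system": "true"}}}]}]}}
COUCH = {"app": "couchdb", "release": "aptrack-db"}
KUBE_DNS = {"namespace": "kube-system", "ns_labels": {"kube-system": "true"},  # assumed labels
            "pod_labels": {"k8s-app": "kube-dns"}}

def dns_reachable(policies, protocol="UDP"):
    """Can the CouchDB pod in namespace aptrack-db-int query kube-dns on port 53?"""
    return egress_allowed(policies, "aptrack-db-int", COUCH, KUBE_DNS, 53, protocol)
```

Against `[DENY_ALL, ALLOW_DNS]` the checker reports UDP/53 allowed but TCP/53 still blocked, so a resolver that retries over TCP for large responses would still fail under the proposed policy.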