amazon-network-policy-controller-k8s
IP address (CIDR) exceptions in one rule affect other rules
I have a use case that I want to allow DNS port 53 to any IP address, but I want to restrict all other ports to only non-private IP addresses. I have the following policy which works fine using Calico. Switching to the AWS EKS VPC CNI addon, this policy no longer works. The second rule restricts the first rule so that DNS can no longer be accessed in the private network ranges.
```yaml
egress:
# Rule 1: DNS (TCP/UDP 53) to any destination
- ports:
  - port: 53
    protocol: TCP
  - port: 53
    protocol: UDP
  to:
  - ipBlock:
      cidr: 0.0.0.0/0
# Rule 2: any port, but only to non-private destinations
- to:
  - ipBlock:
      cidr: 0.0.0.0/0
      except:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
```
This behavior conflicts with the Kubernetes documentation which states that:
> Network policies do not conflict; they are additive. If any policy or policies apply to a given pod for a given direction, the connections allowed in that direction from that pod is the union of what the applicable policies allow.
https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-two-sorts-of-pod-isolation
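A small reference evaluator for the additive egress semantics quoted above, run over the two rules from this issue. This is an added example, not code from the issue or from the controller; the rule transcription and the destination addresses (TEST-NET documentation ranges plus private addresses) are constructed for illustration, and it models only `ipBlock` peers, not `podSelector`/`namespaceSelector`.

```python
"""Evaluate the issue's egress rules under the documented 'union of rules'
semantics, so the expected result can be compared with what a CNI enforces."""
import ipaddress

# Transcription of the issue's two egress rules (constructed Python form).
# ports=None means the `ports` key is absent, i.e. any port and protocol.
EGRESS_RULES = [
    {"ports": [("TCP", 53), ("UDP", 53)],
     "to": [{"cidr": "0.0.0.0/0", "except": []}]},
    {"ports": None,
     "to": [{"cidr": "0.0.0.0/0",
             "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}]},
]


def ip_block_matches(block, ip):
    """ipBlock semantics: address inside cidr and not inside any except range."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))


def rule_allows(rule, ip, protocol, port):
    """One rule allows a flow when some `to` peer matches (absent `to` = any
    destination) and, if `ports` is present, some port entry matches."""
    peers = rule.get("to")
    peer_ok = peers is None or any(ip_block_matches(b, ip) for b in peers)
    ports = rule.get("ports")
    port_ok = ports is None or (protocol, port) in ports
    return peer_ok and port_ok


def egress_allowed(rules, ip, protocol, port):
    """Rules are additive: the flow is allowed if ANY single rule allows it.
    The `except` list of rule 2 therefore never narrows rule 1."""
    return any(rule_allows(r, ip, protocol, port) for r in rules)


def expected_matrix(rules=EGRESS_RULES):
    """The flows the issue cares about, evaluated per the Kubernetes docs."""
    return {
        "dns_private": egress_allowed(rules, "10.0.0.2", "UDP", 53),
        "dns_public": egress_allowed(rules, "198.51.100.53", "UDP", 53),
        "https_private": egress_allowed(rules, "192.168.1.10", "TCP", 443),
        "https_public": egress_allowed(rules, "203.0.113.10", "TCP", 443),
    }


if __name__ == "__main__":
    for flow, allowed in expected_matrix().items():
        print(f"{flow}: {'allowed' if allowed else 'denied'}")
```

Under the documented semantics `dns_private` is allowed; a CNI that denies it is applying rule 2's `except` list to rule 1's DNS traffic.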