CKAD-exercises
[HELP] Network policy not working [Services and Networking]
In the last question of "Services and Networking":
Network policy seems not to be working. I am able to get responses for both the busybox commands:
controlplane $ kubectl get po --show-labels
NAME READY STATUS RESTARTS AGE LABELS
nginx-f89759699-hdd27 1/1 Running 0 16m app=nginx,pod-template-hash=f89759699
nginx-f89759699-pcgbq 1/1 Running 0 16m app=nginx,pod-template-hash=f89759699
controlplane $ cat npolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  # policyTypes:
  # - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: granted
Network policy created
controlplane $ kubectl get netpol -o wide
NAME POD-SELECTOR AGE
test-network-policy app=nginx 9m26s
controlplane $ kubectl run busybox --image=busybox --rm -it --restart=Never -- wget http://nginx:80 --timeout 2
Connecting to nginx:80 (10.109.201.22:80)
saving to 'index.html'
index.html 100% |********************************| 612 0:00:00 ETA
'index.html' saved
pod "busybox" deleted
controlplane $ kubectl run busybox --image=busybox --rm -it --restart=Never --labels=access=granted -- wget http://nginx:80 --timeout 2
Connecting to nginx:80 (10.109.201.22:80)
saving to 'index.html'
index.html 100% |********************************| 612 0:00:00 ETA
'index.html' saved
pod "busybox" deleted
controlplane $
controlplane $ kubectl run busybox --image=busybox --rm -it --restart=Never --labels=app=db -- wget http://nginx:80 --timeout 2
Connecting to nginx:80 (10.109.201.22:80)
saving to 'index.html'
index.html 100% |********************************| 612 0:00:00 ETA
'index.html' saved
pod "busybox" deleted
controlplane $
Can you identify what is missing here? TIA
I am having this same problem as well, where both commands are returning responses.
Not sure if it's relevant but I am using minikube, so maybe the prerequisites aren't being met?
Network Policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2021-08-31T20:58:43Z"
  generation: 1
  name: access-nginx
  namespace: default
  resourceVersion: "25089"
  uid: 37b0087e-4d65-4ad2-8b39-27c391068173
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: granted
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
service:
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2021-08-31T20:51:48Z"
  labels:
    app: nginx
  name: nginx
  namespace: default
  resourceVersion: "24761"
  uid: 88635026-b066-4891-8247-d6a2d59beaf2
spec:
  clusterIP: 10.96.54.89
  clusterIPs:
  - 10.96.54.89
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2021-08-31T20:51:39Z"
  generation: 1
  labels:
    app: nginx
  name: nginx
  namespace: default
  resourceVersion: "24755"
  uid: 051428ca-3964-4872-9e17-fc2559e72dd7
spec:
  progressDeadlineSeconds: 600
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: nginx
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: nginx
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 2
  conditions:
  - lastTransitionTime: "2021-08-31T20:51:41Z"
    lastUpdateTime: "2021-08-31T20:51:41Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2021-08-31T20:51:39Z"
    lastUpdateTime: "2021-08-31T20:51:41Z"
    message: ReplicaSet "nginx-6799fc88d8" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 2
  replicas: 2
  updatedReplicas: 2
output of kubectl get pods --show-labels
nginx-6799fc88d8-5srqt 1/1 Running 0 10m app=nginx,pod-template-hash=6799fc88d8
nginx-6799fc88d8-qdlcf 1/1 Running 0 10m app=nginx,pod-template-hash=6799fc88d8
output of kubectl run busybox --image=busybox --rm -it --restart=Never -- wget -O- http://nginx:80 --timeout 2
Connecting to nginx:80 (10.96.54.89:80)
writing to stdout
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
- 100% |********************************| 612 0:00:00 ETA
written to stdout
pod "busybox" deleted
output of kubectl run busybox --image=busybox --rm -it --restart=Never --labels=access=granted -- wget -O- http://nginx:80 --timeout 2
Connecting to nginx:80 (10.96.54.89:80)
writing to stdout
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
- 100% |********************************| 612 0:00:00 ETA
written to stdout
pod "busybox" deleted
I followed https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/ and was able to get it to work properly. @pkb2 is your cluster set up to allow network policies?
I will check.
aqua@DESKTOP:~/e$ kubectl create deployment nginx --image=nginx --replicas=2
deployment.apps/nginx created
aqua@DESKTOP:~/e$ kubectl expose deployment nginx --port=80
service/nginx exposed
aqua@DESKTOP:~/e$ kubectl describe svc nginx
Name: nginx
Namespace: default
Labels: app=nginx
Annotations: <none>
Selector: app=nginx
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.106.133.1
IPs: 10.106.133.1
Port: <unset> 80/TCP
TargetPort: 80/TCP
Endpoints: 10.1.0.151:80,10.1.0.152:80
Session Affinity: None
Events: <none>
aqua@DESKTOP:~/e$ kubectl get svc nginx -o yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2021-09-23T03:34:29Z"
  labels:
    app: nginx
  name: nginx
  namespace: default
  resourceVersion: "1154387"
  uid: ae4bd01c-c979-443e-a216-e3fc9c0696a0
spec:
  clusterIP: 10.106.133.1
  clusterIPs:
  - 10.106.133.1
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
aqua@DESKTOP:~/e$ nano policy.yaml
aqua@DESKTOP:~/e$ kubectl create -f policy.yaml
networkpolicy.networking.k8s.io/access-nginx created
aqua@DESKTOP:~/e$ kubectl run busybox --image=busybox --rm -it --restart=Never -- wget -O- http://nginx:80 --timeout 2
Connecting to nginx:80 (10.106.133.1:80)
writing to stdout
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
- 100% |********************************| 615 0:00:00 ETA
written to stdout
pod "busybox" deleted
aqua@DESKTOP:~/e$ kubectl run busybox --image=busybox --rm -it --restart=Never --labels=access=granted -- wget -O- http://nginx:80 --timeout 2
Connecting to nginx:80 (10.106.133.1:80)
writing to stdout
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
- 100% |********************************| 615 0:00:00 ETA
written to stdout
pod "busybox" deleted
aqua@DESKTOP:~/e$
I am having the same issue. Using docker-desktop for k8s.
Start minikube with the CNI flag, otherwise network policy will not work:
minikube start --network-plugin=cni
Hey, not all CNIs support network policies:
Linky linky: https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/
If you are using flannel, for example, at the time of writing the policy will be applied successfully but won't be enforced.
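To show what the policy from the first post should produce once a CNI actually enforces it, here is an added example (not code from the CKAD-exercises repo or the thread) that models the ingress decision in Python. The pod label sets are constructed from the three busybox runs in the first post, and it assumes same-namespace traffic with only podSelector peers modelled.

```python
# Added example, not from the CKAD-exercises repo: a minimal model of the ingress
# decision a policy-enforcing CNI makes. Pod label sets are constructed to mirror
# the three busybox runs in the first post; only podSelector peers are modelled.

# The policy as posted: policyTypes commented out, so the API server infers
# [Ingress] from the presence of the ingress section.
POLICY = {"spec": {
    "podSelector": {"matchLabels": {"app": "nginx"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "granted"}}}]}],
}}

def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels: every key/value must be present; {} matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def effective_policy_types(spec: dict) -> list:
    """API default: explicit policyTypes wins; else Ingress always, Egress only if set."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]

def ingress_allowed(policy: dict, src_labels: dict, dst_labels: dict) -> bool:
    """Would a connection from src pod reach dst pod? (same namespace assumed)"""
    spec = policy["spec"]
    if not selector_matches(spec["podSelector"], dst_labels):
        return True  # policy does not select the destination: not isolated by it
    if "Ingress" not in effective_policy_types(spec):
        return True  # policy only isolates egress
    for rule in spec.get("ingress", []):  # isolated: only listed peers get in
        if "from" not in rule:
            return True  # a rule without 'from' admits every source
        for peer in rule["from"]:
            if "podSelector" in peer and selector_matches(peer["podSelector"], src_labels):
                return True
    return False

NGINX = {"app": "nginx", "pod-template-hash": "f89759699"}

def expected_results() -> dict:
    """The three busybox runs from the thread; only the second should get a response."""
    return {
        "no labels": ingress_allowed(POLICY, {"run": "busybox"}, NGINX),
        "access=granted": ingress_allowed(POLICY, {"access": "granted"}, NGINX),
        "app=db": ingress_allowed(POLICY, {"app": "db"}, NGINX),
    }

if __name__ == "__main__":
    for name, ok in expected_results().items():
        print(f"{name:15} -> {'response' if ok else 'timeout (denied)'}")
```

If all three runs get a response on a real cluster, as in the thread, the policy object is fine and the CNI is simply not enforcing it.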