default deny Calico global network policy not working
I wanted to evaluate the Calico network policies, so I followed the documentation here and created a global deny policy. Then I created a busybox pod in the default namespace to test if the network traffic is blocked. I was surprised that both network resolution and traffic to other pods and services are still allowed.
Expected Behavior
Pod is not able to access k8s services or do DNS resolution
Steps to Reproduce (for bugs)
- Create a minikube cluster
minikube start -p demo --kubernetes-version=1.22.0 --container-runtime=containerd --nodes 2 --memory 2048 --cpus 2 --enable-default-cni=false
- Deploy Calico operator
kubectl create -f https://projectcalico.docs.tigera.io/manifests/tigera-operator.yaml
cat <<EOF | kubectl apply -f -
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    ipPools:
    - blockSize: 26
      cidr: 10.244.0.0
      encapsulation: VXLANCrossSubnet
      natOutgoing: Enabled
      nodeSelector: all()
EOF
- Create a default deny network policy
cat <<EOF | calicoctl apply -f -
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-all
spec:
  selector: all()
  types:
  - Ingress
  - Egress
EOF
- Test DNS resolution or use nc to check if a port is open on a k8s svc
Your Environment
- Calico version v3.23.3
- K8s 1.22.0
Hi @der-ali, for step 4, are you running your nc commands inside of your busybox pod? Global network policy does not police traffic from the host -> workload for some pragmatic reasons (i.e. it allows the kubelet to access health checks on pods). Your global network policy should block traffic from your busybox pod to other pods (or the other way around) though. Can you try that and see if that works?
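The pod-to-pod test the reply asks for, written out as an added example (not code from the issue author or the Calico project). It assumes kubectl is pointed at the minikube cluster from the steps above with deny-all already applied; the pod and Service names "server" and "client" are our own choice.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue or the Calico project: probe the
# deny-all GlobalNetworkPolicy from INSIDE a client pod, as the reply suggests,
# so every check is workload -> workload rather than host -> workload (which
# GlobalNetworkPolicy does not police). Assumes kubectl targets the cluster
# above; the pod and Service names "server" and "client" are our own choice.
set -u
NS="${NS:-default}"

# Pure helper: map a probe's exit status to a verdict, given what the policy
# should do to that flow. $1 = exit status (0 = traffic got through),
# $2 = expectation, "blocked" or "allowed".
verdict() {
  if [ "$2" = blocked ] && [ "$1" -ne 0 ]; then echo PASS
  elif [ "$2" = allowed ] && [ "$1" -eq 0 ]; then echo PASS
  else echo FAIL
  fi
}

# Run a command inside a pod and return its exit status.
probe() { pod="$1"; shift; kubectl -n "$NS" exec "$pod" -- "$@" >/dev/null 2>&1; }

run_checks() {
  # Server pod + Service in front of it, and a separate client pod.
  kubectl -n "$NS" run server --image=busybox --restart=Never -- httpd -f -p 8080
  kubectl -n "$NS" expose pod server --port 8080
  kubectl -n "$NS" run client --image=busybox --restart=Never -- sleep 3600
  kubectl -n "$NS" wait --for=condition=Ready pod/server pod/client --timeout=120s
  pod_ip=$(kubectl -n "$NS" get pod server -o jsonpath='{.status.podIP}')
  svc_ip=$(kubectl -n "$NS" get svc server -o jsonpath='{.spec.clusterIP}')

  # With deny-all applied, all three probes must fail (PASS). Delete the
  # policy and rerun: they should then connect, i.e. the verdicts flip.
  probe client nc -z -w 3 "$pod_ip" 8080; st=$?
  echo "pod -> pod IP        : $(verdict "$st" blocked)"
  probe client nc -z -w 3 "$svc_ip" 8080; st=$?
  echo "pod -> Service IP    : $(verdict "$st" blocked)"
  probe client timeout 5 nslookup kubernetes.default.svc.cluster.local; st=$?
  echo "pod -> kube-dns      : $(verdict "$st" blocked)"

  kubectl -n "$NS" delete pod/client pod/server svc/server --ignore-not-found
}

# Only touch the cluster when explicitly asked: ./check-deny-all.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```

Running the same probes from a node shell (host -> workload) is expected to succeed even with deny-all in place, which is the distinction the reply draws.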
Yes, from the busybox pod. I decided on K8s network policies, as they were more reliable in my case. I could nevertheless give it a try again in the next days.