Description
What happened:
I created a network policy to block all ingress and egress traffic to a namespace, but it is not working for LB IPs: clients using the LB IPs are still able to access the resources of that namespace, even though it has a default deny policy.
What you expected to happen:
I have tested the same scenario with Calico: if we apply a default deny policy, it should block all traffic to that namespace, whether it comes through an internal or an external load balancer ingress.
How to reproduce it:

Create a namespace:

```shell
kubectl create ns elf
```

Create a deployment in ns elf:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: elf
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
```

Create an internal LB:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
  namespace: elf
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: nginx
```

Create a default deny network policy (port 53 allowed for DNS):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: elf
spec:
  egress:
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```
Create a debug pod to test the traffic; traffic to that namespace is allowed when using the LB IP:

```shell
kubectl exec -it ubuntu -- bash
curl <internal-lb-ip>
```
Kubernetes Version:
AKS v1.20.9

Kernel (e.g. uname -a):

```
#uname -a
Linux aks-agentpool-23187946-vmss000004 5.4.0-1061-azure #64~18.04.1-Ubuntu SMP Thu Oct 7 21:00:58 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```

Anything else we need to know?:
The same setup works fine with Calico network policy, which means it should also block load balancer traffic.
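The expectation stated in the report is what the Kubernetes NetworkPolicy specification itself defines: once any policy with `Ingress` in its `policyTypes` selects a pod and lists no `ingress` rules, every ingress source is denied, whatever its IP, and the enforcing CNI plugin is what decides whether load balancer traffic actually gets that treatment. The following is an added example, not code from the issue or from any CNI project: a small offline evaluator of NetworkPolicy semantics (matchLabels selectors, `ipBlock` with `except`, port lists) run against the reporter's `default-deny-all` manifest, embedded as a Python dict. The LB source address `10.240.0.50`, the DNS server address `10.0.0.10` and the `allow-from-lb-range` policy with its `10.240.0.0/16` CIDR are constructed values for the demonstration; a real cluster's observed source IP behind a load balancer depends on the CNI and on SNAT, so such a CIDR must be verified before use.

```python
"""Offline evaluator of Kubernetes NetworkPolicy semantics (added example)."""
import ipaddress

# The reporter's default-deny policy, transcribed from the issue as a dict.
DEFAULT_DENY_ALL = {
    "metadata": {"name": "default-deny-all", "namespace": "elf"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress", "Egress"],
        "egress": [{"ports": [{"port": 53, "protocol": "TCP"},
                              {"port": 53, "protocol": "UDP"}]}],
    },
}

# Constructed: an explicit allow for a source range, to show how LB traffic
# would have to be permitted on purpose once default deny is in place.
ALLOW_FROM_LB_RANGE = {
    "metadata": {"name": "allow-from-lb-range", "namespace": "elf"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"ipBlock": {"cidr": "10.240.0.0/16"}}],
                     "ports": [{"port": 80, "protocol": "TCP"}]}],
    },
}

NGINX_POD = {"labels": {"app": "nginx"}, "namespace": "elf"}


def selector_matches(selector, labels):
    """matchLabels only; an empty selector ({}) matches every object."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def port_matches(rule_ports, port, protocol):
    """A rule without a ports list applies to every port and protocol."""
    if not rule_ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in rule_ports)


def peer_matches(peer, endpoint, policy_ns):
    """endpoint is {"ip": "a.b.c.d"} or {"pod": labels, "namespace": ns}."""
    if "ipBlock" in peer:
        if "ip" not in endpoint:
            return False
        addr = ipaddress.ip_address(endpoint["ip"])
        block = peer["ipBlock"]
        if addr not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(addr in ipaddress.ip_network(c)
                       for c in block.get("except", []))
    if "pod" not in endpoint:
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    # Without a namespaceSelector, a podSelector peer means "same namespace".
    ns_ok = (selector_matches(ns_sel, endpoint.get("namespace_labels", {}))
             if ns_sel is not None else endpoint["namespace"] == policy_ns)
    pod_ok = selector_matches(pod_sel, endpoint["pod"]) if pod_sel is not None else True
    return ns_ok and pod_ok


def policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress when egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def is_allowed(policies, direction, pod, endpoint, port, protocol="TCP"):
    """direction is 'Ingress' or 'Egress'; pod is {"labels":..., "namespace":...}."""
    relevant = [p for p in policies
                if p["metadata"]["namespace"] == pod["namespace"]
                and selector_matches(p["spec"]["podSelector"], pod["labels"])
                and direction in policy_types(p["spec"])]
    if not relevant:
        return True  # an unselected pod is wide open in that direction
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for pol in relevant:  # allow if any rule of any selecting policy matches
        for rule in pol["spec"].get(rules_key) or []:
            peers = rule.get(peers_key) or []
            peer_ok = not peers or any(
                peer_matches(pe, endpoint, pol["metadata"]["namespace"]) for pe in peers)
            if peer_ok and port_matches(rule.get("ports"), port, protocol):
                return True
    return False  # selected, but no rule admits this traffic


if __name__ == "__main__":
    lb = {"ip": "10.240.0.50"}
    print("LB -> nginx:80 under default deny:",
          is_allowed([DEFAULT_DENY_ALL], "Ingress", NGINX_POD, lb, 80))
    print("nginx -> DNS:53/udp under default deny:",
          is_allowed([DEFAULT_DENY_ALL], "Egress", NGINX_POD, {"ip": "10.0.0.10"}, 53, "UDP"))
```

Per the spec the first call must return `False`: the reporter's manifest selects every pod in `elf`, declares `Ingress`, and carries no ingress rule, so there is nothing that admits the load balancer's packets. A CNI that still lets the `curl` through is not implementing that semantic, which is the discrepancy the report describes. The evaluator is also a useful way to review a policy set before deploying it: adding `ALLOW_FROM_LB_RANGE` flips the answer to `True` only for port 80 from the listed range, which is the explicit, auditable shape an exception should take.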