
azure-npm networking policies are not compatible with Kubernetes Network Policy #465

@onatm

Description


Is this a request for help?: NO


Is this an ISSUE or FEATURE REQUEST? (choose one): ISSUE


Which release version?: v1.0.30


Which component (CNI/IPAM/CNM/CNS): NPM


Which Operating System (Linux/Windows): Linux


For Linux: Include Distro and kernel version using "uname -a"

Linux aks-nodepool1-XXXXXXX-vmss000000 4.15.0-1061-azure #66-Ubuntu SMP Thu Oct 3 02:00:50 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


Which Orchestrator and version (e.g. Kubernetes, Docker)

Kubernetes 1.14.8


What happened:

To make things simple I am providing a minimal subset of our networking policies. First, we apply a restrictive set of networking policies and then allow some internal communication along with egress to specified out of cluster IPs, etc.

The following network policy blocks all inbound and outbound traffic.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress-egress
  namespace: our-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Then we allow DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dns
  namespace: our-namespace
spec:
  podSelector: {}
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53

This is fine until azure-npm starts to diverge from the other network policy managers (which is not mentioned in the documentation).

If we apply the following policy, inbound traffic remains blocked:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-nginx-ingress
  namespace: our-namespace
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  ingress:
  - {}

To make it work, we had to change this policy to this:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-nginx-ingress
  namespace: our-namespace
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  ingress:
  - from: []
    ports:
    - protocol: TCP

We had to update all of our policies to define the protocol in all of them. However, even if we do so, things start to fall over after a while and we couldn't find the reason, so we decided to switch to another network policy manager.


What you expected to happen:

I expect azure-npm to be compatible with Kubernetes Network Policy


How to reproduce it (as minimally and precisely as possible):

You can apply the above network policies to reproduce it. If you need a more precise example I can provide it by creating a new repository.


Anything else we need to know:

We already have an open ticket on Azure Portal about azure-npm and azure-ip-masq-agent.
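As an added illustration of the rule shapes this issue turns on (not code from the reporter or from azure-container-networking), the following Python script runs a few static checks over NetworkPolicy objects: it derives the effective `policyTypes` when the field is omitted, flags the `ingress: [{}]` allow-all shorthand, and flags port entries that name a protocol without a port number. The four policies are constructed dict copies of the YAML in the issue; `rule_shape`, `lint_policy` and `explicit_equivalent` are names chosen for this example. The last function shows why the issue's workaround is narrower than the original policy: listing only `protocol: TCP` opens every TCP port but no longer admits UDP or SCTP, whereas the spec reads an empty rule as "all peers, all ports, all protocols".

```python
"""Static checks for Kubernetes NetworkPolicy rule shapes.

Example written for this issue thread; it is not part of azure-npm or
any other policy manager. The policies below are constructed copies of
the ones quoted in the issue body.
"""
from typing import Any

# Constructed inputs, mirroring the issue's YAML.
DENY_ALL = {"metadata": {"name": "deny-all-ingress-egress"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
DNS = {"metadata": {"name": "dns"},
       "spec": {"podSelector": {},
                "egress": [{"to": [{"namespaceSelector": {}}],
                            "ports": [{"protocol": "UDP", "port": 53}]}]}}
ALLOW_NGINX_SHORT = {"metadata": {"name": "allow-nginx-ingress"},
                     "spec": {"podSelector": {"matchLabels": {"app": "nginx-ingress"}},
                              "ingress": [{}]}}
ALLOW_NGINX_EXPLICIT = {"metadata": {"name": "allow-nginx-ingress"},
                        "spec": {"podSelector": {"matchLabels": {"app": "nginx-ingress"}},
                                 "ingress": [{"from": [], "ports": [{"protocol": "TCP"}]}]}}


def effective_policy_types(spec: dict[str, Any]) -> list[str]:
    """Per the NetworkPolicy spec: Ingress is always implied when
    policyTypes is omitted; Egress is implied only if egress rules exist."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    types = ["Ingress"]
    if "egress" in spec:
        types.append("Egress")
    return types


def rule_shape(rule: dict[str, Any], peer_key: str) -> str:
    """Classify one ingress/egress rule by what it leaves unconstrained.

    allow-all : {} (or empty peers and ports) -> all peers, all ports/protocols
    all-peers : peers empty, ports listed     -> any source, listed ports only
    all-ports : peers listed, ports empty     -> listed peers, every port
    scoped    : both peers and ports listed
    """
    peers = rule.get(peer_key) or []
    ports = rule.get("ports") or []
    if not peers and not ports:
        return "allow-all"
    if not peers:
        return "all-peers"
    if not ports:
        return "all-ports"
    return "scoped"


def lint_policy(policy: dict[str, Any]) -> list[str]:
    """Return human-readable findings for a single NetworkPolicy."""
    name = policy["metadata"]["name"]
    spec = policy["spec"]
    findings: list[str] = []
    types = effective_policy_types(spec)
    if "policyTypes" not in spec:
        findings.append(f"{name}: policyTypes omitted, effective {types}")
    # A selected direction with no rules isolates the pods in that direction.
    for ptype in types:
        direction = ptype.lower()
        if not spec.get(direction):
            findings.append(f"{name}: {ptype} selected with no rules -> denies all {direction}")
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction) or []):
            if rule_shape(rule, peer_key) == "allow-all":
                findings.append(f"{name}: {direction}[{i}] is the allow-all shorthand ({{}})")
            for port in rule.get("ports") or []:
                if "port" not in port:
                    # protocol defaults to TCP when the entry omits it
                    proto = port.get("protocol", "TCP")
                    findings.append(f"{name}: {direction}[{i}] allows every {proto} port")
    return findings


def explicit_equivalent(rule: dict[str, Any], peer_key: str,
                        protocols: tuple[str, ...] = ("TCP", "UDP", "SCTP")) -> dict[str, Any]:
    """Rewrite the allow-all shorthand into a rule that lists each protocol
    explicitly while keeping the 'all peers, all ports' meaning. Listing
    TCP alone, as in the issue's workaround, drops UDP and SCTP traffic."""
    if rule_shape(rule, peer_key) != "allow-all":
        return rule
    return {peer_key: [], "ports": [{"protocol": p} for p in protocols]}


if __name__ == "__main__":
    for policy in (DENY_ALL, DNS, ALLOW_NGINX_SHORT, ALLOW_NGINX_EXPLICIT):
        for line in lint_policy(policy):
            print(line)
    print(explicit_equivalent({}, "from"))
```

Running the script over the four constructed policies reports, among other things, that `dns` has no `policyTypes` and therefore also selects Ingress with no ingress rules, that the short `allow-nginx-ingress` uses the `{}` shorthand, and that the explicit variant admits every TCP port but nothing else.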

