Postgres can't access KubeAPI with NetworkPolicies in place

[Nold360]

Hi,

i'm running my cnpg in a namespace with NetworkPolicies in place. I tried allowing the IP (10.43.0.1:443) & namespace/port of the Kubeapi but nothing helps. Somehow the network connection doesn't even show up in cilium/hubble.

Any advice what i need to allow to make the DB work?

IMHO Somehow it's "not cool" that the DB calls the API directly, thought that's what the operator is for..

{"level":"info","ts":1671002792.2669437,"logger":"setup","msg":"Starting CloudNativePG Instance Manager","logging_pod":"nextcloud-db-1","version":"1.18.0","build":{"Version":"1.18.0","Commit":"2f6d1cef","Date":"2022-11-10"}}
{"level":"error","ts":1671002822.2689383,"msg":"Failed to get API Group-Resources","error":"Get \"https://10.43.0.1:443/api?timeout=32s\": dial tcp 10.43.0.1:443: i/o timeout","stacktrace":"sigs.k8s.io/controller-runtime/pkg/cluster.New\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.13.1/pkg/cluster/cluster.go:160\nsigs.k8s.io/controller-runtime/pkg/manager.New\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.13.1/pkg/manager/manager.go:344\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/instance/run.runSubCommand\n\tinternal/cmd/manager/instance/run/cmd.go:100\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/instance/run.NewCmd.func1.1\n\tinternal/cmd/manager/instance/run/cmd.go:76\nk8s.io/client-go/util/retry.OnError.func1\n\tpkg/mod/k8s.io/client-go@v0.25.3/util/retry/util.go:51\nk8s.io/apimachinery/pkg/util/wait.ConditionFunc.WithContext.func1\n\tpkg/mod/k8s.io/apimachinery@v0.25.3/pkg/util/wait/wait.go:222\nk8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtectionWithContext\n\tpkg/mod/k8s.io/apimachinery@v0.25.3/pkg/util/wait/wait.go:235\nk8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtection\n\tpkg/mod/k8s.io/apimachinery@v0.25.3/pkg/util/wait/wait.go:228\nk8s.io/apimachinery/pkg/util/wait.ExponentialBackoff\n\tpkg/mod/k8s.io/apimachinery@v0.25.3/pkg/util/wait/wait.go:423\nk8s.io/client-go/util/retry.OnError\n\tpkg/mod/k8s.io/client-go@v0.25.3/util/retry/util.go:50\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/instance/run.NewCmd.func1\n\tinternal/cmd/manager/instance/run/cmd.go:75\ngithub.com/spf13/cobra.(*Command).execute\n\tpkg/mod/github.com/spf13/cobra@v1.6.1/command.go:916\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tpkg/mod/github.com/spf13/cobra@v1.6.1/command.go:1044\ngithub.com/spf13/cobra.(*Command).Execute\n\tpkg/mod/github.com/spf13/cobra@v1.6.1/command.go:968\nmain.main\n\tcmd/manager/main.go:64\nruntime.main\n\t/opt/hostedtoolcache/go/1.18.7/x64/src/runtime/proc.go:250"}
{"level":"error","ts":1671002822.2692435,"logger":"setup","msg":"unable to set up overall controller manager","logging_pod":"nextcloud-db-1","error":"Get \"https://10.43.0.1:443/api?timeout=32s\": dial tcp 10.43.0.1:443: i/o timeout","stacktrace":"github.com/cloudnative-pg/cloudnative-pg/pkg/management/log.(*logger).Error\n\tpkg/management/log/log.go:127\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/instance/run.runSubCommand\n\tinternal/cmd/manager/instance/run/cmd.go:119\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/instance/run.NewCmd.func1.1\n\tinternal/cmd/manager/instance/run/cmd.go:76\nk8s.io/client-go/util/retry.OnError.func1\n\tpkg/mod/k8s.io/client-go@v0.25.3/util/retry/util.go:51\nk8s.io/apimachinery/pkg/util/wait.ConditionFunc.WithContext.func1\n\tpkg/mod/k8s.io/apimachinery@v0.25.3/pkg/util/wait/wait.go:222\nk8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtectionWithContext\n\tpkg/mod/k8s.io/apimachinery@v0.25.3/pkg/util/wait/wait.go:235\nk8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtection\n\tpkg/mod/k8s.io/apimachinery@v0.25.3/pkg/util/wait/wait.go:228\nk8s.io/apimachinery/pkg/util/wait.ExponentialBackoff\n\tpkg/mod/k8s.io/apimachinery@v0.25.3/pkg/util/wait/wait.go:423\nk8s.io/client-go/util/retry.OnError\n\tpkg/mod/k8s.io/client-go@v0.25.3/util/retry/util.go:50\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/instance/run.NewCmd.func1\n\tinternal/cmd/manager/instance/run/cmd.go:75\ngithub.com/spf13/cobra.(*Command).execute\n\tpkg/mod/github.com/spf13/cobra@v1.6.1/command.go:916\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tpkg/mod/github.com/spf13/cobra@v1.6.1/command.go:1044\ngithub.com/spf13/cobra.(*Command).Execute\n\tpkg/mod/github.com/spf13/cobra@v1.6.1/command.go:968\nmain.main\n\tcmd/manager/main.go:64\nruntime.main\n\t/opt/hostedtoolcache/go/1.18.7/x64/src/runtime/proc.go:250"}
{"level":"info","ts":1671002822.2808444,"logger":"setup","msg":"Starting CloudNativePG Instance Manager","logging_pod":"nextcloud-db-1","version":"1.18.0","build":{"Version":"1.18.0","Commit":"2f6d1cef","Date":"2022-11-10"}}

Example [non-working] NetPol:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nextcloud-allow-cnpg
  namespace: nextcloud
spec:
  egress:
  - ports:
    - port: 443
      protocol: TCP
    - port: 6443
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.43.0.1/32
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: default
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
  podSelector: {}
  policyTypes:
  - Egress

[Nold360]

Cluster Config:

apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: nextcloud-db
  namespace: nextcloud
spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:15

  bootstrap:
    initdb:
      import:
        type: microservice
        databases:
          - nextcloud
        source:
          externalCluster: nextcloud

  backup:
    barmanObjectStore:
      destinationPath: "s3://nextcloud-db/"
      endpointURL: "http://minio.minio.svc.cluster.local:9000"
      s3Credentials:
        accessKeyId:
          name: bucket
          key: accesskey
        secretAccessKey:
          name: bucket
          key: secretkey
      wal:
        compression: gzip
        #encryption: AES256
      data:
        compression: gzip
        #encryption: AES256
    retentionPolicy: "90d"

  resources:
    requests:
      memory: "64Mi"
      cpu: "50m"
    limits:
      memory: "1Gi"
      cpu: "1"

  storage:
    size: 10Gi

  externalClusters:
    - name: nextcloud
      connectionParameters:
        host: nextcloud-postgresql.nextcloud.svc.cluster.local
        user: nextcloud
        dbname: nextcloud
      password:
        name: nextcloud-postgres
        key: postgresql-password

PS: Deleting all networkpolicies in the namespace solves the issue and the DB starts as expected

[sxd]

Hi @Nold360

This is not the DB calling the API it's the manager inside that needs to communicate the state of the instance to the Kubernetes API, it's not the database at all.

You need to allow the communication in your network policy of the pods with the Kubernetes API, that's required and mandatory for the operator to work properly.

I'm converting this into a discussion since it's not an issue

[Nold360]

You need to allow the communication in your network policy of the pods with the Kubernetes API, that's required and mandatory for the operator to work properly.

That's exactly the question, how would this netpol look like?

I'm converting this into a discussion since it's not an issue

I think it's at least an issue in the docs, as i can't seem to find this communication here: https://cloudnative-pg.io/documentation/current/security/#container

[sxd]

@Nold360

How the network policy will look like it's related to your own cluster implementation, it's not the same for every one, but if you're going to deny the access to the Kubernetes API, you just need to add an exception to that rule.

Related to the documentation, probably you should look here https://cloudnative-pg.io/documentation/current/security/#network-policies

[jcpunk]

I wonder is something like:

networkPolicy:
  enabled: true
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
    - port: 443
      protocol: TCP

Would work for permitting API server access...