NetworkPolicy Rules not working with Services #2088
Comments
I'm guessing, based on the comment in your NetworkPolicy, that you want policy to apply to traffic coming from outside of the cluster. With a Service of type ClusterIP, any traffic (from inside the cluster) will have the client's source IP, but traffic from outside the cluster will need to be SNAT'ed. There are no Kubernetes considerations for NetworkPolicy to apply to services. With Calico one thing you can do is use Host Protection to limit access to the Node, and then you could create Calico GlobalNetworkPolicy to limit access to the traffic. Check out https://docs.projectcalico.org/v3.1/getting-started/bare-metal/bare-metal
Yep, as tmjd mentioned the way to do this is using something like Calico host enforcement to control access from outside the cluster, or to use services with externalTrafficPolicy: local which won't perform SNAT on the traffic.
This is currently not feasible given that k8s NP is defined in terms of pods, not services, and so prior to hitting the kube-proxy we don't know the ultimate destination of the traffic.
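As an added illustration of the externalTrafficPolicy option mentioned above (this is an example written for this page, not a manifest from the issue author or the Calico project): the same Service with the default Cluster policy and with Local, followed by a NetworkPolicy that restricts ingress by client ipBlock. The names, namespace, labels and CIDR are placeholders. Note that externalTrafficPolicy only affects NodePort and LoadBalancer Services, so a plain ClusterIP Service as in the issue would not gain anything from it.

```yaml
# Added example, not from the issue. Names, namespace, labels and CIDRs are placeholders.
# Default behaviour: externalTrafficPolicy: Cluster. Traffic arriving from outside the
# cluster may be forwarded to a pod on another node and is SNAT'ed to the node address,
# so a NetworkPolicy evaluates the node IP, not the original client.
apiVersion: v1
kind: Service
metadata:
  name: web-default
  namespace: demo
spec:
  type: NodePort
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
  externalTrafficPolicy: Cluster   # the default; written out here for contrast
---
# externalTrafficPolicy: Local. kube-proxy only delivers to pods on the node that
# received the packet and does not SNAT it, so the pod sees the real client source IP
# and an ipBlock rule can be enforced against it. Nodes with no local endpoint drop
# the traffic, so health checks and the external load balancer must account for that.
apiVersion: v1
kind: Service
metadata:
  name: web-local
  namespace: demo
spec:
  type: NodePort
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
  externalTrafficPolicy: Local
---
# Ingress policy admitting only a placeholder client range to the web pods.
# With externalTrafficPolicy: Local the source evaluated here is the client's IP;
# with Cluster it would be a node IP and this rule would not behave as intended.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-clients
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 203.0.113.0/24   # placeholder client range (TEST-NET-3, not a real network)
      ports:
        - protocol: TCP
          port: 8080
```

A quick way to confirm which source address a pod actually sees is to check the pod's access log (or a tcpdump on the pod's interface) while connecting through each Service: under Cluster you will see a node address, under Local the client's.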
@caseydavenport @tmjd I have the same problems as @ecowden and, as I understood it, traffic from the pod network (specified in the --cluster-cidr option of kube-proxy) should not be SNATed. But I have an IP pool with nat-outgoing: true and I have a suspicion that traffic to the K8s service IP range is masqueraded. If so, it would be good to get rid of this, but I need masquerading for connections to resources outside of the pod and service networks. Any thoughts?
Ultimately, we decided to go with an external and explicit load balancing solution. In our case, we wrote an operator using kube-builder to make the load balancer do exactly what we want, because of some very specific requirements. For a less work-intensive solution, you may want to consider a tool like MetalLB. Good luck! 😁
NetworkPolicy Ingress rules are applied when connecting to Pods directly, but not when connecting through a Service. Services are of type ClusterIP.
For reference, the NetworkPolicy may look like,
Conversely, if I create a NetworkPolicy rule that allows traffic from the host network, traffic is allowed through the Service regardless of the source (wrong), and clients cannot connect directly to pods (right).
Looks the same as issue #1683.
I've verified that kube-proxy's --cluster-cidr=... argument is set to the Pod network, and that it excludes the Service network.

Expected Behavior
NetworkPolicy Ingress rules should be enforced based on the original client when routing through Services, not the host where kube-proxy is running.

Current Behavior
NetworkPolicy through services is enforced based on the location of the kube-proxy instance.

Possible Solution
Unsure.
Steps to Reproduce (for bugs)
Context
This prevents us from using Kubernetes NetworkPolicy to control access to workloads in the Kubernetes cluster.
Your Environment
Kubernetes is configured using Calico with BGP pairing to make the Pod network routable from outside the cluster.
Thanks in advance!
Edit: The original version of this issue was posted prematurely with an errant mouse click. Apologies for any confusion!