weave-npc does not support kubernetes 1.7 NetworkPolicy semantics #3105
Comments
Since it's disappeared from the Kubernetes documentation, I'll note here that the workaround is to say:
The extra single quotes have an issue; this works for me:
Sorry about that; I'll edit my comment.
I have weave running on minikube, which is running Kubernetes 1.7. I have a namespace with the DefaultDeny annotation, but connections are allowed to pods in that namespace whether there's a NetworkPolicy set or not. No combination of annotation or NetworkPolicy, expecting 1.6 or 1.7 semantics, seems to get weave to deny connections on my minikube setup. As in the original bug, the weave-npc logs indicate that weave sees the namespace. Is this the same bug, or should I file a separate issue?
@ceridwen please open a new issue and include the logs.
Some thoughts about implementation:
We need to take care when policies are added and removed, since that will change the set.
FYI you can find PR at #3151. |
Implement Kubernetes 1.7 NetworkPolicy semantics
Just a clarification: are you actually saying that with weave 2.0.5 and k8s 1.7 or 1.8, if I need to isolate a pod I must isolate the entire namespace first?
@SharpEdgeMarshall yes, that was how network policies worked in Kubernetes when the current implementation was written. |
Opening per request for @bboreham in #3083
In Kubernetes pre-1.7, the network policy semantics were as follows:

- `DefaultDeny` annotation: block all traffic to all pods, except for those that have a `NetworkPolicy` allowing access to the specific pods (by label, etc.).

In Kubernetes 1.7+, the semantics are as follows:

- `DefaultDeny` annotation: block all traffic to all pods, except for those that have a `NetworkPolicy` allowing access to the specific pods (by label, etc.). (unchanged)

The changes are in the middle one: if no annotation is set but a network policy applies to a pod, then block all connections to that pod except for those explicitly allowed by the policy.
As pointed out by @bboreham, weave-npc currently implements the pre-1.7 semantics, rather than the 1.7+. weave-npc should implement the 1.7+ semantics (or possibly check the kubernetes version and implement the appropriate semantics).
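The following Go model is an added example, not code from weave-npc, weave or Kubernetes. It puts the two generations of semantics from the issue body side by side, and also exercises the point raised in the implementation note above: the set of pods that a policy selects (and therefore isolates) changes as policies are added and removed, so the agent has to re-evaluate on every policy event. All type and function names (`Cluster`, `Policy`, `AllowsIngress`, `Demo`, the `demo` namespace and its `web`/`db`/`client` pods) are assumptions of this example. It deliberately models only `matchLabels` selectors and same-namespace `podSelector` ingress peers; `namespaceSelector`, `ipBlock`, ports, `policyTypes` and egress are out of scope. The `DefaultDeny` namespace annotation that the workaround at the top of the thread sets is modelled as a per-namespace flag.

```go
package main

import "fmt"

// Labels is a Kubernetes label map. Every type in this file is a reduced model
// written for this example; none of it is weave-npc's or Kubernetes' own code.
type Labels map[string]string

// Pod is the subset of a Pod that ingress evaluation needs.
type Pod struct {
	Name, Namespace string
	Labels          Labels
}

// Policy is a reduced NetworkPolicy: a podSelector (matchLabels only) plus the
// ingress "from" podSelectors. Only same-namespace pod peers are modelled.
type Policy struct {
	Name, Namespace string
	PodSelector     Labels   // empty map selects every pod in the namespace
	From            []Labels // one entry per allowed source selector; none = allow nothing
}

// Semantics picks which generation of the API behaviour to evaluate.
type Semantics int

const (
	Pre17 Semantics = iota // a policy only matters inside a DefaultDeny namespace
	V17                    // any policy that selects a pod isolates that pod
)

// Cluster is the state an enforcement agent keeps (hypothetical, for this example).
type Cluster struct {
	DefaultDeny map[string]bool   // namespaces carrying the DefaultDeny annotation
	Policies    map[string]Policy // keyed "namespace/name"
}

func NewCluster() *Cluster {
	return &Cluster{DefaultDeny: map[string]bool{}, Policies: map[string]Policy{}}
}

// AddPolicy and RemovePolicy are the events that change which pods are isolated
// under V17 semantics; the agent must recompute after each one.
func (c *Cluster) AddPolicy(p Policy)           { c.Policies[p.Namespace+"/"+p.Name] = p }
func (c *Cluster) RemovePolicy(ns, name string) { delete(c.Policies, ns+"/"+name) }

// matches implements matchLabels: every selector key must be present with that
// value; an empty selector matches everything.
func matches(sel, labels Labels) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// selecting returns the policies in pod's namespace whose podSelector selects it.
func (c *Cluster) selecting(pod Pod) []Policy {
	var out []Policy
	for _, p := range c.Policies {
		if p.Namespace == pod.Namespace && matches(p.PodSelector, pod.Labels) {
			out = append(out, p)
		}
	}
	return out
}

// Isolated reports whether ingress to pod is default-deny. This is the single
// place the two semantics differ: under V17 being selected by any policy is
// enough; under Pre17 only the namespace annotation isolates.
func (c *Cluster) Isolated(pod Pod, sem Semantics) bool {
	if c.DefaultDeny[pod.Namespace] {
		return true
	}
	return sem == V17 && len(c.selecting(pod)) > 0
}

// AllowsIngress decides whether a connection from src to dst is permitted: a
// non-isolated pod accepts everything; an isolated pod accepts only sources
// matched by a "from" selector of some policy that selects dst.
func (c *Cluster) AllowsIngress(src, dst Pod, sem Semantics) bool {
	if !c.Isolated(dst, sem) {
		return true
	}
	for _, p := range c.selecting(dst) {
		for _, from := range p.From {
			if src.Namespace == dst.Namespace && matches(from, src.Labels) {
				return true
			}
		}
	}
	return false
}

// Demo builds constructed sample data: a namespace with no annotation and one
// policy that allows only app=web to reach app=db.
func Demo() (*Cluster, map[string]Pod) {
	c := NewCluster()
	pods := map[string]Pod{
		"web":    {Name: "web", Namespace: "demo", Labels: Labels{"app": "web"}},
		"db":     {Name: "db", Namespace: "demo", Labels: Labels{"app": "db"}},
		"client": {Name: "client", Namespace: "demo", Labels: Labels{"app": "client"}},
	}
	c.AddPolicy(Policy{Name: "db-from-web", Namespace: "demo",
		PodSelector: Labels{"app": "db"}, From: []Labels{{"app": "web"}}})
	return c, pods
}

func main() {
	c, p := Demo()
	for _, sem := range []Semantics{Pre17, V17} {
		fmt.Printf("semantics=%d client->db allowed: %v\n", sem, c.AllowsIngress(p["client"], p["db"], sem))
	}
}
```

Under `Pre17` the `db-from-web` policy is a no-op because the `demo` namespace is not annotated, which is exactly the behaviour the issue reports; under `V17` the same policy isolates `db` while leaving `web`, which no policy selects, wide open. Setting `DefaultDeny["demo"]` isolates every pod under both generations, and removing the policy again de-isolates `db` under `V17`, which is why the agent cannot compute the isolated set once and cache it.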