weave-npc does not support kubernetes 1.7 NetworkPolicy semantics

[deitch]

Opening per request for @bboreham in #3083

In Kubernetes pre-1.7, the network policy semantics were as follows:

• In a namespace, by default, allow all connections into all pods, whether or not a policy is defined
• If a namespace has the DefaultDeny annotation, block all traffic to all pods, except for those that have a NetworkPolicy allowing access to the specific pods (by label, etc.)

In Kubernetes 1.7+, the semantics are as follows:

• In a namespace, by default, allow all connections into all pods, if no policy is defined
• If a pod has a NetworkPolicy attached to it, then deny all connections into that pod, except for those explicitly allowed by the policy
• If a namespace has the DefaultDeny annotation, block all traffic to all pods, except for those that have a NetworkPolicy allowing access to the specific pods (by label, etc.) (unchanged)

The changes are in the middle one: If no annotation is set but a network policy applies to a pod, then block all connections to that pod except for those explicitly allowed by the policy.

As pointed out by @bboreham, weave-npc currently implements the pre-1.7 semantics, rather than the 1.7+. weave-npc should implement the 1.7+ semantics (or possibly check the kubernetes version and implement the appropriate semantics).

[bboreham]

Since it's disappeared from the Kubernetes documentation, I'll note here that the workaround is to say:

kubectl annotate ns <my-namespace> "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}"

[stevesloka]

The extra single quotes has an issue, this works for me:

kubectl annotate ns <my-namespace> "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}"

[bboreham]

Sorry about that; I'll edit my comment.

[ceridwen]

I have weave running on minikube, which is running Kubernetes 1.7. I have a namespace with the DefaultDeny annotation, but connections are allowed to pods in that namespace whether there's a NetworkPolicy set or not. No combination of annotation or NetworkPolicy, expecting 1.6 or 1.7 semantics, seems to get weave to deny connections on my minikube setup. As in the original bug, the weave-npc logs indicate that weave sees the namespace. Is this the same bug, or should I file a separate issue?

[bboreham]

@ceridwen please open a new issue and include the logs.

[bboreham]

Some thoughts about implementation:
Currently we have an ipset for every pod in a namespace, and if the namespace is DefaultAllow then we add a rule accepting that ipset.
There are three cases:

• DefaultDeny: just have rules for policies.
• DefaultAllow 1.6 semantics: add rule accepting ipset containing every pod in namespace.
• DefaultAllow 1.7 semantics: add rule accepting ipset containing every pod in namespace not touched by a policy.

We need to take care when policies are added and removed, since that will change the set.

[brb]

FYI you can find PR at #3151.

[SharpEdgeMarshall]

Just a clarification, actually are you saying that with weave 2.0.5 and k8s 1.7 or 1.8 if i need to isolate a pod i must isolate the entire namespace before?
So if i need to isolate the kubernetes-dashboard in the kube-system namespace from external pods i must DefaultDeny the entire namespace and then apply NetworkPolicy to enable each service in kube-system just to protect the dashboard?

[bboreham]

@SharpEdgeMarshall yes, that was how network policies worked in Kubernetes when the current implementation was written.