In some cases k8s NetworkPolicy is not enforced when accessing a Service #3285
Comments
|
I think the behaviour is deliberate because the rules for NetworkPolicy used to explicitly state that anything from the host was allowed. However when I last checked I couldn't find that text. What mark are you thinking of? |
I was thinking about the one set in KUBE-MARK-MASQ, but from further inspection it's not applicable in all cases. |
Aye, https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#networkpolicyingressrule-v1-networking-k8s-io : "Traffic is allowed to a pod <..> if the traffic source is the pod's local node" |
|
However, we should do something about the 10th case: https://github.com/weaveworks/weave/blob/master/docs/k8s-src-ip.md |
In some cases a packet sent to a k8s Service won't enter the
filter/FORWARD/WEAVE-NPCchain which means that a NetworkPolicy can be bypassed. Such cases are listed in the table found at #3284.One way to fix this is to create the rule
-t filter -A OUTPUT -o weave -j WEAVE-NPC. However, this would make the k8s health checks to enter the WEAVE-NPC chain. We could probably use iptables marks set by k8s to distinguish between health checks and a regular traffic.The text was updated successfully, but these errors were encountered: