In some cases a packet sent to a k8s Service won't enter the filter/FORWARD/WEAVE-NPC chain, which means that a NetworkPolicy can be bypassed. Such cases are listed in the table found at #3284.
One way to fix this is to create the rule -t filter -A OUTPUT -o weave -j WEAVE-NPC. However, this would make the k8s health checks enter the WEAVE-NPC chain. We could probably use iptables marks set by k8s to distinguish between health checks and regular traffic.
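To make the packet path in the report concrete, here is a small Python model of filter-table traversal. It is an added example for this page, not weave's or kube-proxy's code: it implements only chains, -o, -s, -m mark and -j, and shows why host-generated traffic enters filter/OUTPUT instead of filter/FORWARD (and so never reaches WEAVE-NPC), what the proposed OUTPUT rule changes, and how a mark match could exempt health checks. HEALTH_CHECK_MARK is a made-up placeholder for "a mark k8s sets on health checks" and the pod addresses are constructed; the existing FORWARD hook is modelled as a plain -o weave jump.

```python
"""Toy model of netfilter filter-table traversal for the bypass in this issue.
Added example, not weave's or kube-proxy's code: it models only chains, -o, -s,
-m mark and -j, enough to show why host-generated traffic takes filter/OUTPUT
instead of filter/FORWARD (so never enters WEAVE-NPC) and what the proposed
OUTPUT rule plus a mark match changes.  HEALTH_CHECK_MARK is a hypothetical
placeholder, not a value kube-proxy or weave is known to set.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEALTH_CHECK_MARK = 0x8000  # hypothetical, see docstring
BUILTIN = ("INPUT", "FORWARD", "OUTPUT")


@dataclass
class Packet:
    src: str
    out_iface: str
    locally_generated: bool  # created by a process on this host
    mark: int = 0


@dataclass
class Rule:
    target: str                             # user chain, ACCEPT or DROP
    out_iface: Optional[str] = None         # -o IFACE
    src: Optional[str] = None               # -s ADDR
    mark: Optional[Tuple[int, int]] = None  # -m mark --mark value/mask
    mark_negate: bool = False               # -m mark ! --mark value/mask

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.mark is not None:
            value, mask = self.mark
            if ((pkt.mark & mask) == value) == self.mark_negate:
                return False
        return True


class FilterTable:
    def __init__(self) -> None:
        self.chains = {c: [] for c in BUILTIN}

    def append(self, chain: str, rule: Rule) -> None:  # iptables -A CHAIN ...
        self.chains.setdefault(chain, []).append(rule)

    def walk(self, chain: str, pkt: Packet, visited: List[str]) -> str:
        visited.append(chain)
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            verdict = self.walk(rule.target, pkt, visited)  # -j USER-CHAIN
            if verdict != "RETURN":
                return verdict
        # Built-in chains fall through to an ACCEPT policy; user chains RETURN.
        return "ACCEPT" if chain in BUILTIN else "RETURN"

    def trace(self, pkt: Packet) -> Tuple[str, List[str]]:
        # Locally generated packets enter OUTPUT; routed packets enter FORWARD.
        visited: List[str] = []
        entry = "OUTPUT" if pkt.locally_generated else "FORWARD"
        return self.walk(entry, pkt, visited), visited


def build_table(fix: str) -> FilterTable:
    """fix is 'none', 'output-jump' or 'output-jump-marked'."""
    t = FilterTable()
    # Stand-in for weave-npc's policy: only 10.32.0.5 may reach the pod.
    t.append("WEAVE-NPC", Rule("ACCEPT", src="10.32.0.5"))
    t.append("WEAVE-NPC", Rule("DROP"))
    # The existing hook, modelled as: -A FORWARD -o weave -j WEAVE-NPC
    t.append("FORWARD", Rule("WEAVE-NPC", out_iface="weave"))
    if fix == "output-jump":
        # Proposed: -t filter -A OUTPUT -o weave -j WEAVE-NPC
        t.append("OUTPUT", Rule("WEAVE-NPC", out_iface="weave"))
    elif fix == "output-jump-marked":
        # Same, but skip marked health checks:
        # -A OUTPUT -o weave -m mark ! --mark 0x8000/0x8000 -j WEAVE-NPC
        t.append("OUTPUT", Rule("WEAVE-NPC", out_iface="weave",
                                mark=(HEALTH_CHECK_MARK, HEALTH_CHECK_MARK),
                                mark_negate=True))
    return t


# Constructed sample packets; the addresses are made up for the example.
POD_TO_POD = Packet("10.32.0.9", "weave", locally_generated=False)
HOST_TO_SERVICE = Packet("10.32.0.1", "weave", locally_generated=True)
HEALTH_CHECK = Packet("10.32.0.1", "weave", True, HEALTH_CHECK_MARK)


def outcome(fix: str, pkt: Packet) -> Tuple[str, bool]:
    """(verdict, entered WEAVE-NPC) for one packet under one rule variant."""
    verdict, visited = build_table(fix).trace(pkt)
    return verdict, "WEAVE-NPC" in visited
```

Running outcome() over the three variants shows the shape of the problem: with 'none', HOST_TO_SERVICE is accepted without WEAVE-NPC ever being visited (the bypass), while the routed POD_TO_POD packet is policed; 'output-jump' closes the bypass but also drops HEALTH_CHECK; 'output-jump-marked' lets the marked health check through and still sends unmarked host traffic into WEAVE-NPC. The trade-off the mark match introduces is that anything else that can acquire that mark also skips the policy.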
I think the behaviour is deliberate because the rules for NetworkPolicy used to explicitly state that anything from the host was allowed. However, when I last checked I couldn't find that text.