Closed
Description
What happened:
Named ports in ingress rules in network policies are resolved via the ports on the source pods instead of the ports on the destination pods.
What you expected to happen:
In my opinion it makes no sense to resolve the named ports via the ports on the source pods and instead the destination pods should be used.
How to reproduce it (as minimally and precisely as possible):
Apply the following K8S setup. The destination port should in my opinion be 80 and not 666.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test-server
---
apiVersion: v1
kind: Pod
metadata:
  name: webserver
  namespace: test-server
spec:
  containers:
    - name: webserver
      image: nginx:latest
      ports:
        - containerPort: 80
          name: test-port-name
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-server-default-deny
  namespace: test-server
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
apiVersion: v1
kind: Namespace
metadata:
  name: test-client
---
apiVersion: v1
kind: Pod
metadata:
  name: client
  namespace: test-client
spec:
  containers:
    - name: webserver
      image: nginx:latest
      ports:
        - containerPort: 666
          name: test-port-name
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-allow-test-client
  namespace: test-server
spec:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: test-client
      ports:
        - port: test-port-name
          protocol: TCP
  podSelector: {}
  policyTypes:
    - Ingress
```
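The resolution the report expects, written out as a small reference model (added example, not code from the issue or from any CNI): a named port in an ingress rule is looked up on the pods the policy's `podSelector` selects in the policy's own namespace, i.e. the destination, and a pod that has no port with that name simply matches nothing. The manifests from the report are re-encoded here as Python dicts; only `matchLabels` selectors are modelled and the `from` peers are ignored, since they do not take part in port resolution. Running the same lookup against the client pod shows how the reported behaviour ends up at 666.

```python
"""Resolve named ports in NetworkPolicy ingress rules against the policy's
target (destination) pods, as the report above argues they should be."""

# Manifests from the issue, re-encoded as dicts (constructed for this example).
WEBSERVER_POD = {
    "metadata": {"name": "webserver", "namespace": "test-server", "labels": {}},
    "spec": {"containers": [{"name": "webserver", "image": "nginx:latest",
             "ports": [{"containerPort": 80, "name": "test-port-name",
                        "protocol": "TCP"}]}]},
}
CLIENT_POD = {
    "metadata": {"name": "client", "namespace": "test-client", "labels": {}},
    "spec": {"containers": [{"name": "webserver", "image": "nginx:latest",
             "ports": [{"containerPort": 666, "name": "test-port-name",
                        "protocol": "TCP"}]}]},
}
ALLOW_POLICY = {
    "metadata": {"name": "ingress-nginx-allow-test-client",
                 "namespace": "test-server"},
    "spec": {
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {
                "kubernetes.io/metadata.name": "test-client"}}}],
            "ports": [{"port": "test-port-name", "protocol": "TCP"}],
        }],
        "podSelector": {},
        "policyTypes": ["Ingress"],
    },
}


def selector_matches(selector, labels):
    """An empty podSelector selects every pod; otherwise all matchLabels must
    match. matchExpressions are not modelled here (simplification)."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def target_pods(policy, pods):
    """Pods the policy applies to: same namespace as the policy, selected by
    spec.podSelector. These are the destinations of ingress traffic."""
    ns = policy["metadata"]["namespace"]
    sel = policy["spec"].get("podSelector", {})
    return [p for p in pods
            if p["metadata"]["namespace"] == ns
            and selector_matches(sel, p["metadata"].get("labels", {}))]


def named_port_on_pod(pod, name, protocol):
    """Return the containerPort whose name and protocol match, or None."""
    for container in pod["spec"].get("containers", []):
        for port in container.get("ports", []):
            if port.get("name") == name and port.get("protocol", "TCP") == protocol:
                return port["containerPort"]
    return None


def resolve_ingress_ports(policy, pods):
    """Map each target pod name to the list of (protocol, numeric port) pairs
    its ingress rules allow. A named port that the target pod does not expose
    contributes nothing: the rule cannot match traffic to that pod."""
    resolved = {}
    for pod in target_pods(policy, pods):
        allowed = []
        for rule in policy["spec"].get("ingress", []):
            for entry in rule.get("ports", []):
                protocol = entry.get("protocol", "TCP")
                port = entry.get("port")
                if isinstance(port, str):
                    number = named_port_on_pod(pod, port, protocol)
                    if number is not None:
                        allowed.append((protocol, number))
                elif port is not None:
                    allowed.append((protocol, port))
        resolved[pod["metadata"]["name"]] = allowed
    return resolved


if __name__ == "__main__":
    pods = [WEBSERVER_POD, CLIENT_POD]
    print("destination-side resolution:", resolve_ingress_ports(ALLOW_POLICY, pods))
    print("same name looked up on the client (source) pod:",
          named_port_on_pod(CLIENT_POD, "test-port-name", "TCP"))
```

With the manifests above, the destination-side lookup yields port 80 for `webserver`, while the same port name looked up on the client pod yields 666, which is the mismatch the report describes. A pod without a `test-port-name` port gets an empty list rather than a guessed number.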
Environment:
- Kubernetes version (use `kubectl version`): 1.27
- CNI Version: 1.15.4