I have a service that I want to be able to access the internet and no other pods. However, ALL egress rules seem to block all egress.
```shell
# No NetworkPolicies
kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com'
```
With no NetworkPolicy my pod can access the internet. Next I make a NetworkPolicy that allows egress to all IP addresses.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: mytestnamespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
```
Now curl can no longer access the internet, but WHY??????
```shell
kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com'
```
Why does this NetworkPolicy block all egress? Makes no sense!
It turns out that despite opening up to all IP addresses, the NetworkPolicy does not allow egress to the DNS pod, which is in another namespace.
```shell
# Identifying DNS pod
kubectl get pods -A | grep dns
# Identifying DNS pod label
kubectl describe pods -n kube-system coredns-64cfd66f7-rzgwk
```
Next I add the DNS label to the egress policy:
```yaml
# network_policy.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-all
  namespace: mytestnamespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress   # note: with no ingress rules listed, this also denies all inbound traffic to the selected pods
  egress:
  - to:
    - ipBlock:
        cidr: "0.0.0.0/0"
  - to:
    # namespaceSelector and podSelector in ONE peer entry so both must match:
    # only the kube-dns pods in kube-system. As two separate entries they would
    # match all of kube-system plus any kube-dns-labelled pod in this namespace.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: "kube-system"
      podSelector:
        matchLabels:
          k8s-app: "kube-dns"
```
I apply the network policy and test the curl calls:
```shell
# Setting up policy
kubectl apply -f network_policy.yaml
# Testing curl call
kubectl -n mytestnamespace exec service-c-78f784b475-qsdqg -- bin/bash -c 'curl www.google.com'
```
SUCCESS! Now I can make egress calls; next I just have to block the appropriate IP addresses in the private network.
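The follow-up step the post ends on, written out as an added example (not code from the original post): an egress-only policy for the same namespace that keeps internet access and DNS working while denying the private ranges. The policy name is hypothetical, the `except` ranges are RFC 1918 plus link-local placeholders for whatever "the private network" actually is, and the kube-dns labels are the ones found above.

```yaml
# Added example, not part of the original post. Replace the except ranges with
# the cluster's real pod/service/VPC CIDRs before use.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internet-egress-only   # hypothetical name
  namespace: mytestnamespace
spec:
  podSelector: {}                    # applies to every pod in the namespace
  policyTypes:
  - Egress                           # Egress only: listing Ingress with no ingress rules would deny all inbound traffic
  egress:
  # Rule 1: DNS to CoreDNS only, restricted to port 53. namespaceSelector and
  # podSelector sit in ONE peer entry so both must match; as two entries they
  # would allow all of kube-system plus kube-dns-labelled pods in this namespace.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Rule 2: everything else, minus the private ranges. Whether ipBlock matches
  # in-cluster pod IPs depends on the CNI, which is why rule 1 is kept separate
  # instead of relying on 0.0.0.0/0 to cover DNS.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8       # placeholder: private range to deny
        - 172.16.0.0/12    # placeholder: private range to deny
        - 192.168.0.0/16   # placeholder: private range to deny
        - 169.254.0.0/16   # link-local, incl. cloud metadata endpoints
```

After applying it, repeat the curl to www.google.com (should still succeed) and a curl to an address inside one of the excepted ranges (should now time out) to confirm both halves of the policy.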