I'm trying to create a network policy in Azure Kubernetes Service (AKS) that allows access to a specific pod from only a specific IP address range. For testing purposes, I want to start with allowing access only from my current PC's IP address.
I created an AKS cluster with the required network policy using "azure":
az aks create \
--resource-group $RESOURCE_GROUP_NAME \
--name $CLUSTER_NAME \
--node-count 1 \
--network-plugin azure \
--network-policy azure
I labeled my pod with "access-restricted":
kubectl label pods <pod-name> access=restricted
And my network policy looks like this (notice the matchLabels - that's why I labeled the pod):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-my-pc
spec:
  podSelector:
    matchLabels:
      access: restricted
  ingress:
  - from:
    - ipBlock:
        cidr: <my-ip-address>/32
Despite applying the network policy, I still seem to have unrestricted access to the pod from any IP address. The network policy is not working as expected. The Pod is running and in the Ready state, the Service is using a Load Balancer with an external IP - everything is working fine, I just can't restrict it.
What am I doing wrong?
You should expose your pod through a service. Then you can just follow this exact scenario: https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#restrict-inbound-traffic-to-specific-ip-ranges
apiVersion: v1
kind: Service
metadata:
  name: azure-vote-front
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: azure-vote-front
  loadBalancerSourceRanges:
  - MY_EXTERNAL_IP_RANGE
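A small audit check for the fix described in this answer, added here as an example that is not part of the answer or of the AKS documentation: it walks Service manifests (constructed sample dicts mirroring the YAML above, with a placeholder address standing in for MY_EXTERNAL_IP_RANGE) and flags LoadBalancer services that have no loadBalancerSourceRanges, carry an invalid CIDR, or allow every source address.

```python
import ipaddress

# Constructed sample manifests (Python dicts mirroring the Service YAML above).
RESTRICTED_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "azure-vote-front"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [{"port": 80}],
        "selector": {"app": "azure-vote-front"},
        # Placeholder address in place of MY_EXTERNAL_IP_RANGE (constructed).
        "loadBalancerSourceRanges": ["203.0.113.10/32"],
    },
}
OPEN_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "wide-open"},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 80}], "selector": {"app": "x"}},
}


def audit_service(svc: dict) -> list:
    """Return findings for a LoadBalancer Service exposed without a source restriction."""
    findings = []
    spec = svc.get("spec", {})
    name = svc.get("metadata", {}).get("name", "<unnamed>")
    if spec.get("type") != "LoadBalancer":
        return findings  # ClusterIP/NodePort services are out of scope for this check
    ranges = spec.get("loadBalancerSourceRanges")
    if not ranges:
        findings.append(f"{name}: LoadBalancer without loadBalancerSourceRanges (open to all)")
        return findings
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"{name}: invalid CIDR {cidr!r}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 restricts nothing
            findings.append(f"{name}: range {cidr} allows every source address")
    return findings


if __name__ == "__main__":
    for svc in (RESTRICTED_SERVICE, OPEN_SERVICE):
        print(svc["metadata"]["name"], audit_service(svc) or ["ok"])
```

Run it against exported manifests (for example `kubectl get svc -o json`, parsed into dicts) to spot any externally exposed Service that never received the restriction.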