
Kubernetes Network policy issue


Doing where: Minikube in local with calico plugin enabled

Two namespaces: feature1-namespace and feature2-namespace

Network Policy condition: services in feature1-namespace can communicate with other services in the same namespace but cannot communicate with services in feature2-namespace. Similarly, services in feature2-namespace can communicate among themselves within the same namespace but not with feature1-namespace.

Problem: either it blocks all communication within the namespace and outside the namespace, or it allows all communication as if the policy didn't exist. I have checked the labels; nothing helps.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress-from-feature1
  namespace: feature2-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: feature2-namespace
    - namespaceSelector:
        matchLabels:
          name: feature1-namespace
      podSelector:
        matchLabels:
          name: feature1-namespace
```


```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress-from-feature1
  namespace: feature1-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: feature1-namespace
    - namespaceSelector:
        matchLabels:
          name: feature2-namespace
      podSelector:
        matchLabels:
          name: feature2-namespace
```

Solution

There are a few issues to be fixed. Here follows an explanation of the problems and how you can correct the network policies:

Current Problems

1. Policies are not properly set up to allow communication within their respective namespaces, but block inter-namespace communications.

2. The policies use a namespaceSelector and podSelector in ways that will make them behave in unexpected ways.

3. Policy does not explicitly deny traffic coming from other namespaces.

Amendments

Feature1-namespace:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: feature1-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
```

Feature2-namespace:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: feature2-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
```

As can be seen, these policies allow all pods in the same namespace to communicate and implicitly deny all ingress traffic from other namespaces.

Also, by not specifying rules for other namespaces, this denies all other traffic by default.

Though I'm sure you've already done so, check that Calico is correctly installed and running in your Minikube cluster, i.e.

```bash
kubectl get pods -n kube-system | grep calico
```
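As an added illustration (not part of the question or the answer above), the following Python evaluator implements the NetworkPolicy `from` semantics that decide these outcomes: peers in one `from` list are OR-ed, a `namespaceSelector` and `podSelector` inside one peer are AND-ed, and a bare `podSelector` matches only the policy's own namespace. It checks the answer's allow-same-namespace policy and the question's original feature1-namespace policy, which keys on a `name` namespace label that Kubernetes does not add automatically; the pod label `app: web` and the namespace label sets passed in are constructed assumptions.

```python
# Minimal evaluator for Kubernetes NetworkPolicy ingress semantics (matchLabels only):
# peers under `from` are OR-ed; namespaceSelector and podSelector inside ONE peer are
# AND-ed; a podSelector-only peer means the policy's own namespace; {} matches all.

def _match(selector, labels):
    """True when every key/value in selector.matchLabels is present in labels."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def allows_ingress(policy, src_ns, src_ns_labels, src_pod_labels):
    """Return True if `policy` admits traffic from the described source pod (ports ignored)."""
    own_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        if not rule.get("from"):            # no `from`: the rule admits all sources
            return True
        for peer in rule["from"]:
            ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
            ns_ok = src_ns == own_ns if ns_sel is None else _match(ns_sel, src_ns_labels)
            pod_ok = True if pod_sel is None else _match(pod_sel, src_pod_labels)
            if ns_ok and pod_ok:
                return True
    return False                            # selected pods are isolated; no peer matched

# The answer's policy for feature1-namespace.
ALLOW_SAME_NS = {
    "metadata": {"namespace": "feature1-namespace"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {}}]}]},
}

# The question's policy for feature1-namespace, which keys on a `name` namespace label.
ORIGINAL_F1 = {
    "metadata": {"namespace": "feature1-namespace"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [
                 {"namespaceSelector": {"matchLabels": {"name": "feature1-namespace"}}},
                 {"namespaceSelector": {"matchLabels": {"name": "feature2-namespace"}},
                  "podSelector": {"matchLabels": {"name": "feature2-namespace"}}},
             ]}]},
}

def check_answer_policy():
    """(same-namespace allowed, cross-namespace allowed) under the answer's policy."""
    pod = {"app": "web"}                    # constructed pod labels
    return (allows_ingress(ALLOW_SAME_NS, "feature1-namespace", {}, pod),
            allows_ingress(ALLOW_SAME_NS, "feature2-namespace", {}, pod))

def check_original_policy(ns_labels):
    """Same-namespace traffic under the question's policy, given the namespace's labels."""
    return allows_ingress(ORIGINAL_F1, "feature1-namespace", ns_labels, {"app": "web"})
```

With an unlabelled namespace the original policy rejects even same-namespace traffic, which matches the "blocks all communication" symptom in the question; labelling the namespace `name: feature1-namespace` makes that rule match again.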