Kubernetes
emashev, 2020-12-29 00:17:00

How to allow access to NodePort through network policy?

Hello, I have k8s running on bare metal with external load balancers.
SSL termination happens on them, and applications are exposed through a NodePort at the VIP address.
I needed to restrict traffic between namespaces and block Internet access for some pods.

If I apply this policy, the namespace is isolated, but access to the NodePort stops working.
All policies apply to specific namespaces; by default everything should be allowed.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}

If you add ports to the policy:

  ports:
  - port: 8080

(port 8080 is the internal port of the application), then access to the NodePort will open, but for all namespaces with the same policy.

The policy below only allows Internet access for pods with the appropriate label.
But I can't get it all to work together.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-public-net
spec:
  podSelector: {}
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.0.0/16
    - ipBlock:
        cidr: 172.16.0.0/12
    - ipBlock:
        cidr: 10.0.0.0/8

---

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-public-network-for-labels
spec:
  podSelector:
    matchLabels:
      public-network: "true"
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
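As an added illustration (not code from this thread, from Kubernetes or from Calico), the Python below models NetworkPolicy ingress semantics and runs the question's policies through it. The namespaces, pod IPs and the node network 192.168.10.0/24 are constructed; the model covers podSelector, namespaceSelector, ipBlock and ports, with `from` and `ports` ANDed inside one rule and rules ORed across policies. The point it shows is that NodePort traffic does not arrive from a pod: with externalTrafficPolicy=Cluster kube-proxy SNATs it to a node address, with Local it keeps the client address, so a podSelector peer never matches it and only an ipBlock can admit it.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress semantics.

Added illustration for the question above; not code from the thread or
from Kubernetes/Calico. It models only what the question touches:
podSelector / namespaceSelector / ipBlock peers, ports, AND between `from`
and `ports` inside one rule, OR across rules and across policies.
"""
import ipaddress

# Constructed inventory: namespace labels and an assumed node network.
NS_LABELS = {"app": {"team": "a"}, "other": {"team": "b"}}
NODE_CIDR = "192.168.10.0/24"  # assumed; what a NodePort client looks like after kube-proxy SNAT

# Constructed sources hitting pod "web" (labels app=web) in namespace "app" on port 8080.
SAME_NS = {"ip": "10.0.1.11", "ns": "app", "labels": {"app": "db"}}
OTHER_NS = {"ip": "10.0.2.20", "ns": "other", "labels": {}}
NODEPORT = {"ip": "192.168.10.5"}  # non-pod source: node IP (externalTrafficPolicy=Cluster)


def matches(selector, labels):
    """matchLabels semantics: an empty or missing selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).items())


def peer_matches(peer, policy_ns, src):
    """One entry of a rule's `from` list checked against a source."""
    if "ipBlock" in peer:  # plain CIDR match, whether the source is a pod or not
        ip = ipaddress.ip_address(src["ip"])
        blk = peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if "ns" not in src:  # label selectors only ever match pods
        return False
    if "namespaceSelector" in peer:
        return (matches(peer["namespaceSelector"].get("matchLabels"), NS_LABELS[src["ns"]])
                and matches(peer.get("podSelector", {}).get("matchLabels"), src["labels"]))
    # podSelector alone is scoped to the policy's own namespace
    return src["ns"] == policy_ns and matches(peer["podSelector"].get("matchLabels"), src["labels"])


def rule_allows(rule, policy_ns, src, port):
    """`from` and `ports` are ANDed; an empty or missing list means "anything"."""
    froms, ports = rule.get("from") or [], rule.get("ports") or []
    from_ok = not froms or any(peer_matches(p, policy_ns, src) for p in froms)
    port_ok = not ports or any(p.get("port") == port for p in ports)
    return from_ok and port_ok


def policy_types(spec):
    """Default policyTypes: Ingress always, Egress only when egress rules are present."""
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def ingress_allowed(policies, dst_ns, dst_labels, src, port):
    """Union across every policy that selects the destination pod for Ingress."""
    selecting = [p for p in policies
                 if p["ns"] == dst_ns
                 and "Ingress" in policy_types(p["spec"])
                 and matches(p["spec"].get("podSelector", {}).get("matchLabels"), dst_labels)]
    if not selecting:
        return True  # pod is not isolated for ingress
    return any(rule_allows(r, p["ns"], src, port)
               for p in selecting for r in p["spec"].get("ingress") or [])


def deny_from_other_ns(extra_rules=()):
    """The question's deny-from-other-namespaces policy, plus optional extra ingress rules."""
    return {"ns": "app", "spec": {"podSelector": {"matchLabels": None},
                                  "ingress": [{"from": [{"podSelector": {}}]}, *extra_rules]}}


def scenario(policies):
    return {name: ingress_allowed(policies, "app", {"app": "web"}, src, 8080)
            for name, src in (("same-ns", SAME_NS), ("other-ns", OTHER_NS), ("nodeport", NODEPORT))}


# 1. As posted: the namespace is isolated, but NodePort traffic is dropped too.
AS_POSTED = scenario([deny_from_other_ns()])
# 2. A separate rule with only `ports`: no `from` means any source, so other namespaces get in as well.
PORTS_ONLY = scenario([deny_from_other_ns([{"ports": [{"port": 8080}]}])])
# 3. `from` (node network) and `ports` in one rule: NodePort traffic admitted, other namespaces still denied.
NODE_CIDR_RULE = scenario([deny_from_other_ns([{"from": [{"ipBlock": {"cidr": NODE_CIDR}}],
                                                "ports": [{"port": 8080}]}])])
# 4. Layering the question's deny-from-public-net ingress rule (0.0.0.0/0) in the same namespace:
#    policies are unioned and ipBlock is a plain CIDR match, so every source is admitted again.
PUBLIC_NET = {"ns": "app", "spec": {"podSelector": {},
                                    "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}}
WITH_PUBLIC_NET = scenario([deny_from_other_ns(), PUBLIC_NET])

if __name__ == "__main__":
    for name, result in [("as posted", AS_POSTED), ("ports only", PORTS_ONLY),
                         ("node cidr + ports", NODE_CIDR_RULE), ("plus deny-from-public-net", WITH_PUBLIC_NET)]:
        print(f"{name:26} {result}")
```

Scenario 2 matches what the question reports: a rule that has `ports` but no `from` admits every source on 8080. Scenario 3 keeps `from` and `ports` in the same rule, which admits the node network on 8080 without reopening other namespaces. Scenario 4 shows why adding deny-from-public-net undoes the isolation: its ipBlock 0.0.0.0/0 also covers pod addresses, and policies that select the same pod are unioned, never intersected. If the load balancer's own addresses are what reaches the pod (externalTrafficPolicy=Local), the ipBlock should name those instead of the node network.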

1 answer(s)
emashev, 2021-01-27
@emashev

Apparently there's no way to do it without workarounds :)
Even with an allow rule via calicoctl, I couldn't open access to the NodePort.

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
  namespace: np1
spec:
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow
    source:
      selector: all()
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-nodeport
spec:
  preDNAT: true
  applyOnForward: true
  order: 10
  ingress:
    - action: Allow
      protocol: TCP
      destination:
        selector: has(node-role.kubernetes.io/master)
        ports: [30000:32000]
  selector: has(node-role.kubernetes.io/master)

Perhaps the deny rules took precedence.
In the end it was decided to gradually migrate to the nginx ingress controller.
