This repository was archived by the owner on Jun 20, 2024. It is now read-only.
NetworkPolicy only enforced in pod-to-pod traffic, not when using services #3452
Open
Description
What you expected to happen?
When following the Kubernetes tutorial on declaring network policies, I expect wget from an unlabelled pod to the nginx service to time out.
What happened?
When using wget on the service hostname, the nginx pod can be reached. When accessing it directly via pod IP, access is blocked.
$ kubectl get pod,svc,networkpolicy -o wide
NAME                         READY   STATUS    RESTARTS   AGE   IP          NODE                 NOMINATED NODE
pod/nginx-6f858d4d45-dt6fw   1/1     Running   0          35m   10.32.0.2   thesis-test-node-0   <none>

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   37m   <none>
service/nginx        ClusterIP   10.96.140.192   <none>        80/TCP    35m   run=nginx

NAME                                    POD-SELECTOR   AGE
networkpolicy.extensions/access-nginx   run=nginx      36m
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider -T 1 nginx
Connecting to nginx (10.96.140.192:80)
/ # wget --spider -T 1 10.32.0.2
Connecting to 10.32.0.2 (10.32.0.2:80)
wget: download timed out
/ #
How to reproduce it?
As in the tutorial:
kubectl run nginx --image=nginx --expose --port 80
- Store the policy:
$ echo 'kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: access-nginx
> spec:
>   podSelector:
>     matchLabels:
>       run: nginx
>   ingress:
>   - from:
>     - podSelector:
>         matchLabels:
>           access: "true"' > nginx-policy.yaml
- And apply it:
kubectl apply -f nginx-policy.yaml
- Finally test it:
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider -T 1 nginx
Connecting to nginx (10.96.140.192:80)
/ # wget --spider -T 1 10.32.0.2
Connecting to 10.32.0.2 (10.32.0.2:80)
wget: download timed out
Anything else we need to know?
- Run on an OpenStack cluster created using kubernetes-on-openstack, removing the commands to apply Calico in lines 516 and 517 of master.cfg.tpl and installing the weave Kubernetes addon afterwards using
kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
- Might be related to #3285 (In some cases k8s NetworkPolicy is not enforced when accessing a Service)
- I could not reproduce the error in katacoda's Kubernetes playground, so it might be related to my setup. I could not find anything helpful on that, though (except possibly #3230, race between weave-kube and kube-proxy can allow all traffic through Service VIP)
Versions:
$ kubectl exec -n kube-system weave-net-cr5ng -c weave -- /home/weave/weave --local status
Version: 2.5.0 (up to date; next check at 2018/11/19 17:36:29)
Service: router
Protocol: weave 1..2
Name: 42:21:66:1c:43:ea(thesis-test-node-0)
Encryption: disabled
PeerDiscovery: enabled
Targets: 2
Connections: 2 (1 established, 1 failed)
Peers: 2 (with 2 established connections)
TrustedSubnets: none
Service: ipam
Status: ready
Range: 10.32.0.0/12
DefaultSubnet: 10.32.0.0/12
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-30T21:39:16Z", GoVersion:"go1.11.1", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.3", GitCommit:"a4529464e4629c21224b3d52edfe0ea91b072862", GitTreeState:"clean", BuildDate:"2018-09-09T17:53:03Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Logs:
$ kubectl logs -n kube-system weave-net-cr5ng weave
INFO: 2018/11/19 10:26:19.277194 Command line options: map[docker-api: port:6783 expect-npc:true nickname:thesis-test-node-0 ipalloc-range:10.32.0.0/12 name:42:21:66:1c:43:ea no-dns:true conn-limit:100 db-prefix:/weavedb/weave-net http-addr:127.0.0.1:6784 ipalloc-init:consensus=2 metrics-addr:0.0.0.0:6782 datapath:datapath host-root:/host]
INFO: 2018/11/19 10:26:19.277535 weave 2.5.0
INFO: 2018/11/19 10:26:19.413898 Bridge type is bridged_fastdp
INFO: 2018/11/19 10:26:19.413917 Communication between peers is unencrypted.
INFO: 2018/11/19 10:26:19.420441 Our name is 42:21:66:1c:43:ea(thesis-test-node-0)
INFO: 2018/11/19 10:26:19.420486 Launch detected - using supplied peer list: [172.16.0.14 172.16.0.7]
INFO: 2018/11/19 10:26:19.442706 Unable to fetch ConfigMap kube-system/weave-net to infer unique cluster ID
INFO: 2018/11/19 10:26:19.442735 Checking for pre-existing addresses on weave bridge
INFO: 2018/11/19 10:26:19.567869 [allocator 42:21:66:1c:43:ea] No valid persisted data
INFO: 2018/11/19 10:26:19.588340 [allocator 42:21:66:1c:43:ea] Initialising via deferred consensus
INFO: 2018/11/19 10:26:19.588408 Sniffing traffic on datapath (via ODP)
INFO: 2018/11/19 10:26:19.588911 ->[172.16.0.14:6783] attempting connection
INFO: 2018/11/19 10:26:19.589128 ->[172.16.0.7:6783] attempting connection
INFO: 2018/11/19 10:26:19.590644 ->[172.16.0.7:50067] connection accepted
INFO: 2018/11/19 10:26:19.591129 ->[172.16.0.14:6783] error during connection attempt: dial tcp4 :0->172.16.0.14:6783: connect: connection refused
INFO: 2018/11/19 10:26:19.591649 ->[172.16.0.7:50067|42:21:66:1c:43:ea(thesis-test-node-0)]: connection shutting down due to error: cannot connect to ourself
INFO: 2018/11/19 10:26:19.591986 ->[172.16.0.7:6783|42:21:66:1c:43:ea(thesis-test-node-0)]: connection shutting down due to error: cannot connect to ourself
INFO: 2018/11/19 10:26:19.594747 Listening for HTTP control messages on 127.0.0.1:6784
INFO: 2018/11/19 10:26:19.595033 Listening for metrics requests on 0.0.0.0:6782
INFO: 2018/11/19 10:26:20.165387 [kube-peers] Added myself to peer list &{[{42:21:66:1c:43:ea thesis-test-node-0}]}
DEBU: 2018/11/19 10:26:20.182226 [kube-peers] Nodes that have disappeared: map[]
INFO: 2018/11/19 10:26:22.343955 ->[172.16.0.14:6783] attempting connection
INFO: 2018/11/19 10:26:22.344454 ->[172.16.0.14:6783] error during connection attempt: dial tcp4 :0->172.16.0.14:6783: connect: connection refused
INFO: 2018/11/19 10:26:22.733128 ->[172.16.0.14:58157] connection accepted
INFO: 2018/11/19 10:26:22.743480 ->[172.16.0.14:58157|c6:6f:93:00:ed:2d(thesis-test-master)]: connection ready; using protocol version 2
INFO: 2018/11/19 10:26:22.743769 overlay_switch ->[c6:6f:93:00:ed:2d(thesis-test-master)] using fastdp
INFO: 2018/11/19 10:26:22.743898 ->[172.16.0.14:58157|c6:6f:93:00:ed:2d(thesis-test-master)]: connection added (new peer)
INFO: 2018/11/19 10:26:22.773344 ->[172.16.0.14:58157|c6:6f:93:00:ed:2d(thesis-test-master)]: connection fully established
10.32.0.1
INFO: 2018/11/19 10:26:22.811699 Discovered remote MAC c6:d8:31:34:af:1a at c6:6f:93:00:ed:2d(thesis-test-master)
INFO: 2018/11/19 10:26:22.812119 Discovered remote MAC 0a:f6:76:45:66:f4 at c6:6f:93:00:ed:2d(thesis-test-master)
172.16.0.14
172.16.0.7
DEBU: 2018/11/19 10:26:23.141074 registering for updates for node delete events
INFO: 2018/11/19 10:26:23.231335 Discovered remote MAC c6:6f:93:00:ed:2d at c6:6f:93:00:ed:2d(thesis-test-master)
INFO: 2018/11/19 10:26:23.249378 EMSGSIZE on send, expecting PMTU update (IP packet was 60028 bytes, payload was 60020 bytes)
INFO: 2018/11/19 10:26:23.251890 sleeve ->[172.16.0.14:6783|c6:6f:93:00:ed:2d(thesis-test-master)]: Effective MTU verified at 8888
INFO: 2018/11/19 10:58:04.192022 Discovered remote MAC 0a:f6:76:45:66:f4 at c6:6f:93:00:ed:2d(thesis-test-master)
INFO: 2018/11/19 11:00:48.028707 Discovered remote MAC c6:d8:31:34:af:1a at c6:6f:93:00:ed:2d(thesis-test-master)
WARN: 2018/11/19 11:00:57.189662 Vetoed installation of hairpin flow FlowSpec{keys: [EthernetFlowKey{src: 42:21:66:1c:43:ea, dst: 92:77:a6:28:80:15} InPortFlowKey{vport: 1}], actions: [OutputAction{vport: 1}]}
INFO: 2018/11/19 11:06:15.735723 Discovered remote MAC c6:6f:93:00:ed:2d at c6:6f:93:00:ed:2d(thesis-test-master)
INFO: 2018/11/19 11:28:06.466739 Discovered remote MAC 0a:f6:76:45:66:f4 at c6:6f:93:00:ed:2d(thesis-test-master)
INFO: 2018/11/19 11:34:39.677498 Discovered remote MAC c6:d8:31:34:af:1a at c6:6f:93:00:ed:2d(thesis-test-master)
INFO: 2018/11/19 11:45:35.058523 Discovered remote MAC c6:6f:93:00:ed:2d at c6:6f:93:00:ed:2d(thesis-test-master)
Network:
$ ip route
$ ip -4 -o addr
$ sudo iptables-save
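A Service ClusterIP is DNATed by kube-proxy to a backing pod IP before the policy is evaluated, so a correctly working policy controller must give the same verdict for the VIP and for every endpoint IP. The script below is an added example, not code from the weave project or from the issue author: it probes a Service VIP and each of its endpoint pod IPs from a client pod with the same `wget --spider -T 2` check used in the report, and flags the case where the two paths disagree. It assumes a configured `kubectl`, a client pod that already exists in the target namespace (created as in the usage note), and HTTP on the Service's first port; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the weave project or the issue author).
# Compares NetworkPolicy enforcement on the Service VIP path with the
# direct pod-IP path and reports any disagreement between the two.

# Classify one (service_result, pod_result) pair; each value is "ok" or "timeout".
classify() {
  svc=$1; pod=$2
  case "$svc:$pod" in
    ok:ok)           echo "allowed-both" ;;
    timeout:timeout) echo "denied-both" ;;
    ok:timeout)      echo "BYPASS-via-service" ;;   # the symptom reported in this issue
    timeout:ok)      echo "BYPASS-via-pod" ;;
    *)               echo "unknown"; return 1 ;;
  esac
}

# Run wget --spider from inside an existing client pod; prints ok or timeout.
# Any non-zero exit (timeout, connection refused) is treated as "timeout",
# which is the behaviour the issue's busybox session shows for a blocked pod IP.
probe_from_pod() {
  client=$1; ns=$2; target=$3
  if kubectl -n "$ns" exec "$client" -- wget --spider -T 2 "http://$target" >/dev/null 2>&1; then
    echo ok
  else
    echo timeout
  fi
}

# Probe a Service's ClusterIP and each endpoint IP from the client pod.
# Returns 1 if any endpoint shows a BYPASS verdict, 0 otherwise.
check_policy() {
  ns=$1; svc=$2; client=$3
  vip=$(kubectl -n "$ns" get svc "$svc" -o jsonpath='{.spec.clusterIP}')
  port=$(kubectl -n "$ns" get svc "$svc" -o jsonpath='{.spec.ports[0].port}')
  svc_result=$(probe_from_pod "$client" "$ns" "$vip:$port")
  rc=0
  for ip in $(kubectl -n "$ns" get endpoints "$svc" -o jsonpath='{.subsets[*].addresses[*].ip}'); do
    pod_result=$(probe_from_pod "$client" "$ns" "$ip:$port")
    verdict=$(classify "$svc_result" "$pod_result")
    echo "$svc ($vip:$port) vs pod $ip:$port -> service=$svc_result pod=$pod_result: $verdict"
    case "$verdict" in BYPASS*) rc=1 ;; esac
  done
  return $rc
}
```

Usage, assuming the tutorial's `nginx` Service and `access-nginx` policy in the `default` namespace: source the script, create an unlabelled client with `kubectl run probe --image=busybox --restart=Never -- sleep 3600` and run `check_policy default nginx probe` (every line should read `denied-both`); then create a client with `kubectl run probe-ok --image=busybox --restart=Never --labels=access=true -- sleep 3600` and run `check_policy default nginx probe-ok` (every line should read `allowed-both`). A `BYPASS-via-service` line from the unlabelled client reproduces the behaviour described in this issue.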