Environmental Info:
K3s Version: v1.28.8-k3s1
Node(s) CPU architecture, OS, and Version:
host machine: Linux #1 SMP Sat Oct 7 17:52:50 CST 2023 x86_64 x86_64 x86_64 GNU/Linux
k3s container machine: Linux #1 SMP Sat Oct 7 17:52:50 CST 2023 x86_64 GNU/Linux
Cluster Configuration:
I launched k3s using docker-compose.yaml.
Describe the bug:
When I apply the network policy, the busybox pod in the default namespace can access the svc in the default namespace except the API Server SVC (kubernetes svc).
Steps To Reproduce:
Installed K3s:
the docker-compose.yaml is as follows:
run the command: kubectl -n sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 run busybox --image=busybox -- /bin/sh -c "sleep 36000"
run the command: kubectl get svc
run the command: kubectl -n sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 exec -it busybox -- telnet 10.43.0.1 443
run the command: kubectl -n sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 exec -it busybox -- telnet 10.43.128.218 9000
run the command: kubectl apply -f netpol.yaml
run the command: kubectl -n sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 get netpol
run the command: kubectl -n sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 exec -it busybox -- telnet 10.43.0.1 443
run the command: kubectl -n sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 exec -it busybox -- telnet 10.43.128.218 9000
Expected behavior:
From the results of the screenshots at step 9 and step 10, the busybox pod in the sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 namespace can access the API Server SVC (10.43.0.1) and the minio svc (10.43.128.218);
After applying the netpol.yaml, the busybox pod in the sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 namespace should be able to access all the svc in the default namespace (including the API Server SVC);
Actual behavior:
But after applying the netpol.yaml, the busybox pod in the sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 namespace can access the minio svc (step 14), but cannot access the API Server SVC (10.43.0.1) (step 13). The minio svc and the API Server SVC are both in the default namespace!
Additional context / logs:
There is no other netpolicy;
I really want to know why the busybox pod in the sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9 namespace cannot access the API Server SVC, and how can I modify the netpol.yaml so that the pod can access all services in the default namespace? I've been puzzled for a long time, thanks a lot!
Thanks for the detailed explanation. The kubernetes service is a bit special because it is pointing to the node IP and not to a typical pod IP. If you query kubectl get endpoints, you'll see the IP of the "real" process implementing it, which is the same as the node.
To make it work, in addition to your current network policy, you should use an ipBlock including the IP of the node to allow that communication. This is the typical way to grant communication with hostNetwork pods in egress network policies.
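An egress policy of the shape the reply describes, added here as an illustration rather than the reporter's netpol.yaml (which is not reproduced in the issue). The namespace is the one from the report; the node address (192.0.2.10 as a placeholder) and the API port 6443 are assumptions to confirm against `kubectl get endpoints kubernetes` before applying:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-default-and-apiserver
  namespace: sandbox-73e2db8d-3310-4822-a447-47c0dc2711e9
spec:
  podSelector: {}            # every pod in the sandbox namespace
  policyTypes:
    - Egress
  egress:
    # Rule 1: pod-backed services in the default namespace (e.g. minio).
    # The kubernetes.io/metadata.name label is set on every namespace
    # by the API server, so it selects "default" without extra labelling.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
    # Rule 2: the kubernetes service. Its endpoint is the node IP (a
    # hostNetwork process), which a namespaceSelector never matches, so
    # it needs an explicit ipBlock. Traffic to 10.43.0.1:443 is DNATed to
    # the endpoint before the policy is evaluated, which is why the node
    # address and the endpoint port appear here, not the ClusterIP.
    - to:
        - ipBlock:
            cidr: 192.0.2.10/32   # placeholder: replace with the node IP from `kubectl get endpoints kubernetes`
      ports:
        - protocol: TCP
          port: 6443              # assumed k3s API port; confirm in the endpoints output
```

With only Rule 1 present the policy behaves exactly as the report describes (minio reachable, 10.43.0.1 blocked); keeping the ipBlock to a /32 and a single port limits the extra egress to the API server alone rather than opening the whole node.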