Hi Giancarlo,

Thanks for replying. In terms of architecture, I'm using Kops to deploy a 
single master / two worker nodes (all v.1.7.2) across 2 x AWS AZs 
(eu-west-1). This is purely a test environment which I have torn down and 
re-created specifying various network providers, including weave, calico 
and canal. There are no production pods deployed, so I'm only looking at 
running the test pods described in the Kubernetes documentation referenced 
in the original post.

Thanks to a private-reply suggestion I've re-created the cluster specifying 
the kube-router CNI plug-in, and this time network policies work as 
described in the documentation. I think what's happening here is the 
semantics for stating network policies have changed in v.1.7 of Kubernetes 
but the version of CNI plug-ins deployed by Kops is not yet in-step with 
implementing default-deny, except through annotations 
(see https://github.com/weaveworks/weave/issues/3105 for a better 
explanation of what I mean).

The answer then is to upgrade CNI plug-ins as and when support for 1.7 
netpol semantics is implemented, or build from the off with plug-ins that 
already support it!


On Wednesday, 13 September 2017 07:28:19 UTC+1, Giancarlo Rubio wrote:
>
> What network provider are you using? Please provide more info about your 
> scenario like architecture, your networkpolicy, pods, etc.
>
> In case you're using calico, check your daemonset 
> calico-policy-controller. Start the daemonset with log level "verbose" and 
> read the logs.
>
> On Tuesday, 12 September 2017 15:25:24 UTC+2, Prys Williams wrote:
>>
>> I'm building an AWS-hosted Kubernetes cluster using kops (kops version 
>> 1.7.0). Kops creates a kubernetes cluster v1.7.2 and I have kubectl v1.7.4.
>>
>> I'm following Kubernetes documentation to declare network policies (see 
>> https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/ 
>> but similar step-by-step given at 
>> https://github.com/ahmetb/kubernetes-networkpolicy-tutorial/blob/master/01-deny-all-traffic-to-an-application.md).
>>
>> However the network policies to deny access to pods do not have any effect 
>> and I continue to be able to access from other pods. I have tried this 
>> specifying various kops networking options (e.g. weave / calico / canal 
>> etc) but network policy does not seem to be applied with any of them.
>>
>> Is anyone able to shed any light on this, please?
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to kubernetes-users+unsubscr...@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.
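The behaviour discussed in this thread (a v1 default-deny NetworkPolicy that a CNI plug-in silently ignores because it still implements the pre-1.7 namespace-annotation model) can be reproduced without a cluster by modelling the two isolation rules side by side. The following script is an added example written for this page, not code from the thread, from kops, or from any CNI project. The manifests are constructed, label selectors are reduced to `matchLabels` only, and the `semantics` switch is a hypothetical stand-in for which rule set a given plug-in version enforces.

```python
"""Model of Kubernetes NetworkPolicy ingress isolation.

v1 semantics (networking.k8s.io/v1, Kubernetes 1.7+): a pod is isolated only
if at least one NetworkPolicy selects it; an empty podSelector ({}) selects
every pod in the namespace, so a policy with no ingress rules is default-deny.

legacy semantics (pre-1.7): isolation is switched on per namespace by the
annotation net.beta.kubernetes.io/network-policy set to
{"ingress": {"isolation": "DefaultDeny"}}; NetworkPolicy objects only whitelist
peers once that switch is on.  A plug-in that still uses this model ignores a
v1 default-deny policy, which is the symptom described in the thread.
Constructed example, not project code.
"""
import json

LEGACY_ANNOTATION = "net.beta.kubernetes.io/network-policy"


def selector_matches(selector, labels):
    """True if `selector` (matchLabels only) selects `labels`; {} matches all."""
    for key, value in (selector or {}).get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return True


def legacy_default_deny(namespace):
    """True if the namespace carries the pre-1.7 DefaultDeny annotation."""
    annotations = namespace.get("metadata", {}).get("annotations", {})
    raw = annotations.get(LEGACY_ANNOTATION)
    if not raw:
        return False
    return json.loads(raw).get("ingress", {}).get("isolation") == "DefaultDeny"


def ingress_allowed(policies, namespace, target_labels, peer_labels, semantics="v1"):
    """Decide whether a peer pod may send to a target pod in the same namespace.

    `semantics` is a hypothetical switch for the rule set the plug-in enforces.
    """
    selecting = [p for p in policies
                 if selector_matches(p["spec"].get("podSelector"), target_labels)]
    if semantics == "v1":
        isolated = bool(selecting)          # selection alone isolates the pod
    else:
        isolated = legacy_default_deny(namespace)  # only the annotation isolates
    if not isolated:
        return True                          # non-isolated pods accept everything
    # Isolated: allow only what some selecting policy's ingress rules whitelist.
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            sources = rule.get("from")
            if not sources:                  # rule with no `from` allows all peers
                return True
            for peer in sources:
                if "podSelector" in peer and selector_matches(peer["podSelector"], peer_labels):
                    return True
    return False


# --- constructed manifests (dicts in the shape of the YAML from the docs) ---
DEFAULT_DENY_V1 = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny"},
    "spec": {"podSelector": {}},             # selects every pod, no ingress rules
}
ALLOW_FRONTEND_TO_WEB = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "web-allow-frontend"},
    "spec": {"podSelector": {"matchLabels": {"app": "web"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}]},
}
NS_PLAIN = {"metadata": {"name": "default"}}
NS_LEGACY = {"metadata": {"name": "default", "annotations": {
    LEGACY_ANNOTATION: json.dumps({"ingress": {"isolation": "DefaultDeny"}})}}}


def thread_observation():
    """Same v1 default-deny policy, judged by a v1-aware and a legacy-only plug-in."""
    web, other = {"app": "web"}, {"app": "other"}
    return {
        "v1_plugin": ingress_allowed([DEFAULT_DENY_V1], NS_PLAIN, web, other, "v1"),
        "legacy_plugin": ingress_allowed([DEFAULT_DENY_V1], NS_PLAIN, web, other, "legacy"),
    }


if __name__ == "__main__":
    print(thread_observation())
```

`thread_observation()` returns `{'v1_plugin': False, 'legacy_plugin': True}`: the same manifest denies traffic under the 1.7 API but is a no-op for an enforcer that only looks at the namespace annotation. The practical check before relying on a policy is therefore the one the thread ends on: confirm the deployed plug-in version enforces v1 semantics, and test from a second pod rather than trusting that the object was accepted by the API server.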