I've been working on adding network policies to an existing application and have run into a few issues. I'm currently using the network policy capabilities within Google Kubernetes Engine.
This was my initial attempt at a network policy, intended to allow communication between the pods in the cluster but nowhere else:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default-internal
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
      - Egress
      egress:
      - to:
        - podSelector: {}
      ingress:
      - from:
        - podSelector: {}

The first issue I ran into is with liveness/readiness probes on pods. My initial policy doesn't seem to allow traffic from the kubelet, I'm guessing because it runs on the underlying host rather than as a pod. Adding an allowed CIDR range of 10.0.0.0/8 to the ingress rules fixed the issue, but is more permissive than I would like ideally. Is there a way to specifically whitelist traffic from the kubelet?

The other issue I ran into is that I wasn't able to find a way to allow traffic specifically to the Kubernetes master. This came up while trying to use kube-state-metrics with Prometheus. Is there a way to whitelist traffic specifically for the Kubernetes master? Running within GKE, whitelisting 10.0.0.0/8 didn't work since the master nodes are managed separately and are not in the local network (though that makes the following error message from kube-state-metrics a bit confusing; perhaps the kubernetes service that is just an endpoint for the master in GKE is also obeying the network policy, and that's what is failing?).

    F1206 14:46:57.274207 1 main.go:187] Failed to create client: ERROR communicating with apiserver: Get https://10.123.123.1:443/version: dial tcp 10.123.123.1:443: i/o timeout
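The two failures in the post above both come from the same rule semantics: a bare `podSelector: {}` only ever matches pods in the policy's own namespace, so the kubelet (which sends probes from the node's IP) and the API server (a non-pod endpoint, on GKE outside the node network) can only be admitted by an `ipBlock`. The model below is an added example, not code from the post or from Kubernetes: it evaluates a NetworkPolicy's ingress/egress rules against a peer address the way the spec describes (rules OR'd, ports AND peers within a rule, `ipBlock` with `except`, same-namespace `podSelector`) and contrasts the poster's policy with a tighter one. The node subnet `10.128.0.0/20`, the API-server endpoint `203.0.113.10`, the probe port `8080` and the namespace `default` are constructed placeholders; on a real cluster take the node CIDR from the node objects and the API-server addresses from `kubectl get endpoints kubernetes`. One caveat a practitioner should know: on Calico-based clusters such as GKE, egress policy is matched against the destination after the service DNAT, so an egress rule for the `kubernetes` service needs the endpoint address(es), not only the ClusterIP such as the `10.123.123.1` in the error above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed placeholders for this example (not from the post).
NODE_CIDR = "10.128.0.0/20"          # subnet kubelet probes originate from
APISERVER_ENDPOINT = "203.0.113.10"  # master endpoint outside 10.0.0.0/8 (GKE-style)
PROBE_PORT = 8080

# The poster's policy: selected pods may talk only to pods in the same namespace.
ORIGINAL_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-internal", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
             "ingress": [{"from": [{"podSelector": {}}]}],
             "egress": [{"to": [{"podSelector": {}}]}]},
}

# Tighter than opening 10.0.0.0/8: probes only from the node subnet on the probe
# port, API-server traffic only to its endpoint address on 443.
TIGHTER_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-internal", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
             "ingress": [
                 {"from": [{"podSelector": {}}]},
                 {"from": [{"ipBlock": {"cidr": NODE_CIDR}}],
                  "ports": [{"protocol": "TCP", "port": PROBE_PORT}]}],
             "egress": [
                 {"to": [{"podSelector": {}}]},
                 {"to": [{"ipBlock": {"cidr": APISERVER_ENDPOINT + "/32"}}],
                  "ports": [{"protocol": "TCP", "port": 443}]}]},
}


@dataclass
class Peer:
    """Other end of a connection. namespace=None means 'not a pod' (kubelet on
    the node, the API server), which no podSelector can ever match."""
    ip: str
    namespace: Optional[str] = None
    labels: Dict[str, str] = field(default_factory=dict)


def _peer_matches(rule_peer: dict, peer: Peer, policy_ns: str) -> bool:
    if "ipBlock" in rule_peer:
        block = rule_peer["ipBlock"]
        addr = ipaddress.ip_address(peer.ip)
        if addr not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))
    if "podSelector" in rule_peer:
        # A podSelector without a namespaceSelector selects only the policy's namespace.
        if peer.namespace != policy_ns:
            return False
        wanted = rule_peer["podSelector"].get("matchLabels", {})
        return all(peer.labels.get(k) == v for k, v in wanted.items())
    return False


def _port_matches(rule: dict, port: int, proto: str) -> bool:
    ports = rule.get("ports")
    if not ports:                      # no ports listed: any port/protocol
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)


def allowed(policy: dict, direction: str, peer: Peer, port: int, proto: str = "TCP") -> bool:
    """Does `policy` permit traffic in `direction` ('ingress' or 'egress') between a
    selected pod and `peer` on port/proto? Rules are OR'd; within a rule the port
    list and the peer list must both match; an empty peer list matches everything."""
    spec = policy["spec"]
    ns = policy["metadata"].get("namespace", "default")
    if direction.capitalize() not in spec.get("policyTypes", ["Ingress"]):
        return True                    # this direction is not restricted at all
    peer_key = "from" if direction == "ingress" else "to"
    for rule in spec.get(direction, []):
        if not _port_matches(rule, port, proto):
            continue
        peers = rule.get(peer_key)
        if not peers or any(_peer_matches(rp, peer, ns) for rp in peers):
            return True
    return False


if __name__ == "__main__":
    kubelet, apiserver = Peer("10.128.0.5"), Peer(APISERVER_ENDPOINT)
    for name, pol in (("original", ORIGINAL_POLICY), ("tighter", TIGHTER_POLICY)):
        print(name, "probe ok:", allowed(pol, "ingress", kubelet, PROBE_PORT),
              "apiserver ok:", allowed(pol, "egress", apiserver, 443))
```

The dict form is deliberate: `json.dumps(TIGHTER_POLICY)` is valid input for `kubectl apply -f`, so the same object that the evaluator checks can be applied to the cluster. The check is a model of the documented rule semantics only; the actual enforcement point (and whether it sees pre- or post-NAT addresses) belongs to the CNI plugin, which is why the API-server rule should list the real endpoint addresses.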