I've been working on adding network policies to an existing application and 
have run into a few issues. I'm currently using the network policy 
capabilities within Google Kubernetes Engine.

My initial attempt was the following network policy, intended to 
allow communication between the pods in the cluster but nowhere else.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-internal
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - podSelector: {}
  ingress:
  - from:
    - podSelector: {}

The first issue I ran into is with liveness/readiness probes on pods. My 
initial policy doesn't seem to allow traffic from the kubelet; I'm guessing 
that's because it runs on the underlying host rather than as a pod. Adding an 
allowed CIDR range of 10.0.0.0/8 to the ingress rules fixed the issue, but 
that is more permissive than I would ideally like. Is there a way to 
specifically whitelist traffic from the kubelet?

The other issue I ran into is that I wasn't able to find a way to allow 
traffic specifically to the Kubernetes master. This came up while trying to 
use kube-state-metrics with Prometheus. Is there a way to whitelist traffic 
specifically for the Kubernetes master? Running within GKE, whitelisting 
10.0.0.0/8 didn't work since the master nodes are managed separately and 
are not in the local network (though that makes the following error message 
from kube-state-metrics a bit confusing, perhaps the kubernetes service 
that is just an endpoint for the master in GKE is also obeying the network 
policy, and that's what is failing?).

F1206 14:46:57.274207       1 main.go:187] Failed to create client: ERROR 
communicating with apiserver: Get https://10.123.123.1:443/version: dial 
tcp 10.123.123.1:443: i/o timeout

-- 
You received this message because you are subscribed to the Google Groups 
"Kubernetes user discussion and Q&A" group.
  • [kubernetes-user... Aaron Taylor
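Added example (not part of the post above, and not official GKE or Kubernetes configuration): the same default-internal policy extended with the two allowances the post asks about. NetworkPolicy has no selector for nodes, so the kubelet (which probes from the node's IP, not a pod IP) can only be matched by an ipBlock covering the node subnet; the subnet 10.128.0.0/20 below is an assumed value, read yours from `kubectl get nodes -o wide`. For the master, the policy must allow the apiserver's real endpoint address rather than the `kubernetes` ClusterIP (10.123.123.1 in the post), because Calico, which backs GKE network policy, evaluates egress after kube-proxy's DNAT; 203.0.113.10 is a placeholder, read the real one from `kubectl get endpoints kubernetes`. The DNS rule is included because a bare `podSelector: {}` only matches pods in the policy's own namespace, so the original policy also cuts pods off from kube-dns in kube-system; it assumes you have labelled that namespace with `name=kube-system`.

```yaml
# Added example; assumed values are marked and must be replaced:
#   node subnet (kubelet source IPs): 10.128.0.0/20   -> kubectl get nodes -o wide
#   apiserver endpoint (post-DNAT):   203.0.113.10    -> kubectl get endpoints kubernetes
#   kube-system label:                name=kube-system -> kubectl label ns kube-system name=kube-system
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-internal
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # pods in this namespace
  - from:
    - podSelector: {}
  # kubelet liveness/readiness probes originate from the node IP, which no
  # podSelector can match; the node subnet is the narrowest available match
  - from:
    - ipBlock:
        cidr: 10.128.0.0/20   # ASSUMED node subnet
  egress:
  # pods in this namespace
  - to:
    - podSelector: {}
  # traffic to the kubernetes ClusterIP is DNAT'ed to the master before the
  # policy is enforced, so the master's actual endpoint IP is what must be allowed
  - to:
    - ipBlock:
        cidr: 203.0.113.10/32  # PLACEHOLDER apiserver endpoint
    ports:
    - protocol: TCP
      port: 443
  # cluster DNS lives in kube-system, which a bare podSelector never reaches
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system    # ASSUMED namespace label
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Two caveats a reviewer would raise: the node-subnet ipBlock admits every node and every hostNetwork pod, not only the kubelet, so it is still broader than "just the kubelet" (there is no tighter match in the NetworkPolicy API); and the master endpoint IP can change on GKE master upgrades or resizes, so re-check `kubectl get endpoints kubernetes` after such events and confirm with `kubectl exec <pod> -- wget -qO- --timeout=3 https://10.123.123.1/version --no-check-certificate` that the ClusterIP is reachable again from a restricted pod.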