Gah, I could kick myself! I was expecting that

- from:
  - namespaceSelector:
      matchLabels:
        name: kube-system

would match

kind: Namespace
metadata:
  name: kube-system

Which of course it won't... only when the label name: kube-system is applied:

kind: Namespace
metadata:
  name: kube-system
  labels:
    name: kube-system

Apologies for hijacking the thread, now to go and see if I can get this working with the istio-ingress after all!

On Sunday, 29 April 2018 20:25:04 UTC+2, Mark NS wrote:
>
> Hi,
> I also seem to be unable to configure a network policy to allow pod
> ingress only from an nginx ingress-controller
>
> Here is what I did (GKE 1.8.8-gke.0):
> $ kubectl run web --image=gcr.io/google-samples/hello-app:1.0 --port=8080
> $ kubectl expose deployment web --target-port=8080 --type=NodePort
> $ helm install stable/nginx-ingress --name nginx-ingress --namespace kube-system --set rbac.create=true
>
> $ cat <<'EOF' | kubectl create -f -
> apiVersion: extensions/v1beta1
> kind: Ingress
> metadata:
>   annotations:
>     kubernetes.io/ingress.class: nginx
>   name: basic-ingress
>   namespace: default
> spec:
>   backend:
>     serviceName: web
>     servicePort: 8080
> EOF
>
> $ cat <<'EOF' | kubectl create -f -
> apiVersion: extensions/v1beta1
> kind: NetworkPolicy
> metadata:
>   name: web-np
>   namespace: default
> spec:
>   policyTypes:
>   - Ingress
>   podSelector: {}
>   ingress:
>   - from:
>     - namespaceSelector:
>         matchLabels:
>           name: kube-system
>     ports:
>     - protocol: TCP
>       port: 8080
> EOF
>
> I think this should allow a connection from the nginx-controller running
> in kube-system namespace to the "web" pod running in default. However
> that's not successful:
> $ curl x.y.z:80
> <html>
> <head><title>504 Gateway Time-out</title></head>
> <body bgcolor="white">
> <center><h1>504 Gateway Time-out</h1></center>
> <hr><center>nginx/1.13.5</center>
> </body>
> </html>
>
> However, if I open the network policy to allow all traffic
>   podSelector: {}
>   ingress:
>   - {}
>
> then I can successfully connect to the pod:
> $ curl x.y.z:80
> Hello, world!
> Version: 1.0.0
> Hostname: web-6498765b79-b6866
>
> Also want to note that I've had a similar issue with the Istio ingress
> controller
> <https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/istio-users/8-7J3fAu9aU/5kBl0pAVBAAJ>:
>
> Is it possible to restrict ingress traffic to only the ingress controller?
>
> Thanks,
> Mark
>
> On Tuesday, 24 April 2018 12:38:03 UTC+2, mrpanigale wrote:
>>
>> When editing an already published network policy the namespace field is
>> automatically populated.
>>
>> On Saturday, March 10, 2018 at 1:13:24 AM UTC+1, Igor Cicimov wrote:
>>>
>>> This is missing `namespace:` in metadata
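The lesson of the thread is that a namespaceSelector matches a namespace's labels, never its name, so a policy that names kube-system in matchLabels silently blocks everything until the namespace actually carries that label. The script below is an added illustration, not code from the thread or from Kubernetes itself: it re-implements the Kubernetes LabelSelector rules (matchLabels, matchExpressions with In/NotIn/Exists/DoesNotExist, empty selector matches all) and evaluates the thread's ingress rule against two constructed Namespace objects, one with only a name and one after `kubectl label namespace kube-system name=kube-system`. Pod-label matching and ipBlock peers are deliberately not modelled.

```python
"""Check which ingress `from` peers of a NetworkPolicy admit a given Namespace.

Added example for the thread above (not Kubernetes code). Label-selector
semantics follow the Kubernetes LabelSelector rules: matchLabels is an AND
of exact matches, matchExpressions supports In, NotIn, Exists and
DoesNotExist, and an empty selector ({}) matches every namespace.
Pod-label matching and ipBlock peers are not modelled.
"""

# Constructed sample: the namespace as it exists when only its name is set.
NAMESPACE_UNLABELLED = {
    "kind": "Namespace",
    "metadata": {"name": "kube-system"},
}

# Constructed sample: the same namespace after labelling it name=kube-system.
NAMESPACE_LABELLED = {
    "kind": "Namespace",
    "metadata": {"name": "kube-system", "labels": {"name": "kube-system"}},
}

# The ingress rule from the thread: select namespaces carrying name=kube-system.
RULE_FROM_KUBE_SYSTEM = {
    "from": [{"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}],
    "ports": [{"protocol": "TCP", "port": 8080}],
}

# The thread's "open it up" variant: `ingress: - {}` has no `from` at all.
RULE_ALLOW_ALL = {}


def selector_matches(selector, labels):
    """Return True if LabelSelector `selector` matches the label dict `labels`."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        present = key in labels
        if op == "In":
            if not present or labels[key] not in values:
                return False
        elif op == "NotIn":
            if present and labels[key] in values:
                return False
        elif op == "Exists":
            if not present:
                return False
        elif op == "DoesNotExist":
            if present:
                return False
        else:
            raise ValueError("unknown selector operator: %r" % op)
    return True


def peer_admits_namespace(peer, namespace, policy_namespace):
    """Return True if one `from` peer admits pods in `namespace`.

    A peer without a namespaceSelector (podSelector only) is scoped to the
    policy's own namespace; with one, the namespace's labels decide.
    The namespace *name* never takes part in the decision.
    """
    ns_name = namespace["metadata"]["name"]
    ns_labels = namespace["metadata"].get("labels", {})
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        return ns_name == policy_namespace
    return selector_matches(ns_sel, ns_labels)


def rule_admits_namespace(rule, namespace, policy_namespace):
    """Return True if an ingress rule admits traffic from pods in `namespace`.

    A rule with no `from` entries (the `- {}` form) admits every source.
    """
    peers = rule.get("from") or []
    if not peers:
        return True
    return any(peer_admits_namespace(p, namespace, policy_namespace) for p in peers)


def explain(rule, namespace, policy_namespace):
    """Human-readable verdict, handy when debugging a policy like the thread's."""
    meta = namespace["metadata"]
    verdict = rule_admits_namespace(rule, namespace, policy_namespace)
    return "namespace %r labels=%r: %s" % (
        meta["name"], meta.get("labels", {}), "ADMITTED" if verdict else "BLOCKED")


if __name__ == "__main__":
    # Policy lives in "default", as in the thread; the peer is kube-system.
    for ns in (NAMESPACE_UNLABELLED, NAMESPACE_LABELLED):
        print(explain(RULE_FROM_KUBE_SYSTEM, ns, "default"))
```

Running it prints BLOCKED for the unlabelled namespace and ADMITTED once the `name=kube-system` label is present, which is exactly the behaviour the thread observed. One practical note: Kubernetes clusters from 1.21 onwards automatically set the label `kubernetes.io/metadata.name` on every namespace, so on a current cluster a selector on that key works without labelling namespaces by hand; on the GKE 1.8 cluster in the thread the label had to be applied explicitly.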