I also made the same incorrect assumptions. Thanks for identifying it, I
will also give it a try.
many kind regards,
Andrew
On Monday, April 30, 2018 at 8:34:13 AM UTC+2, Mark NS wrote:
>
> Gah, I could kick myself!
>
> I was expecting that
>
> - from:
> - namespaceSelector:
> matchLabels:
> name: kube-system
>
> would match
>
> kind: Namespace
> metadata:
> name: kube-system
>
> Which of course it won't... only when the label name: kube-system is
> applied
>
> kind: Namespace
> metadata:
> name: kube-system
> labels:
> name: kube-system
>
> Apologies for hijacking the thread, now to go and see if I can get this
> working with the istio-ingress after all!
>
>
> On Sunday, 29 April 2018 20:25:04 UTC+2, Mark NS wrote:
>>
>> Hi,
>> I also seem to be unable to configure a network policy to allow pod
>> ingress only from an nginx ingress-controller
>>
>> Here is what I did (GKE 1.8.8-gke.0):
>> $ kubectl run web --image=gcr.io/google-samples/hello-app:1.0 --port=8080
>> $ kubectl expose deployment web --target-port=8080 --type=NodePort
>> $ helm install stable/nginx-ingress --name nginx-ingress --namespace kube
>> -system --set rbac.create=true
>>
>> $ cat <<'EOF' | kubectl create -f -
>> apiVersion: extensions/v1beta1
>> kind: Ingress
>> metadata:
>> annotations:
>> kubernetes.io/ingress.class: nginx
>> name: basic-ingress
>> namespace: default
>> spec:
>> backend:
>> serviceName: web
>> servicePort: 8080
>> EOF
>>
>> $ cat <<'EOF' | kubectl create -f -
>> apiVersion: extensions/v1beta1
>> kind: NetworkPolicy
>> metadata:
>> name: web-np
>> namespace: default
>> spec:
>> policyTypes:
>> - Ingress
>> podSelector: {}
>> ingress:
>> - from:
>> - namespaceSelector:
>> matchLabels:
>> name: kube-system
>> ports:
>> - protocol: TCP
>> port: 8080
>> EOF
>>
>> I think this should allow a connection from the nginx-controller running
>> in kube-system namespace to the "web" pod running in default. However
>> that's not successful:
>> $ curl x.y.z:80
>> <html>
>> <head><title>504 Gateway Time-out</title></head>
>> <body bgcolor="white">
>> <center><h1>504 Gateway Time-out</h1></center>
>> <hr><center>nginx/1.13.5</center>
>> </body>
>> </html>
>>
>> However, if I open the network policy to allow all traffic
>> podSelector: {}
>> ingress:
>> - {}
>>
>> then I can successfully connect to the pod:
>> $ curl x.y.z:80
>> Hello, world!
>> Version: 1.0.0
>> Hostname: web-6498765b79-b6866
>>
>> Also want to note that I've had a similar issue with the Istio ingress
>> controller
>> <https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/istio-users/8-7J3fAu9aU/5kBl0pAVBAAJ>
>> :
>>
>> Is it possible to restrict ingress traffic to only the ingress
>> controller?
>>
>> Thanks,
>> Mark
>>
>>
>>
>> On Tuesday, 24 April 2018 12:38:03 UTC+2, mrpanigale wrote:
>>>
>>> When editing an already published network policy the namespace field is
>>> automatically populated.
>>>
>>> On Saturday, March 10, 2018 at 1:13:24 AM UTC+1, Igor Cicimov wrote:
>>>>
>>>> This is missing `namespace:` in metadata
>>>
>>>
--
You received this message because you are subscribed to the Google Groups
"Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to kubernetes-users+unsubscr...@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.
