AKS Network Policy - cannot deny traffic to namespace



  • I am trying to implement Network Policies in my test Azure Kubernetes cluster, but I cannot get them to work. I have two namespaces - default and nginx (and others as well, but they shouldn't be affecting the NP).

    I have an nginx deployment in each ns that displays a webpage with some text on '/'. (I have modified the pages slightly so I can recognize which one I'm hitting). I also have a ClusterIP service for each deployment. I deployed a Deny All Network Policy in the nginx namespace that targets all pods inside. However, when I open a shell inside the nginx pod in the default namespace and I do a curl http://servicename.namespace.svc:serviceport (which resolves to the service inside the nginx namespace) I can access the pod despite the Network Policy rule.

    Here are my manifests:

    • nginx in the nginx namespace:
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: svet-nginx-deployment
          namespace: nginx
        spec:
          selector:
            matchLabels:
              app: nginx
          replicas: 1
          template:
            metadata:
              labels:
                app: nginx
            spec:
              containers:
              - name: nginx
                image: /samples/nginx
                ports:
                - containerPort: 80
                volumeMounts:
                - name: config-volume
                  mountPath: /usr/share/nginx/html
              volumes:
              - name: config-volume
                configMap:
                  name: svet-config
    
    • ClusterIP service in the nginx namespace:
    apiVersion: v1
    kind: Service
    metadata:
      name: ingress2
      namespace: nginx
    spec:
      selector:
        app: nginx
      ports:
        - protocol: TCP
          port: 80
          targetPort: 80
    
    • Network Policy in the nginx namespace

    I got this one from github, but I also tested with Default deny all ingress traffic from the official kubernetes https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default-deny-ingress
      namespace: nginx
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
      ingress: []
    
    • nginx in the default namespace:
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: svet-nginx-deployment
      namespace: default
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 1
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: .azurecr.io/samples/nginx
            ports:
            - containerPort: 80
            volumeMounts:
            - name: config-volume
              mountPath: /usr/share/nginx/html
          volumes:
          - name: config-volume
            configMap:
              name: svet-config
    

    • ClusterIP service in the default namespace:
    apiVersion: v1
    kind: Service
    metadata:
      name: ingress1
      namespace: default
    spec:
      selector:
        app: nginx
      ports:
        - protocol: TCP
          port: 80
          targetPort: 80
    

    Please ignore the bad naming - this is only a training environment

    I have tried many different iterations of the Network Policy starting with more complex and moving to the simplest denyall policy that I have pasted, but nothing seems to be working. I have enabled Azure CNI as required.

    Am I missing something?



  • If anyone else has the same issue, please double-check your AKS configuration in Azure and make sure that the Network policy filed in the Networking settings does NOT display None. It should say either Azure or Calico.

    My cluster was created with terraform and even though I had added network_plugin = "azure", I had missed the network_policy = "azure" field which meant that Network Policies would not be applied.

    Also, this setting can only be enabled when creating a new cluster. You cannot enabled it on an existing one.




Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2