AKS Network Policy - cannot deny traffic to namespace

Mystic

I am trying to implement Network Policies in my test Azure Kubernetes cluster, but I cannot get them to work. I have two namespaces - default and nginx (and others as well, but they shouldn't be affecting the NP).

I have an nginx deployment in each ns that displays a webpage with some text on '/'. (I have modified the pages slightly so I can recognize which one I'm hitting). I also have a ClusterIP service for each deployment. I deployed a Deny All Network Policy in the nginx namespace that targets all pods inside. However, when I open a shell inside the nginx pod in the default namespace and I do a curl http://servicename.namespace.svc:serviceport (which resolves to the service inside the nginx namespace) I can access the pod despite the Network Policy rule.

Here are my manifests:

• nginx in the nginx namespace:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: svet-nginx-deployment
      namespace: nginx
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 1
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: /samples/nginx
            ports:
            - containerPort: 80
            volumeMounts:
            - name: config-volume
              mountPath: /usr/share/nginx/html
          volumes:
          - name: config-volume
            configMap:
              name: svet-config

• ClusterIP service in the nginx namespace:

apiVersion: v1
kind: Service
metadata:
  name: ingress2
  namespace: nginx
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80

• Network Policy in the nginx namespace

I got this one from github, but I also tested with Default deny all ingress traffic from the official kubernetes https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: nginx
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress: []

• nginx in the default namespace:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: svet-nginx-deployment
  namespace: default
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: .azurecr.io/samples/nginx
        ports:
        - containerPort: 80
        volumeMounts:
        - name: config-volume
          mountPath: /usr/share/nginx/html
      volumes:
      - name: config-volume
        configMap:
          name: svet-config

• ClusterIP service in the default namespace:

apiVersion: v1
kind: Service
metadata:
  name: ingress1
  namespace: default
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80

Please ignore the bad naming - this is only a training environment

I have tried many different iterations of the Network Policy starting with more complex and moving to the simplest denyall policy that I have pasted, but nothing seems to be working. I have enabled Azure CNI as required.

Am I missing something?

Trenton

If anyone else has the same issue, please double-check your AKS configuration in Azure and make sure that the Network policy filed in the Networking settings does NOT display None. It should say either Azure or Calico.

My cluster was created with terraform and even though I had added network_plugin = "azure", I had missed the network_policy = "azure" field which meant that Network Policies would not be applied.

Also, this setting can only be enabled when creating a new cluster. You cannot enabled it on an existing one.