NetworkPolicy azure won't use kubernetes network policies

[BrendanThompson]

Is this a request for help?:

---

Type: ISSUE

---

What version of acs-engine?: v0.20.0

---

Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm) Kubernetes, v1.11.1

What happened:

ACS-Engine was declared with networkPolicy: "azure" and now when applying Kubernetes Network Policies, whether they be using podSelectors or namespaces the policies have no effect.

What you expected to happen: The kubernetes network policies to be enforced.

How to reproduce it (as minimally and precisely as possible):

1. Create cluster using v0.20.0 acs-engine
2. Create a kubernetes deployment, and ensure that there is a networkPolicy that restricts access to the pod from another deployment ( or namespace )
3. Attempt to connect to the pod in the other deployment / namespace

Anything else we need to know: This ACS-Engine deployment is using a Customer VNET, as such the Pods exist within an addressable subnet.

[coreywagehoft]

Has anyone else been to confirm this issue?

[BrendanThompson]

@coreywagehoft – I resolved this issue by rebuilding the cluster using networkPlugin: azure and networkPolicy: calico.

[coreywagehoft]

@BrendanThompson Are you deploying a Linux only cluster or a hybrid windows/linux cluster?

[BrendanThompson]

hahah Brendan Burns 🌮 . My cluster is Linux only, fortunately don't have any experience with a Windows or hybrid cluster.

[coreywagehoft]

Thanks @BrendanThompson we are working with a hybrid deployment. I guess I will have to try things out and see what happens with NetworkPolicy with Windows.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contribution. Note that acs-engine is deprecated--see https://github.com/Azure/aks-engine instead.