cloudfoundry-incubator / kubo-deployment

Contains manifests used to deploy Cloud Foundry Container Runtime
https://www.cloudfoundry.org/container-runtime/
Apache License 2.0

Network policy not working #378

Closed rauizab closed 5 years ago

rauizab commented 5 years ago

What happened: Trying to apply network policies in kubo-deployment v0.27.0 and v0.28.0. I followed these examples https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/

What you expected to happen: Pods do not have connectivity to other pods

How to reproduce it (as minimally and precisely as possible): Deploy kubo v0.28.0 in OpenStack. Follow the https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/ example. With the policy created, the pod is still able to access the target pod.

Anything else we need to know?: I am using bosh-dns as an addon. Otherwise I have connectivity problems and the deployment fails without it. Ops files used:

bosh int manifests/cfcr.yml \
  -o manifests/ops-files/misc/single-master.yml \
  -o manifests/ops-files/add-hostname-to-master-certificate.yml \
  -o manifests/ops-files/allow-privileged-containers.yml \
  -o manifests/ops-files/rename.yml \
  -o manifests/ops-files/misc/local-config-server.yml \
  -o manifests/ops-files/vm-types.yml \
  -o manifests/ops-files/worker_count.yml \

Environment:

tvs commented 5 years ago

Hi @rauizab,

CFCR ships with Flannel as the network provider, which doesn't support network policies. As mentioned in the docs, you'd need to configure Kubernetes to use something like Calico, but that would have to happen through your own effort for now. We've had a few discussions about figuring out how we can make the network providers more pluggable, but nothing that has really taken hold so far.
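As an added illustration (not code from the kubo-deployment project or from anyone in this thread), the following Python stand-in computes what an enforcing CNI should do with the tutorial's access-nginx policy, so the observed behaviour on a Flannel cluster can be compared against the intended one. It assumes only podSelector/matchLabels ingress rules and uses inline dicts shaped like the YAML; namespaceSelector, ipBlock, ports and egress are not modelled.

```python
# Added example: minimal model of Kubernetes NetworkPolicy ingress semantics
# for podSelector/matchLabels rules only (an assumption, not the full spec).

def selector_matches(selector, labels):
    """True if every matchLabels entry is present on the pod's labels.
    An empty selector ({}) selects every pod, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, src_pod, dst_pod):
    """Decide whether src_pod may open a connection to dst_pod.

    A pod selected by no policy is non-isolated and accepts everything; once
    any policy selects it, only traffic matching at least one 'from' entry of
    at least one selecting policy is allowed (policies are additive).
    """
    selecting = [p for p in policies
                 if selector_matches(p["spec"]["podSelector"], dst_pod["labels"])]
    if not selecting:
        return True  # non-isolated pod: no policy applies
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            if not rule.get("from"):
                return True  # a rule with no 'from' entries allows all sources
            for peer in rule["from"]:
                if "podSelector" in peer and selector_matches(peer["podSelector"], src_pod["labels"]):
                    return True
    return False

# Constructed from the tutorial: only pods labelled access=true may reach app=nginx.
ACCESS_NGINX = {
    "metadata": {"name": "access-nginx"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}],
    },
}

# Constructed sample pods, mirroring the tutorial's nginx and busybox pods.
NGINX = {"name": "nginx", "labels": {"app": "nginx"}}
BUSYBOX = {"name": "busybox", "labels": {"run": "busybox"}}
BUSYBOX_OK = {"name": "busybox", "labels": {"run": "busybox", "access": "true"}}

def expected_results():
    """Intended outcome. A cluster whose CNI does not enforce NetworkPolicy
    (Flannel, as shipped with CFCR) lets the first connection through too."""
    return {
        "busybox->nginx": ingress_allowed([ACCESS_NGINX], BUSYBOX, NGINX),
        "busybox(access=true)->nginx": ingress_allowed([ACCESS_NGINX], BUSYBOX_OK, NGINX),
        "nginx->busybox": ingress_allowed([ACCESS_NGINX], NGINX, BUSYBOX),
    }

if __name__ == "__main__":
    for path, ok in expected_results().items():
        print(f"{path}: {'allowed' if ok else 'denied'}")
```

If the unlabelled busybox pod still reaches nginx after the policy is applied, the CNI is not enforcing policy, which is exactly the Flannel situation described in the reply above.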