I have a namespace named myns with a MultiNetworkPolicy that allows pods inside that namespace (and only those) to communicate with one another (both as an ingress & egress policy) using the mynet network attachment definition. The policy looks like this:
I then create a first pod (podA) in that namespace. I see rules are created allowing traffic in/out using podA's IP address. So far, so good.
However, when I add another pod (podB) to the namespace, I see rules are created for podB, allowing traffic from/to podA & podB (also good), but the rules for podA are never updated, meaning that traffic going from podA to podB is dropped (due to the lack of a corresponding egress rule in podA) and traffic from podB to podA is also dropped (due to the lack of a corresponding ingress rule for podA).
The iptables rules apply to IP sets (e.g. -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChPgUaGF_$}G;WdH~~TK)o src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j WEAVE-NPC-EGRESS-ACCEPT). The content of such a set is similar to the following extract from ipset list:
Name: weave-s_+ChPgUaGF_$}G;WdH~~TK)o
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 1238
References: 1
Number of entries: 6
Members:
10.11.12.20 comment "namespace: default, pod: prometheus-kube-state-metrics-6723ds345-63435d"
Pods are added/removed to/from the matching IP sets when they are created/updated/deleted.
Is there a similar mechanism in multi-networkpolicy-iptables / is there a way to update the rules for existing pods when new pods are added to a namespace?
Best regards, François
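Added illustration of the reconciliation gap described in this issue, not code from multi-networkpolicy-iptables or Weave Net: it models per-pod rules that go stale when a peer joins unless every pod's chains are re-rendered, against an ipset-backed rule where only the set membership changes. Pod names, IPs, chain names and the "myns-pods" set name are constructed.

```python
# Constructed model, not the project's code: rules are plain strings so the
# difference between "render only the new pod" and "reconcile the namespace"
# can be seen directly.
from itertools import permutations

def per_pod_rules(pods):
    """Full rule set an intra-namespace allow policy needs when every pod gets
    its own ingress/egress chains keyed on peer IPs (pods: name -> IP)."""
    rules = set()
    for (src, src_ip), (dst, dst_ip) in permutations(sorted(pods.items()), 2):
        rules.add(f"-A {src}-EGRESS -d {dst_ip} -j ACCEPT")
        rules.add(f"-A {dst}-INGRESS -s {src_ip} -j ACCEPT")
    return rules

def render_only_new_pod(installed, pods, name, ip):
    """Behaviour reported above: on pod creation only the new pod's chains are
    rendered; chains of pods that already exist are left as they were."""
    pods = {**pods, name: ip}
    fresh = {r for r in per_pod_rules(pods) if r.startswith(f"-A {name}-")}
    return installed | fresh, pods

def reconcile(installed, pods):
    """What a controller has to do instead: re-render the whole namespace and
    report the rules that are required but not installed (stale peers)."""
    return per_pod_rules(pods) - installed

def ipset_rules(ns):
    """ipset variant: two fixed rules referencing a set; adding or removing a
    pod changes the set's members, never the iptables rules themselves."""
    return {f"-A {ns}-EGRESS -m set --match-set {ns}-pods dst -j ACCEPT",
            f"-A {ns}-INGRESS -m set --match-set {ns}-pods src -j ACCEPT"}

def ipset_add_pod(members, ip):
    """Model of `ipset add <set> <ip>`: returns the new membership."""
    return members | {ip}

if __name__ == "__main__":
    installed, pods = render_only_new_pod(set(), {}, "podA", "10.1.1.10")
    installed, pods = render_only_new_pod(installed, pods, "podB", "10.1.1.11")
    for rule in sorted(reconcile(installed, pods)):
        print("missing:", rule)        # podA's chains never learned about podB
    members = ipset_add_pod(ipset_add_pod(set(), "10.1.1.10"), "10.1.1.11")
    print(sorted(ipset_rules("MYNS")), sorted(members))  # same rules, larger set
```

Running it lists exactly the two podA rules (egress to podB, ingress from podB) that the issue describes as missing, while the ipset variant keeps its two rules unchanged as members are added.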