Doesn't NetworkPolicy work?

[aii-nozomu-oki]

What happened:

I installed Calico and Liqo in K3s with the below documents. https://docs.liqo.io/en/v0.8.1/installation/install.html#liqo-and-calico https://docs.tigera.io/calico/latest/getting-started/kubernetes/k3s/quickstart NetworkPolicy works in the local cluster but doesn't work in the remote cluster (Pods in the remote cluster are still accessible despite setting NetworkPolicy). calico-node is OffloadingBackOff status towards the remote cluster, so it is an expected behavior, I think.

The Liqo documentation suggests that Calico works, so if NetworkPolicy doesn't work, we should state so.

And, is the implementation of NetworkPolicy or a NetworkPolicy-like function possible in Liqo?

Environment:

• Liqo version: v0.8.1
• Kubernetes version (use kubectl version): v1.26.4+k3s1
• Cloud provider or hardware configuration: Google Compute Engine
• Network plugin and version: Calico v3.25.1
• Install tools: liqoctl
• Others:

[aii-nozomu-oki]

If I install Calico on the remote cluster and apply the same NetworkPolicy applied to the local cluster, the NetworkPolicy seems to work on the remote cluster as well. So, implementation of NetworkPolicy reflection may solve this problem.

On the other hand, when Calico is installed, communication via service between remote clusters doesn't seem to be possible. I think this is an another issue, but I'm continuing to investigate.

[aleoli]

Hi @aii-nozomu-oki, I think that if you apply a NetworkPolicy to the remote cluster, this will not enforce traffic between offloaded and not offloaded pods. And if you deny traffic from the liqo namespace, it will drop all the inter-cluster traffic. That is not a simple problem; if you have the entire application in a single cluster (local or remote), the netpol reflection will solve your problem, otherwise not.

We are working on a solution to isolate the traffic with a per-cluster granularity, so at the moment, we don't achieve the same granularity of the k8s NetwrkPolicies