loft-sh / vcluster

vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
https://www.vcluster.com
Apache License 2.0
6.26k stars 398 forks

Network Policies don't work #155

Closed fritterhoff closed 2 years ago

fritterhoff commented 2 years ago

I'm playing around with the vcluster and recognized that network policies don't work. Is this a known bug/not working feature?

I created (only) a simple deployment and a super stupid policy. Executing an apt update inside the pod is still working. Where is my error?

```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  labels:
    app: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - name: container
          image: ubuntu:20.10
          args:
            - sleep
            - "infinity"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demo-deny
spec:
  podSelector:
    matchLabels:
      app: demo
  policyTypes:
    - Ingress
    - Egress
```

LukasGentele commented 2 years ago

We're currently working on supporting network policies but for now, they are ignored inside the vcluster. I assume we will have a new release that will add support for them in about a month from now.
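
How to tell an ignored policy from an enforced one, as an added example that is not part of the thread or of vcluster's code: it evaluates the issue's `demo-deny` policy against the pod's labels and compares the expected isolation with an observed connectivity probe. The function names and the `probe_succeeded` flag are assumptions, and the policies and the pod are assumed to share one namespace.

```python
# Added example (not vcluster code). Sample manifests are constructed from the issue.

def selects(selector, labels):
    """True if a podSelector (matchLabels and matchExpressions) matches the labels."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def isolates(policy, direction):
    """True if the policy applies to `direction` ("Ingress" or "Egress")."""
    spec = policy["spec"]
    # Kubernetes default: Ingress always, Egress only when egress rules exist.
    default = ["Ingress"] + (["Egress"] if spec.get("egress") else [])
    return direction in (spec.get("policyTypes") or default)

def expected_blocked(policies, labels, direction="Egress"):
    """Policies are additive: all traffic is blocked only when at least one policy
    isolates the pod and none of the isolating policies carries an allow rule."""
    hits = [p for p in policies
            if selects(p["spec"].get("podSelector", {}), labels) and isolates(p, direction)]
    return bool(hits) and not any(p["spec"].get(direction.lower()) for p in hits)

def audit(policies, labels, probe_succeeded, direction="Egress"):
    """Compare what the policies demand with what a connectivity probe observed."""
    if not expected_blocked(policies, labels, direction):
        return "not-applicable"
    return "NOT ENFORCED" if probe_succeeded else "enforced"

# Constructed from the manifests in the issue above.
DEMO_POLICY = {"metadata": {"name": "demo-deny"},
               "spec": {"podSelector": {"matchLabels": {"app": "demo"}},
                        "policyTypes": ["Ingress", "Egress"]}}
DEMO_POD_LABELS = {"app": "demo"}

if __name__ == "__main__":
    # The reporter's `apt update` still worked, so the egress probe succeeded.
    print(audit([DEMO_POLICY], DEMO_POD_LABELS, probe_succeeded=True))
```
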

fritterhoff commented 2 years ago

@LukasGentele thanks for the quick reply! Are there any (further) resources that get ignored at the moment or is there some sort of overview which resources are (not) supported/ignored right now?

FabianKramm commented 2 years ago

@fritterhoff you can take a look at https://github.com/loft-sh/vcluster/tree/main/pkg/controllers/resources to see which resources are synced to the host cluster. Since vcluster is a certified Kubernetes distribution, all core functionality resources are supported. However, network policies and pod disruption budgets are currently the 2 resources that are not supported by vcluster. Creating new nodes within the vcluster is also not supported.

fritterhoff commented 2 years ago

> @fritterhoff you can take a look at https://github.com/loft-sh/vcluster/tree/main/pkg/controllers/resources to see which resources are synced to the host cluster. Since vcluster is a certified Kubernetes distribution, all core functionality resources are supported. However, network policies and pod disruption budgets are currently the 2 resources that are not supported by vcluster. Creating new nodes within the vcluster is also not supported.

Great thanks! That helps a lot!

fritterhoff commented 2 years ago

Hello again, @LukasGentele, do you maybe have an update/information on when the new release will be published?

LukasGentele commented 2 years ago

@fritterhoff We will likely have something in place in the next 4 weeks.