projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Advanced network policy is missing a kubernetes network policy to allow traffic to the kube-system namespace #1043

Closed andrewmyhre closed 7 years ago

andrewmyhre commented 7 years ago

If you follow the advanced network policy tutorial for Kubernetes you are asked to create a default-deny policy which isolates all pods. You are then asked to create an nginx deployment and open a network policy to it, which you test with the command `wget -q --timeout nginx -O -`. The example won't work because it also needs a network policy allowing traffic to kube-system so that the DNS lookup on nginx can succeed.

Expected Behavior

After creating the access-nginx network policy, the command `nslookup nginx` should succeed from a pod launched in the advanced-policy-demo namespace.

Current Behavior

When a busybox pod is launched in the advanced-policy-demo namespace, an `nslookup nginx` command times out trying to reach the cluster DNS.

Possible Solution

User needs to add the following policy in addition to the default-deny policy to allow access to kube-system pods:

```yaml
# Allows all ingress to every pod in kube-system, so cluster DNS stays reachable
# from namespaces isolated by the default-deny policy. The empty podSelector {}
# selects every pod in the namespace; the empty ingress rule {} allows traffic
# from any source.
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-kube-system
  namespace: kube-system
spec:
  podSelector: {}
  ingress:
  - {}
```

Steps to Reproduce (for bugs)

  1. Follow the tutorial up to and including the "Define Kubernetes policy" step to create the access-nginx network policy. The `wget -q --timeout=5 nginx -O -` command will fail. The command `nslookup nginx` will also fail.
  2. Create the network policy shown above.
  3. `nslookup nginx` and `wget -q --timeout=5 nginx -O -` now succeed.

Context

This is a problem for people following the advanced network policy tutorial.

Your Environment
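As an added example (not part of this report, the tutorial, or the Calico project's own manifests), here is the narrower way to keep name resolution working under a default-deny policy. Instead of opening all ingress to every pod in kube-system as the policy above does, it isolates the demo namespace in both directions and re-opens egress only to the cluster DNS pods on port 53. It uses the networking.k8s.io/v1 NetworkPolicy API rather than the deprecated extensions/v1beta1 API. The namespace name comes from the tutorial; the `k8s-app: kube-dns` pod label and the `kubernetes.io/metadata.name` namespace label are assumptions to verify against your cluster.

```yaml
# Added example, not code from the issue or the Calico tutorial.
#
# Assumptions (verify against your cluster):
#   - the demo namespace is named advanced-policy-demo, as in the tutorial
#   - the cluster DNS pods in kube-system carry the label k8s-app: kube-dns
#   - kube-system carries the label kubernetes.io/metadata.name: kube-system
#     (set automatically on Kubernetes 1.21+; add it by hand on older clusters)
---
# 1. Isolate every pod in the demo namespace for both ingress and egress.
#    Because the policy is scoped to one namespace, it never touches the
#    kube-dns pods themselves, unlike a cluster-wide selector that matches
#    every pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: advanced-policy-demo
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. Re-open only what name resolution needs: UDP and TCP port 53, and only
#    toward the kube-dns pods in kube-system. Every other egress destination
#    stays blocked, and nothing in kube-system is exposed to ingress from
#    the demo namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: advanced-policy-demo
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply both manifests with `kubectl apply -f`, then run `nslookup nginx` from a busybox pod in advanced-policy-demo: the lookup should resolve while any other outbound connection from that pod is still refused. Note that since this default-deny also covers egress, the tutorial's `wget` test additionally needs an egress rule from the client pods to the nginx pods on TCP port 80 alongside the access-nginx ingress policy.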

tmjd commented 7 years ago

I thought when we were working through this on slack that you determined that the 2.0 selector was different and that was the problem.

Okay, the difference between the 2.0 and 2.4 tutorials is: `selector: has(calico/k8s_ns)` vs `selector: calico/k8s_ns == 'advanced-policy-demo'`. The 2.4 one works for me.

It is true that the 2.0 tutorial does not work with Calico 2.4 but we would not want to update the 2.0 tutorial for the 2.4 release. Am I misunderstanding something?

tmjd commented 7 years ago

@andrewmyhre I'm going to close this issue as I believe we resolved the issue in slack, it was due to using an old version of the tutorial with a newer version of Calico. If I am incorrect here please comment and I will reopen the issue.