projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

rockylinux k3s calico GlobalNetworkPolicy not working #9136

Open exfly opened 1 month ago

exfly commented 1 month ago

Expected Behavior

centos7.9 timeout
rockylinux 8 timeout
rockylinux 9 timeout
ubuntu 20.04 timeout

Current Behavior

nc -vz ip 30000

centos7.9 timeout
rockylinux 8 Connection to ip port 30000 [tcp/] succeeded!
rockylinux 9 Connection to ip port 30000 [tcp/] succeeded!
ubuntu 20.04 timeout

Possible Solution

None.

Steps to Reproduce (for bugs)

export DATASTORE_TYPE=kubernetes KUBECONFIG=~/.kube/config

echo "step 1. patch calico kubeconfig configuration to enable auto hostEndpoint"
kubectl patch kubecontrollersconfiguration default --patch='{"spec": {"controllers": {"node": {"hostEndpoint": {"autoCreate": "Enabled"}}}}}' --type=merge

echo "step 2. check calico hostendpoint is created"
calicoctl get heps

echo "step 3. patch felixconfiguration defaultAction to Accept"
kubectl patch felixconfiguration default --patch='{"spec": {"defaultEndpointToHostAction": "Accept"}}' --type=merge

echo "step 4. create default harden policy"
calicoctl apply -f - <<EOF
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: block-external-access-to-registry
spec:
  selector: has(kubernetes-host)
  preDNAT: true
  applyOnForward: true
  ingress:
  - action: Allow
    destination:
      nets:
      - 127.0.0.0/8
  - action: Deny
    protocol: TCP
    source:
      notSelector: "has(kubernetes-host) || all()"
    destination:
      ports:
        - 30000
        - 9100
EOF

nc -vz ip 30000

Context

Your Environment

caseydavenport commented 3 weeks ago

Could you please give a bit more explanation as to what you're trying to do?

centos7.9 timeout
rockylinux 8 Connection to ip port 30000 [tcp/] succeeded!
rockylinux 9 Connection to ip port 30000 [tcp/] succeeded!
ubuntu 20.04 timeout

What does this mean? Are you running 4 different nodes with different distros and seeing different results? Or different clusters?

caseydavenport commented 3 weeks ago

would also be good to see the actual host endpoints in question:

kubectl get hostendpoints -o yaml

exfly commented 3 weeks ago

would also be good to see the actual host endpoints in question:

kubectl get hostendpoints -o yaml
apiVersion: v1
items:
- apiVersion: crd.projectcalico.org/v1
  kind: HostEndpoint
  metadata:
    annotations:
      projectcalico.org/metadata: '{"uid":"a62b4c42-9001-41b7-b608-87b65a15f865","creationTimestamp":"2024-08-19T10:31:20Z"}'
    creationTimestamp: "2024-08-19T10:31:20Z"
    generation: 1
    labels:
      beta.kubernetes.io/arch: amd64
      beta.kubernetes.io/instance-type: k3s
      beta.kubernetes.io/os: linux
      kubernetes.io/arch: amd64
      kubernetes.io/hostname: k3s-master-1
      kubernetes.io/os: linux
      node-role.cosmos/backup: "true"
      node-role.cosmos/pg: "true"
      node-role.kubernetes.io/control-plane: "true"
      node-role.kubernetes.io/etcd: "true"
      node-role.kubernetes.io/master: "true"
      node.kubernetes.io/instance-type: k3s
      projectcalico.org/created-by: calico-kube-controllers
    name: k3s-master-1-auto-hep
    resourceVersion: "2499"
    uid: 53a8e761-b5e6-4d14-afa3-232ac075fd8b
  spec:
    expectedIPs:
    - 10.2.84.52
    - 10.42.206.0
    interfaceName: '*'
    node: k3s-master-1
    profiles:
    - projectcalico-default-allow
kind: List
metadata:
  resourceVersion: ""
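As an added example (not code from this issue or from Calico), the following Python model applies the GlobalNetworkPolicy from the reproduction steps to the labels shown in the hostendpoint output above. It parses the selector grammar used here (all(), has(key), key == 'value', key != 'value', !, &&, ||, parentheses), resolves rule selectors to sets of endpoint IPs (approximating how Felix programs selectors as IP sets), and walks the pre-DNAT ingress rules in order for a few constructed packets. Two things worth checking offline: the policy's selector has(kubernetes-host) matches none of the labels on k3s-master-1-auto-hep (the auto-created endpoint carries the node's labels plus projectcalico.org/created-by), so as written the policy selects no host endpoint in this output; and with a selector that does match, the Deny rule applies only to sources that are not Calico endpoints, because the notSelector has(kubernetes-host) || all() covers every endpoint. The endpoint inventory, the pod and client addresses and FIXED_SELECTOR are constructed assumptions; a packet matched by no pre-DNAT rule is modelled as "Pass" (it continues to later policy stages).

```python
"""Added example (not Calico code): a model of selector matching and pre-DNAT rule evaluation."""
import ipaddress
import re
from collections import namedtuple

# One selector token: all(), has(key), ||, &&, ==, !=, !, ( ), a quoted value, or a label key.
TOKEN = r"\s*(all\(\)|has\([^)]*\)|\|\||&&|==|!=|!|\(|\)|'[^']*'|\"[^\"]*\"|[A-Za-z0-9_./-]+)"

def parse(text):
    """Recursive-descent parser: || binds loosest, then &&, then ! and parentheses."""
    if not re.fullmatch(rf"(?:{TOKEN})+\s*", text):
        raise ValueError(f"bad selector {text!r}")
    toks, pos = re.findall(TOKEN, text), [0]

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def unary():
        tok = take()
        if tok == "!":
            return ("not", unary())
        if tok == "(":
            node = binary(0)
            take()  # the closing ')'
            return node
        if tok == "all()":
            return ("all",)
        if tok.startswith("has("):
            return ("has", tok[4:-1].strip())
        return (take(), tok, take().strip("'\""))  # key == 'value' or key != 'value'

    def binary(level):  # level 0 handles ||, level 1 handles &&, level 2 is a unary term
        if level == 2:
            return unary()
        op, node = ("||", "&&")[level], binary(level + 1)
        while pos[0] < len(toks) and toks[pos[0]] == op:
            take()
            node = ({"||": "or", "&&": "and"}[op], node, binary(level + 1))
        return node

    node = binary(0)
    if pos[0] != len(toks):
        raise ValueError(f"trailing tokens {toks[pos[0]:]}")
    return node

OPS = {  # evaluation of each AST node kind against an endpoint's label map
    "all": lambda n, lbl: True,
    "has": lambda n, lbl: n[1] in lbl,
    "==": lambda n, lbl: lbl.get(n[1]) == n[2],
    "!=": lambda n, lbl: lbl.get(n[1]) != n[2],  # an absent label also counts as not-equal
    "not": lambda n, lbl: not matches(n[1], lbl),
    "and": lambda n, lbl: matches(n[1], lbl) and matches(n[2], lbl),
    "or": lambda n, lbl: matches(n[1], lbl) or matches(n[2], lbl),
}

def matches(node, labels):
    return OPS[node[0]](node, labels)

Packet = namedtuple("Packet", "src_ip dst_ip dst_port protocol", defaults=["TCP"])

def selector_ips(selector, endpoints):
    # A rule selector resolves to the IPs of the endpoints it matches (the set Felix
    # programs), so an address that belongs to no known endpoint is in no set.
    node = parse(selector)
    return {ip for ips, labels in endpoints if matches(node, labels) for ip in ips}

def rule_matches(rule, pkt, endpoints):
    src, dst = rule.get("source", {}), rule.get("destination", {})
    addr = ipaddress.ip_address(pkt.dst_ip)
    return (rule.get("protocol", pkt.protocol) == pkt.protocol
            and ("selector" not in src or pkt.src_ip in selector_ips(src["selector"], endpoints))
            and ("notSelector" not in src or pkt.src_ip not in selector_ips(src["notSelector"], endpoints))
            and ("nets" not in dst or any(addr in ipaddress.ip_network(n) for n in dst["nets"]))
            and ("ports" not in dst or pkt.dst_port in dst["ports"]))

def pre_dnat_verdict(policy, pkt, hep_labels, endpoints):
    """First matching ingress rule wins; no selected endpoint or no matching rule is modelled as Pass."""
    if not matches(parse(policy["selector"]), hep_labels):
        return "Pass"
    return next((r["action"] for r in policy["ingress"] if rule_matches(r, pkt, endpoints)), "Pass")

POLICY = {  # the GlobalNetworkPolicy from this issue, as a dict
    "selector": "has(kubernetes-host)",
    "ingress": [
        {"action": "Allow", "destination": {"nets": ["127.0.0.0/8"]}},
        {"action": "Deny", "protocol": "TCP", "source": {"notSelector": "has(kubernetes-host) || all()"},
         "destination": {"ports": [30000, 9100]}},
    ],
}
AUTO_HEP_LABELS = {  # subset of the labels shown on k3s-master-1-auto-hep above
    "kubernetes.io/hostname": "k3s-master-1",
    "projectcalico.org/created-by": "calico-kube-controllers",
}
FIXED_SELECTOR = "projectcalico.org/created-by == 'calico-kube-controllers'"  # constructed alternative
ENDPOINTS = [  # constructed inventory: the host endpoint itself plus one pod on it
    (["10.2.84.52", "10.42.206.0"], AUTO_HEP_LABELS),
    (["10.42.206.5"], {"app": "demo"}),
]

def verdict(pkt, selector=POLICY["selector"]):
    return pre_dnat_verdict(dict(POLICY, selector=selector), pkt, AUTO_HEP_LABELS, ENDPOINTS)
```

With the selector as written, verdict(Packet("203.0.113.7", "10.2.84.52", 30000)) returns "Pass" because the policy selects no host endpoint; with FIXED_SELECTOR the same external packet returns "Deny", a pod source on the node returns "Pass" (it is covered by all() and so excluded by the notSelector), loopback returns "Allow" from the first rule, and UDP or a port outside 30000/9100 falls through as "Pass".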
exfly commented 3 weeks ago

Could you please give a bit more explanation as to what you're trying to do?

centos7.9 timeout
rockylinux 8 Connection to ip port 30000 [tcp/] succeeded!
rockylinux 9 Connection to ip port 30000 [tcp/] succeeded!
ubuntu 20.04 timeout

What does this mean? Are you running 4 different nodes with different distros and seeing different results? Or different clusters?

Deploy different k3s clusters on each distribution