projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

namespaceSelector not working on RKE(rancher kubernetes engine) with CNI calico #9402

Open mak241265 opened 3 weeks ago

mak241265 commented 3 weeks ago

Hello everyone. I have seen a few posts complaining about namespaceSelector in network policy. I still have this problem and cannot figure it out.

I have installed Redis from Bitnami, and inside the Helm chart I have enabled network policy with some customization:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    meta.helm.sh/release-name: redis-test
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2024-10-28T12:21:16Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: redis-test
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: redis
    helm.sh/chart: redis-17.9.5
  name: redis-test
  namespace: default
  resourceVersion: "32158854"
  uid: cce1065f-aed3-4312-aaaa-989be50591ab
spec:
  egress:
  - ports:
    - port: 53
      protocol: UDP
  - ports:
    - port: 6379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/instance: redis-test
          app.kubernetes.io/name: redis
  ingress:
  - from:
    - podSelector:
        matchLabels:
          redis-test-client: "true"
    - podSelector:
        matchLabels:
          app.kubernetes.io/instance: redis-test
          app.kubernetes.io/name: redis
    - namespaceSelector:
        matchLabels:
          redis: external
      podSelector:
        matchLabels:
          redis-client: allow
    ports:
    - port: 6379
      protocol: TCP
  - ports:
    - port: 9121
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: redis-test
      app.kubernetes.io/name: redis
  policyTypes:
  - Ingress
  - Egress
status: {}

Expected Behavior

From my understanding, any pod which is in a namespace that has the label redis: external, and which itself has the label redis-client: allow, can connect to Redis on port 6379.

Current Behavior

I have conducted many tests, and everything works well if the pod itself is inside the same namespace as Redis.

Your Environment

My environment info is below:
rke version: v1.4.6
k8s version: v1.26.4
calico version: v3.25.1
OS version: Ubuntu 22.04

mak241265 commented 3 weeks ago

It seems that if the Redis client is on the same node as the Redis instance, then the connection can be established without problem, but on different nodes there is no connection. My Calico IP pool configuration is:

ipPools:
- blockSize: 26
  cidr: 10.180.0.0/16
  encapsulation: IPIP
  natOutgoing: "Enabled"
  nodeSelector: all()

caseydavenport commented 2 weeks ago

> then the connection can be set without problem but on different nodes then no connection.

This seems to suggest that the problem isn't so much with network policy, but with the cross-node networking configuration. A few potential things:

I suspect the latter is more likely - would be worth trying to do a packet capture, or verify that there is or is not NAT occurring when sending packets to redis when the client is on a different node.
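One way to carry out the cross-node check suggested above, as an added example that is not part of the issue thread or of the Calico project's own code: a bash script that labels a client namespace `redis: external`, launches a probe pod carrying `redis-client: allow` on a node other than the one hosting Redis, and includes a small helper that tells, from the source address tcpdump shows on the Redis node, whether the client pod IP survived the hop or was replaced by a node address. The pool CIDR 10.180.0.0/16, the namespace `default` and the pod labels come from the policy posted in the issue; the client namespace name `redis-clients`, the probe pod definition, the busybox image and the Redis service name `redis-test-master.default.svc` are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or the Calico project): reproduce the cross-node
# namespaceSelector test for the redis-test policy and classify captured source IPs
# to tell whether cross-node traffic arrives NATed. Assumptions are marked ASSUMED.
set -euo pipefail

REDIS_NS="${REDIS_NS:-default}"            # namespace of the redis-test release (from the issue)
CLIENT_NS="${CLIENT_NS:-redis-clients}"    # ASSUMED name of the external client namespace
POD_CIDR="${POD_CIDR:-10.180.0.0/16}"      # IP pool CIDR from the issue
REDIS_HOST="${REDIS_HOST:-redis-test-master.${REDIS_NS}.svc}"  # ASSUMED service name

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IPv4 address $1 lies inside CIDR $2, else 1.
ip_in_cidr() {
  local ip="$1" net="${2%/*}" bits="${2#*/}"
  local mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Given the source address seen by tcpdump on the Redis node, say whether the
# client pod IP survived the trip. A podSelector can only match if it did.
classify_source() {
  if ip_in_cidr "$1" "$POD_CIDR"; then
    echo "pod IP (no NAT, podSelector can match)"
  else
    echo "not a pod IP (SNAT to node or non-pod source, podSelector cannot match)"
  fi
}

# Manifest for a probe pod carrying the label the policy expects, pinned to a node.
client_pod_manifest() {
  local node="$1"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: redis-probe
  namespace: ${CLIENT_NS}
  labels:
    redis-client: allow
spec:
  nodeName: ${node}
  restartPolicy: Never
  containers:
  - name: probe
    image: busybox:1.36
    command: ["sh", "-c", "nc -z -w 5 ${REDIS_HOST} 6379 && echo CONNECTED || echo BLOCKED"]
EOF
}

# Run the probe from a node other than the one hosting Redis (needs kubectl and a cluster).
run_probe() {
  kubectl get ns "${CLIENT_NS}" >/dev/null 2>&1 || kubectl create ns "${CLIENT_NS}"
  kubectl label ns "${CLIENT_NS}" redis=external --overwrite
  local redis_node other_node
  redis_node=$(kubectl -n "${REDIS_NS}" get pod -l app.kubernetes.io/name=redis \
    -o jsonpath='{.items[0].spec.nodeName}')
  other_node=$(kubectl get nodes -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' \
    | grep -vx "${redis_node}" | head -n1)
  echo "redis on ${redis_node}; probing from ${other_node}"
  client_pod_manifest "${other_node}" | kubectl apply -f -
  kubectl -n "${CLIENT_NS}" wait --for=jsonpath='{.status.phase}'=Succeeded \
    pod/redis-probe --timeout=90s || true
  kubectl -n "${CLIENT_NS}" logs redis-probe
  # Meanwhile, on the Redis node, capture the SYNs and pass each source address
  # to classify_source:
  #   tcpdump -nni any 'tcp port 6379 and tcp[tcpflags] & tcp-syn != 0'
}

if [ "${RUN_PROBE:-0}" = "1" ]; then
  run_probe
fi
```

Run it with `RUN_PROBE=1` against the cluster; the helpers can be sourced on their own to classify addresses read off a capture. The classification is the useful part: a `podSelector`, alone or combined with a `namespaceSelector`, is evaluated against the source pod's IP, so if the SYN arriving on the Redis node carries a node address instead of a 10.180.x.x address, the policy is doing exactly what it is written to do and the fault lies in the encapsulation or NAT path between nodes, which fits the same-node versus different-node split reported above.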