Exploring NetworkPolicy in a KIND cluster
I am learning to implement NetworkPolicy in k8s clusters and I learnt something new today.
In a k3d cluster, the default CNI supports NetworkPolicy; see https://medium.com/ci-cd-devops/explore-the-cni-option-used-by-k3d-a16b7f48e411
In a KIND cluster, on the other hand, the default CNI doesn't support NetworkPolicy. A NetworkPolicy written in YAML and applied to the cluster is accepted without error, but it is a dummy with no effect: the API server only stores the object, enforcement is up to the CNI plugin, and nothing warns you that the policy is being ignored. The only way to know is to test the connection.
Without Cilium, after applying https://github.com/bmuschko/ckad-crash-course/blob/master/exercises/31-networkpolicy/setup.yaml:
$ k get NetworkPolicy -A
NAMESPACE NAME POD-SELECTOR AGE
k2 default-deny-ingress <none> 10s
$ k get pod -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
k1 busybox 1/1 Running 0 5m27s 10.244.0.7 t1-control-plane <none> <none>
k2 nginx 1/1 Running 0 5m27s 10.244.0.8 t1-control-plane <none> <none>
kube-system coredns-565d847f94-7xd54 1/1 Running 1 (7m54s ago) 2d2h 10.244.0.2 t1-control-plane <none> <none>
kube-system coredns-565d847f94-mmrgf 1/1 Running 1 (7m54s ago) 2d2h 10.244.0.3 t1-control-plane <none> <none>
kube-system etcd-t1-control-plane 1/1 Running 1 (7m54s ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kindnet-xf5wz 1/1 Running 1 (7m54s ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kube-apiserver-t1-control-plane 1/1 Running 1 (7m54s ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kube-controller-manager-t1-control-plane 1/1 Running 1 (7m54s ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kube-proxy-4cb8v 1/1 Running 1 (7m54s ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kube-scheduler-t1-control-plane 1/1 Running 1 (7m54s ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
local-path-storage local-path-provisioner-684f458cdd-jd2m6 1/1 Running 2 (7m15s ago) 2d2h 10.244.0.4 t1-control-plane <none> <none>
$ k exec -it busybox -n k1 -- wget --timeout=5 10.244.0.8:80
Connecting to 10.244.0.8:80 (10.244.0.8:80)
saving to 'index.html'
index.html 100% |********************************| 615 0:00:00 ETA
'index.html' saved
Is there a CNI implemented in KIND at all? It seems so (kindnet), but without proper support for NetworkPolicy:
$ docker exec -it t1-control-plane /bin/sh
# cd /
# find / -type f -name '*.conflist'
/etc/cni/net.d/10-kindnet.conflist
# exit
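A reusable version of the check above, as an added example that is not part of the original post or of the kind project: it creates a scratch namespace with a default-deny-ingress policy and two pods, runs the same wget probe, and reports whether the CNI actually enforced the policy. The namespace name np-probe, the pod names and the NP_PROBE_RUN guard variable are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): probe whether the cluster's CNI
# actually enforces NetworkPolicy, using the same wget test as the post. Scratch
# namespace name, pod names and the NP_PROBE_RUN guard are my own assumptions.
NS=np-probe

# Map the exit status of the probe to a verdict. wget succeeding (0) against a
# pod covered by default-deny-ingress means the policy object is a no-op.
# Any other status is treated as blocked; pods are waited on to be Ready first
# so an unscheduled or crashing pod is not mistaken for enforcement.
verdict() {
  case "$1" in
    0) echo "NOT ENFORCED: default-deny-ingress was ignored by the CNI" ;;
    *) echo "ENFORCED: ingress to the target pod was blocked" ;;
  esac
}

probe_enforcement() {
  kubectl create namespace "$NS" >/dev/null
  # Same shape as the post's first policy: select every pod, no ingress rules.
  kubectl apply -n "$NS" -f - >/dev/null <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
  kubectl run target -n "$NS" --image=nginx >/dev/null
  kubectl run client -n "$NS" --image=busybox --restart=Never \
    --command -- sleep 3600 >/dev/null
  kubectl wait -n "$NS" --for=condition=Ready pod/target pod/client \
    --timeout=120s >/dev/null
  ip=$(kubectl get pod target -n "$NS" -o jsonpath='{.status.podIP}')
  status=0
  kubectl exec client -n "$NS" -- \
    wget -q -O /dev/null --timeout=5 "http://$ip:80" || status=$?
  kubectl delete namespace "$NS" --wait=false >/dev/null
  verdict "$status"
}

# Only touch a real cluster when explicitly requested: NP_PROBE_RUN=1 ./probe.sh
if [ "${NP_PROBE_RUN:-0}" = "1" ]; then
  probe_enforcement
fi
```

Run it once after installing a CNI and again after any CNI upgrade; a "NOT ENFORCED" verdict means every NetworkPolicy in the cluster is decorative.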
Let's add Cilium. First install the cilium CLI (macOS binary shown here):
$ curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-darwin-amd64.tar.gz{,.sha256sum}
$ shasum -a 256 -c cilium-darwin-amd64.tar.gz.sha256sum
$ sudo tar xzvfC cilium-darwin-amd64.tar.gz /usr/local/bin
$ rm cilium-darwin-amd64.tar.gz{,.sha256sum}
$ k delete ns k1 k2
After Cilium is installed into the cluster and setup.yaml is applied again to recreate k1 and k2 (note the cilium pods below, and the freshly created test pods with new IPs):
$ k get pod -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
k1 busybox 1/1 Running 0 10s 10.244.0.163 t1-control-plane <none> <none>
k2 nginx 1/1 Running 0 10s 10.244.0.124 t1-control-plane <none> <none>
kube-system cilium-hvmv2 1/1 Running 0 97s 192.168.228.2 t1-control-plane <none> <none>
kube-system cilium-operator-5966986c94-pcchx 1/1 Running 0 97s 192.168.228.2 t1-control-plane <none> <none>
kube-system coredns-565d847f94-bbk26 1/1 Running 0 33s 10.244.0.125 t1-control-plane <none> <none>
kube-system coredns-565d847f94-v7z92 1/1 Running 0 48s 10.244.0.34 t1-control-plane <none> <none>
kube-system etcd-t1-control-plane 1/1 Running 1 (13m ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kindnet-xf5wz 1/1 Running 1 (13m ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kube-apiserver-t1-control-plane 1/1 Running 1 (13m ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kube-controller-manager-t1-control-plane 1/1 Running 1 (13m ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kube-proxy-4cb8v 1/1 Running 1 (13m ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
kube-system kube-scheduler-t1-control-plane 1/1 Running 1 (13m ago) 2d2h 192.168.228.2 t1-control-plane <none> <none>
local-path-storage local-path-provisioner-684f458cdd-jd2m6 1/1 Running 2 (12m ago) 2d2h 10.244.0.4 t1-control-plane <none> <none>
$ k exec -it busybox -n k1 -- wget --timeout=5 10.244.0.124:80
Connecting to 10.244.0.124:80 (10.244.0.124:80)
wget: download timed out
command terminated with exit code 1
Now the default-deny-ingress policy is actually enforced and the same request times out. Let's modify the NetworkPolicy to allow cross-namespace traffic between the pods (the name default-deny-ingress is kept, even though the policy now admits traffic):
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: k2
spec:
  podSelector:
    matchLabels:
      role: consumer
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: producer
and try again:
$ k apply -f k1k2.yaml
$ k exec -it busybox -n k1 -- wget --timeout=5 10.244.0.124:80
Connecting to 10.244.0.124:80 (10.244.0.124:80)
saving to 'index.html'
index.html 100% |********************************| 615 0:00:00 ETA
'index.html' saved
Yes, now it works: the policy selects the pods labeled role: consumer in k2 and admits ingress only from namespaces labeled role: producer, so the busybox pod in k1 gets through while all other ingress to those pods is still denied.