
OKD 3.11 Networkpolicy



Hi, it's kind of hard to explain my problem, but I am trying to get network policy to work in OKD 3.11, and it seems it doesn't work as it should. Does it work differently than in Kubernetes?

I am using ovs-networkpolicy plugin.

 

The problem is related to pod labels, which don't seem to work as they are documented in the Kubernetes docs (https://kubernetes.io/docs/concepts/services-networking/network-policies/):

  podSelector:
    matchLabels:
      app: <name>

 

For example, I have two projects, A and B. In project A I have a pod with label app: web, and in project B I have a pod with label app: db.

I have labeled project B with label project: B, and project A with label project A, and also labeled the pods.

It still doesn’t work.

 

Now I create a network policy which should allow this access.

 

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-B-to-A
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: DB
        - namespaceSelector:
            matchLabels:
              project: B

 

 

I read in the documentation:

Only the v1 NetworkPolicy features are available in OKD. This means that egress policy types, IPBlock, and combining podSelector and namespaceSelector are not available in OKD.

 

It works if I use only namespaceSelector, so it allows access from a specific namespace TO a specific pod inside the project, NOT from a specific pod in another project to a pod inside a different project, as I mentioned before.

I tried to allow access using only podSelector without namespaceSelector, but still without success.

Is there any workaround or solution to allow/restrict access between specific pod labels in different projects/namespaces?

 

-- 

 

Best,

 

Alexander Kozhemyakin

System Engineer, SRE

 

Tel: + 372 58167904

alexander kozhemyakin bigbank ee

 

Bigbank I www.bigbank.ee

Riia 2, 51004, Tartu, Estonia

 


CONFIDENTIALITY DISCLAIMER: This e-mail may contain confidential information. It is prohibited to use this information by anyone else than the addressee. Disclosure of such information may be prohibited by law. If you received this in error, please contact the sender and delete the material permanently.
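
The evaluation of the `from` list in the policy above, as an added example that is not part of the original post. It models the upstream Kubernetes v1 rules: peers in one `from` list are ORed, a bare podSelector only selects pods in the policy's own namespace, a bare namespaceSelector selects every pod in the matching namespaces, and label values are case-sensitive. Namespace names "A" and "B" and the source pod labels are constructed sample data.

```python
# Constructed model of how a v1 NetworkPolicy "from" list is evaluated.
# Namespace names, namespace labels and pod labels below are sample data.

def labels_match(selector, labels):
    """matchLabels semantics: every key/value must be present, case-sensitive."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    has_pod = "podSelector" in peer
    has_ns = "namespaceSelector" in peer
    if has_pod and has_ns:
        # One peer carrying both selectors (AND): the form the OKD 3.11
        # documentation quoted in the post says is not available.
        raise ValueError("combined podSelector+namespaceSelector peer")
    if has_ns:
        # Selects every pod in the matching namespaces.
        return labels_match(peer["namespaceSelector"], src_ns_labels)
    if has_pod:
        # Selects pods only in the policy's own namespace.
        return src_ns == policy_ns and labels_match(peer["podSelector"], src_pod_labels)
    return False

def ingress_allowed(policy, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    # Peers in one "from" list are ORed.
    return any(peer_allows(p, policy_ns, src_ns, src_ns_labels, src_pod_labels)
               for rule in policy["ingress"] for p in rule["from"])

# The "from" list of the policy as posted: two separate peers.
POLICY = {"ingress": [{"from": [
    {"podSelector": {"matchLabels": {"app": "DB"}}},
    {"namespaceSelector": {"matchLabels": {"project": "B"}}},
]}]}

def demo():
    ns_a, ns_b = {"project": "A"}, {"project": "B"}
    return {
        "db_pod_in_B": ingress_allowed(POLICY, "A", "B", ns_b, {"app": "db"}),
        "other_pod_in_B": ingress_allowed(POLICY, "A", "B", ns_b, {"app": "cache"}),
        "db_pod_in_A": ingress_allowed(POLICY, "A", "A", ns_a, {"app": "db"}),
        "DB_pod_in_A": ingress_allowed(POLICY, "A", "A", ns_a, {"app": "DB"}),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

In this model every pod in project B is admitted by the namespaceSelector peer, while the podSelector peer only ever applies to pods in project A whose label value is exactly `DB`.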

 

