
Kubernetes network policy with node ip cidr doesn't work #12277

@lzang

Description

Bug report

General Information

  • Cilium version : 1.8
  • Kernel version: 4.19

How to reproduce the issue

  1. Create a policy rule to allow a pod to talk to all nodes. CIDR 10.128.0.0/20 is the node CIDR.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-kubelet-from-test-pod
spec:
  podSelector:
    matchLabels:
      k8s-app: test-pod
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.128.0.0/20
    ports:
    - protocol: TCP
      port: 10255

  2. curl the node from the pod, and find that the connection is rejected instead of being allowed.

The issue is that the node IP is translated to the host identity, not the CIDR identity. However, Kubernetes network policy doesn't have a node selector. So to allow pods to talk to the host in either direction using a k8s network policy, only a CIDR can be used. The current behavior is inconsistent with what is supposed to work with k8s network policy.
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/api/networking/v1/types.go
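The following is an added example, not code from the Cilium project or from the issue author. It models the classification the report describes (a destination that is a node IP resolves to the host identity before any CIDR match is attempted, so an ipBlock rule never matches it) and adds a small check that flags NetworkPolicy ipBlock entries overlapping the node CIDR, which is the situation where this mismatch bites. The node IP list, the identity name "host", and the policy dict (a transcription of the YAML in the report) are constructed for the example; the matching logic is a simplified model of the behaviour in the report, not Cilium's datapath code.

```python
"""Model of 'node IP -> host identity, not CIDR identity' and a lint that
spots ipBlock CIDRs overlapping the node CIDR.  Added example; assumptions
(node IPs, identity naming, simplified matching) are labelled inline."""
import ipaddress

# Constructed for the example: the node CIDR from the report and two
# hypothetical node IPs inside it.
NODE_CIDR = ipaddress.ip_network("10.128.0.0/20")
NODE_IPS = {ipaddress.ip_address("10.128.0.10"), ipaddress.ip_address("10.128.1.7")}

# The NetworkPolicy from the report, transcribed into a dict so the example
# needs no YAML library.
POLICY = {
    "metadata": {"name": "allow-kubelet-from-test-pod"},
    "spec": {
        "podSelector": {"matchLabels": {"k8s-app": "test-pod"}},
        "policyTypes": ["Egress"],
        "egress": [
            {
                "to": [{"ipBlock": {"cidr": "10.128.0.0/20"}}],
                "ports": [{"protocol": "TCP", "port": 10255}],
            }
        ],
    },
}


def classify(dst, node_ips=NODE_IPS):
    """Return the identity a destination resolves to in this model.
    A node IP becomes the 'host' identity (name assumed for the example);
    any other address is treated as a CIDR identity for that address."""
    dst = ipaddress.ip_address(dst)
    if dst in node_ips:
        return "host"
    return f"cidr:{dst}/32"


def egress_allowed(policy, dst, port, proto="TCP", node_ips=NODE_IPS):
    """Evaluate egress the way the report describes: an ipBlock peer only
    matches CIDR identities, so traffic to a node IP is never matched by it
    even when the address lies inside the ipBlock's range."""
    identity = classify(dst, node_ips)
    dst_ip = ipaddress.ip_address(dst)
    for rule in policy["spec"].get("egress", []):
        port_ok = any(
            p["port"] == port and p.get("protocol", "TCP") == proto
            for p in rule.get("ports", [])
        )
        if not port_ok:
            continue
        for peer in rule.get("to", []):
            block = peer.get("ipBlock")
            if block is None or identity == "host":
                continue  # host identity is not a CIDR identity: no match
            if dst_ip in ipaddress.ip_network(block["cidr"]):
                return True
    return False


def find_node_cidr_overlap(policy, node_cidr=NODE_CIDR):
    """Lint: list (direction, cidr) pairs whose ipBlock overlaps the node
    CIDR.  Node IPs inside such a block will not be matched by it under the
    behaviour the report describes, so the rule will not do what the author
    of the policy expects."""
    findings = []
    for direction, key in (("egress", "to"), ("ingress", "from")):
        for rule in policy["spec"].get(direction, []):
            for peer in rule.get(key, []):
                block = peer.get("ipBlock")
                if block and ipaddress.ip_network(block["cidr"]).overlaps(node_cidr):
                    findings.append((direction, block["cidr"]))
    return findings


if __name__ == "__main__":
    # Node IP inside the ipBlock range: rejected, reproducing the report.
    print("node 10.128.0.10:10255 ->", egress_allowed(POLICY, "10.128.0.10", 10255))
    # Non-node IP in the same range: matched by the ipBlock as expected.
    print("non-node 10.128.2.50:10255 ->", egress_allowed(POLICY, "10.128.2.50", 10255))
    for direction, cidr in find_node_cidr_overlap(POLICY):
        print(f"warning: {direction} ipBlock {cidr} overlaps node CIDR {NODE_CIDR}")
```

Run as a script it prints the rejected node case, the allowed non-node case, and the overlap warning; the lint function can be pointed at any policy dict parsed from cluster YAML to find rules that rely on ipBlock for node traffic.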

Labels: kind/bug (This is a bug in the Cilium logic.), pinned (These issues are not marked stale by our issue bot.), sig/policy (Impacts whether traffic is allowed or denied based on user-defined policies.)
