I want to update you on that. I was able to solve the issue by upgrading the VPC CNI to v1.18.3-eksbuild.1 from v1.18.1-eksbuild.3 and adding the following parameters in the configuration:
{
  "enableNetworkPolicy": "true",
  "nodeAgent": {
    "healthProbeBindAddr": "8163",
    "metricsBindAddr": "8162"
  }
}
Foreseeing possible accusations of oversight on my part, I must say that before opening this request I manually modified the manifest of the aws-node DaemonSet, changing the value of --enable-network-policy from false to true. And of course, I waited for the DaemonSet to roll over to the new version. For those who are interested, on the node itself the logs are written to /var/log/aws-routed-eni/network-policy-agent.log. You can execute something as follows to get to them:
# pick the node that runs the first pod of the service in the "orders" namespace
POD_HOSTIP_1=$(kubectl get po --selector app.kubernetes.io/component=service -n orders -o json | jq -r '.items[0].spec.nodeName')
# start a debug pod on that node; the node's root filesystem is mounted at /host inside it
kubectl debug node/$POD_HOSTIP_1 -it --image=ubuntu
# inside the debug pod: follow the node agent log via the /host mount
tail -f /host/var/log/aws-routed-eni/network-policy-agent.log
Anywho, I am going to close this question, still unsure whether it was the version of the VPC CNI or just the parameters that I added to the add-on.
My apologies, I believe that I just copied the wrong policy. This is the policy to block all ingresses:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
This is how I test it. I have one pod exporting port 8888, then I started the netshoot pod (kubectl run netshoot --image nicolaka/netshoot --command sleep 10000) and connected to it (kubectl exec -it netshoot -- bash), and from there I use curl for the service (curl http://exposed-service:8888).
These two pods reside in the same default namespace.
Hi,
The policy created is an egress policy, but you are expecting an ingress policy that's like this from k8s docs: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
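The thread turned on two things that are easy to get wrong silently: whether the VPC CNI actually has network policy enforcement switched on (the add-on configuration and the --enable-network-policy argument on the aws-node DaemonSet discussed in the first update), and whether a NetworkPolicy manifest denies the direction you think it does (the egress-versus-ingress mix-up in the last two answers). The script below is an added example, not code from this thread or from the AWS VPC CNI project; it takes manifests as plain dicts (what `kubectl get ... -o json` returns), so it runs without a cluster or PyYAML. The `--flag=value` argument form, the container name `node-agent`, and all sample manifests are constructed for illustration.

```python
"""Offline checks for (1) VPC CNI network policy enablement and
(2) the actual effect of a NetworkPolicy manifest. Inputs are dicts."""
from typing import Optional


def node_agent_flag(daemonset: dict, flag: str = "--enable-network-policy") -> Optional[bool]:
    """Return the boolean value of a `--flag=value` arg on any container of the
    aws-node DaemonSet (that arg form is an assumption), or None if the flag
    is absent from every container."""
    pod_spec = daemonset.get("spec", {}).get("template", {}).get("spec", {})
    for container in pod_spec.get("containers", []):
        for arg in container.get("args", []):
            if arg.startswith(flag + "="):
                return arg.split("=", 1)[1].strip().lower() == "true"
    return None


def addon_enables_network_policy(config_values: dict) -> bool:
    """EKS add-on configurationValues carry enableNetworkPolicy as a string."""
    return str(config_values.get("enableNetworkPolicy", "false")).lower() == "true"


def classify_network_policy(policy: dict) -> dict:
    """Describe what a NetworkPolicy does per direction.
    A direction listed in policyTypes with no rules is a default deny for the
    selected pods; a direction not listed is not governed by this policy."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes")
    if types is None:
        # Kubernetes default: Ingress always; Egress only if an egress section exists.
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    result = {
        "selects_all_pods": spec.get("podSelector", {}) == {},
        "namespace": policy.get("metadata", {}).get("namespace", "default"),
    }
    for direction in ("Ingress", "Egress"):
        key = direction.lower()
        if direction not in types:
            result[key] = "not governed"
        elif not spec.get(key):
            result[key] = "deny all"
        else:
            result[key] = f"allow {len(spec[key])} rule(s), deny the rest"
    return result


def check_expectation(policy: dict, expect_denied: str) -> list:
    """Return findings when the policy does not default-deny `expect_denied`
    ("Ingress" or "Egress") for every pod in its namespace; empty list if it does."""
    c = classify_network_policy(policy)
    findings = []
    if not c["selects_all_pods"]:
        findings.append("podSelector is not {}: only some pods are selected")
    if c[expect_denied.lower()] != "deny all":
        findings.append(
            f"{expect_denied} is '{c[expect_denied.lower()]}', not a default deny; check policyTypes"
        )
    return findings


# --- constructed sample inputs (not taken from a real cluster) ---
ADDON_CONFIG = {"enableNetworkPolicy": "true",
                "nodeAgent": {"healthProbeBindAddr": "8163", "metricsBindAddr": "8162"}}

AWS_NODE_DS = {"spec": {"template": {"spec": {"containers": [
    {"name": "aws-node", "args": []},
    {"name": "node-agent", "args": ["--enable-network-policy=true", "--metrics-bind-addr=:8162"]},
]}}}}
DISABLED_DS = {"spec": {"template": {"spec": {"containers": [
    {"name": "node-agent", "args": ["--enable-network-policy=false"]},
]}}}}

DENY_ALL_INGRESS = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                    "metadata": {"name": "deny-all-ingress", "namespace": "default"},
                    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
# the kind of policy the asker copied by mistake: it only governs egress
DENY_ALL_EGRESS = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                   "metadata": {"name": "deny-all-egress", "namespace": "default"},
                   "spec": {"podSelector": {}, "policyTypes": ["Egress"]}}

if __name__ == "__main__":
    print("add-on enables network policy:", addon_enables_network_policy(ADDON_CONFIG))
    print("DaemonSet flag:", node_agent_flag(AWS_NODE_DS))
    for p in (DENY_ALL_INGRESS, DENY_ALL_EGRESS):
        print(p["metadata"]["name"], classify_network_policy(p),
              "findings:", check_expectation(p, "Ingress"))
```

Run against real objects with `kubectl get ds aws-node -n kube-system -o json` and `kubectl get networkpolicy <name> -o json` piped into `json.load`; if the add-on configuration says enabled but the DaemonSet flag comes back false or None, the add-on rollout has not reached the nodes yet, which is exactly the state where a policy appears to do nothing.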
Did you install it as a self-managed add-on or as an EKS add-on? There are some differences in configuration.