Kubernetes — Debugging NetworkPolicy (Part 2)

Debugging from the egress point is easier than debugging from the ingress point

For egress traffic, check your container logs

>kubectl -n local-demo-debugnetworkpolicy-ns logs my-deployment-5cccff8466-zmthp -c do-wget
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0
curl: (28) Resolving timed out after 1000 milliseconds

Allowing all containers to access DNS

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-allpods-to-dns
spec:
  policyTypes:
  - Egress
  # An empty podSelector selects every pod in the namespace the policy lives in.
  podSelector: {}
  egress:
  - to:
    # kubernetes.io/metadata.name is set automatically on namespaces by recent
    # Kubernetes releases; on older clusters label kube-system yourself first.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP

Allowing application-specific traffic

>kubectl -n local-demo-debugnetworkpolicy-ns logs my-deployment-5cccff8466-zmthp -c do-wget
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (28) Failed to connect to example.com port 80 after 703 ms: Operation timed out

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-deployment-to-examplecom
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: my-deployment
  policyTypes:
  - Egress
  egress:
  - to:
    # ipBlock matches the resolved destination address, so this rule only
    # works while example.com still resolves to this IP.
    - ipBlock:
        cidr: 93.184.216.34/32
    ports:
    - protocol: TCP
      port: 80

Allowing all “external” IPs that are managed by other network infrastructure while still blocking “internal” IPs by default

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-block-private-networks
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: my-deployment
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        # Only the RFC 1918 ranges are excluded here. Anything else, including
        # link-local 169.254.0.0/16 and any pod or service CIDR outside these
        # ranges, is still reachable on TCP/80 under this rule.
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    ports:
    - protocol: TCP
      port: 80
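To check what an ipBlock rule with an except list actually permits before applying it, here is an added example (not from the article) that re-implements the ipBlock and ports matching of a NetworkPolicy egress rule in Python and evaluates the default-block-private-networks policy above against a few destinations. It assumes no other policy selects the pod, handles only ipBlock peers (selector peers need cluster state), and embeds the policy as a constructed dict so it runs offline without PyYAML.

```python
import ipaddress

# Constructed copy of the article's default-block-private-networks egress rule.
POLICY = {
    "metadata": {"name": "default-block-private-networks"},
    "spec": {
        "policyTypes": ["Egress"],
        "egress": [{
            "to": [{"ipBlock": {
                "cidr": "0.0.0.0/0",
                "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
            }}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}


def ip_block_matches(block, ip):
    """True when ip is inside block['cidr'] and outside every 'except' range."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(ex, strict=False)
                   for ex in block.get("except", []))


def egress_allowed(policy, ip, port, protocol="TCP"):
    """Return True if any egress rule allows ip:port/protocol.

    Per the NetworkPolicy spec, a rule without 'to' matches every peer and a
    rule without 'ports' (or a port entry without 'port') matches every port.
    With policyTypes [Egress], anything no rule allows is denied.
    """
    for rule in policy["spec"].get("egress", []):
        peers = rule.get("to")
        peer_ok = peers is None or any(
            "ipBlock" in p and ip_block_matches(p["ipBlock"], ip) for p in peers)
        ports = rule.get("ports")
        port_ok = ports is None or any(
            p.get("protocol", "TCP") == protocol and p.get("port") in (None, port)
            for p in ports)
        if peer_ok and port_ok:
            return True
    return False


if __name__ == "__main__":
    for dest in ["93.184.216.34", "10.1.2.3", "172.31.0.9", "169.254.169.254"]:
        print(dest, "allowed" if egress_allowed(POLICY, dest, 80) else "denied")
```

Running it shows that 169.254.169.254 (the link-local metadata address many clouds use) is allowed by this policy, which is the kind of gap worth catching before the policy reaches a cluster.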

Conclusion

Distinguished Architect at Sun Life Financial. Focused on containers & Kubernetes. Views & opinions expressed here are my own, not necessarily those of Sun Life

Paul Dally