Network Policies in Kubernetes 1.9 don't work #184
Comments
Hi @romeotheriault, Romana is a bit behind with the Network Policy API support. There was a change in the default behavior from k8s v1.7 to v1.8 (and v1.9). Romana v2.0.2 still only supports the v1.7 style API. Here is an example of a network policy that uses the old API. https://github.com/romana/romana/blob/master/test/kubernetes-cluster/frontend-to-backend.yml Romana v2.1 is not quite ready. Been working on other things lately.
Thanks for the followup @chrismarino . Are the 'romana.io/segment' labels some special syntax that needs to be used? e.g. I tried using my own labels, e.g. and it didn't seem to take.
@romeotheriault yes, v2.0.2 does not support free form labels defined in the spec. The default labels are 'romanaTenant' and 'romana.io/segment' and are defined at install here: https://github.com/romana/romana/blob/b383faf2884a9f3bb56f090161ba20732b0c02eb/romana-install/group_vars/kube_nodes So, the default install allows only two labels: 'romana.io/segment' and 'romanaTenant'. Haven't run across anyone using more than two labels, yet, but can see how that would be useful, for sure. Multiple free-form labels are part of the next release, along with the latest API support. Not sure how to change the label names, @cgilmour would have more details on what to do.
@romeotheriault FWIW, these hard coded labels are a remnant of Romana v1.0 that had an explicit tenancy model. Romana v2 expanded that to be more flexible, but still some lingering evidence of the old v1.0 model.
Thank you. That helps, and I think I'm getting really close but for some reason none of the rules I apply are working. As a first test I'm simply trying to have a rule between two pods in the same namespace that only allows one port to be contacted from the other pod. I applied the 'romana.io/segment' label to the containers I created, and romanaTenant appears to be getting set to the namespace of the pod. But this network policy is still allowing all communications from the dbm segment (pod) to the gw segment (pod). It's not getting restricted to only contacting port 40000 on the gw.
Bit more info:
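For reference, this is how the dbm-to-gw port 40000 restriction described above looks as a standard Kubernetes NetworkPolicy (networking.k8s.io/v1). It is an added example, not a manifest from this thread or from the Romana project; the namespace name `demo` is a placeholder, and the `romana.io/segment` values `dbm` and `gw` follow the labels the reporter says they applied. Whether Romana 2.0.2 enforces it is exactly the API-version question the maintainers raise above.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dbm-to-gw-40000-only
  namespace: demo            # placeholder namespace; romanaTenant is derived from it
spec:
  # Pods this policy protects: the gw segment in this namespace.
  podSelector:
    matchLabels:
      romana.io/segment: gw
  # Explicit in the v1.8+ API. Omitting it defaults to Ingress only,
  # which matches what the v1.7-style policies Romana 2.0.2 understands expressed.
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A bare podSelector matches pods in the SAME namespace only.
        # Pods in other namespaces are denied unless a namespaceSelector is added,
        # so cross-namespace traffic still reaching gw means the policy is not enforced.
        - podSelector:
            matchLabels:
              romana.io/segment: dbm
      ports:
        - protocol: TCP
          port: 40000
```

Once a pod is selected by any NetworkPolicy, all ingress not listed is denied, so a quick check for enforcement is that dbm can still reach gw on 40000 while any other port (and any pod outside the dbm segment) is refused.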
Hi @romeotheriault, The latest version of Romana still uses the v1.7 approach to policies, which required an annotation on the namespace: This will trigger deletion of the Can you try that and report back? Thanks
Hi @cgilmour, Thanks for the tip. I gave that a shot and it did indeed remove the AllowAllPods2Talk_xxxx policy for that namespace. But even after that is gone all of the pods within that namespace (and pods in other namespaces) can talk to the pods in that namespace.
@romeotheriault send an email to info@romana.io to get an invite to Romana's Slack if you want.
From our discussion on slack, there were some rules that effectively accept traffic before Romana's policy rules have a chance to make decisions. (from iptables-save)
These accept the traffic on the FORWARD chain before reaching the rules that Romana manages. This seems to be related to the change from kubernetes/kops#3977, and caused an issue for other network policy implementations (eg: kubernetes/kops#4345). I'll see what options we have for handling this better.
@romeotheriault Did you get the NetworkPolicies working? I'm currently trying to accomplish the same but somehow all communication between the pods keeps working (which is bad if you want to block communication). My iptables-save on the machines does not show the -A FORWARD ... rules shown in the comment above.
Can you provide the modified yaml with deployments and Network policies working for K8s > 1.6?
Hi, using k8s 1.9 with kops and romana v2.0.2. I'm trying to apply k8s network policies but they seem to have no effect. I see that the romana listener is picking them up and they are creating romana policies, but the rules are having no effect. Do k8s network policies work with romana 2.0.2? (I see in the romana 2.1 feature list that supporting new style k8s network policies is an upcoming feature.)