
NetworkPolicy not applying exception to Egress rule #78

Closed
treyhyde opened this issue Sep 29, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@treyhyde

What happened:

We have a network policy to disallow access to the cluster (IP ranges changed) but allow to the internet. Effectively an untrusted workload.

```yaml
egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/24
    ports:
    - protocol: TCP
      port: 443
    - protocol: TCP
      port: 80
```

The allow portion of this takes effect but it also does not block the items in the except list.
This was working as desired under Calico. This seems like the only rule we have with a behavior difference between Calico and vpc-cni-k8s, and as such we are unable to proceed with the migration.

Attach logs

^^ this appears to not exist in the official containers.

What you expected to happen:
The "except" range to be blocked.

How to reproduce it (as minimally and precisely as possible):
Apply the network policy

Anything else we need to know?:

Environment:
EKS
Client Version: v1.28.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.4-eks-2d98532
Bottlerocket OS 1.15.0 (aws-k8s-1.27) 5.15.128
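
The semantics the reporter expects are the ones the NetworkPolicy API defines: a peer matches an `ipBlock` only if it falls inside `cidr` and outside every entry in `except`, and a rule allows traffic only when both a peer and a port match. The following is an added reference evaluator (not code from this issue or from the AWS VPC CNI project) that applies those semantics to the egress rule quoted above, so the expected verdict for each destination can be compared against what a pod in the cluster actually observes. The destination addresses in the probe matrix are constructed for illustration; the `validate_except` check encodes the API validation rule that every `except` entry must be a subset of `cidr`.

```python
"""Reference evaluator for NetworkPolicy egress ipBlock/except semantics.

Added example; models the rule from the issue: allow TCP 80/443 to
0.0.0.0/0 except 192.168.0.0/24. The probe destinations are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IPBlock:
    cidr: str
    except_: List[str] = field(default_factory=list)

    def matches(self, ip: str) -> bool:
        """True only if ip is inside cidr AND outside every except entry.

        Ignoring the except list (allowing 192.168.0.0/24 here) is exactly
        the misbehaviour the issue reports.
        """
        addr = ipaddress.ip_address(ip)
        if addr not in ipaddress.ip_network(self.cidr):
            return False
        return not any(addr in ipaddress.ip_network(e) for e in self.except_)


@dataclass
class EgressRule:
    to: List[IPBlock]                 # empty list => any peer
    ports: List[Tuple[str, int]]      # empty list => any port

    def allows(self, ip: str, protocol: str, port: int) -> bool:
        peer_ok = not self.to or any(b.matches(ip) for b in self.to)
        port_ok = not self.ports or (protocol, port) in self.ports
        return peer_ok and port_ok


def egress_allowed(rules: List[EgressRule], ip: str, protocol: str, port: int) -> bool:
    """Egress is allowed if any rule allows it. With policyTypes: Egress set
    and no rules, everything is denied (the isolation default)."""
    return any(r.allows(ip, protocol, port) for r in rules)


def validate_except(block: IPBlock) -> List[str]:
    """Return except entries that are not a subset of cidr; the Kubernetes
    API server rejects an ipBlock that contains such entries."""
    net = ipaddress.ip_network(block.cidr)
    return [e for e in block.except_ if not ipaddress.ip_network(e).subnet_of(net)]


# The rule exactly as posted in the issue.
ISSUE_RULE = EgressRule(
    to=[IPBlock("0.0.0.0/0", ["192.168.0.0/24"])],
    ports=[("TCP", 443), ("TCP", 80)],
)

# Constructed probe destinations: (ip, protocol, port).
PROBES = [
    ("192.168.0.5", "TCP", 443),      # inside except => must be denied
    ("192.168.1.5", "TCP", 443),      # adjacent /24, not excepted => allowed
    ("93.184.216.34", "TCP", 443),    # internet, allowed port => allowed
    ("93.184.216.34", "TCP", 22),     # internet, port not listed => denied
]


def probe_matrix(rules: List[EgressRule], probes=PROBES):
    """Expected verdict per probe; compare with `kubectl exec ... curl` results."""
    return {p: egress_allowed(rules, *p) for p in probes}


if __name__ == "__main__":
    for (ip, proto, port), ok in probe_matrix([ISSUE_RULE]).items():
        print(f"{ip:>15} {proto}/{port:<4} expected {'ALLOW' if ok else 'DENY'}")
```

Run the evaluator, then exercise each probe from a pod selected by the policy; any destination that the evaluator marks DENY but the pod can reach is a CNI enforcement gap of the kind described above, not a policy authoring error.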

@treyhyde treyhyde added the bug Something isn't working label Sep 29, 2023
@jdn5126 jdn5126 transferred this issue from aws/amazon-vpc-cni-k8s Sep 29, 2023
@jayanthvn (Contributor)

This is fixed with this PR: #58. We will be cutting a release probably by mid-October.
