NetworkPolicys using except are not recognised by the plugin #92

Closed
nabeelpaytrix opened this issue Oct 9, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@nabeelpaytrix

What happened:
I have created a NetworkPolicy which should allow all outbound traffic from pods in the same namespace, except for traffic to a specific IP range (169.254.169.254). However, when applying this policy and testing, the explicitly denied IP range is still accessible from all pods in the namespace.

Here is the networkPolicy I used:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-ec2-metadata
spec:
  egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
            - 169.254.169.254/32
  podSelector:
    matchLabels: {}
  policyTypes:
    - Egress

Here is an excerpt from the node logs (this is an EKS managed node which hosted the pod I was testing from):

/var/log/aws-routed-eni/network-policy-agent.log

{"level":"info","timestamp":"2023-10-09T10:01:34.774Z","logger":"ebpf-client","msg":"Flow Info:  ","Src IP":"****","Src Port":50878,"Dest IP":"169.254.169.254","Dest Port":80,"Proto":"TCP","Verdict":"ACCEPT"}

What you expected to happen:
The communication from the pod to the IP 169.254.169.254 should have timed out and the /var/log/aws-routed-eni/network-policy-agent.log file should have printed that the call was DENY rather than ACCEPT

How to reproduce it (as minimally and precisely as possible):

  • In an EKS cluster running Kubernetes version v1.25, with the VPC CNI plugin v1.15.0.

  • Create a busybox pod in a namespace of your choice. Apply the below manifest:

apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
  labels:
    app: busybox
spec:
  containers:
  - name: busybox
    image: busybox
    command:
      - sleep
      - "3600"
  • Apply the NetworkPolicy manifest mentioned above:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-ec2-metadata
spec:
  egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
            - 169.254.169.254/32
  podSelector:
    matchLabels: {}
  policyTypes:
    - Egress
  • Exec into the busybox pod and test the connection to the restricted IP:
$ kubectl exec -it busybox-pod -- sh
/ # wget 169.254.169.254
  • The response from wget will be a code other than 5xx, indicating that the restricted IP is still reachable.
  • View the /var/log/aws-routed-eni/network-policy-agent.log on the host node for the busybox pod. You will notice that a connection to the denied IP was allowed.

Anything else we need to know?:

  • I have tried adding an explicit deny NetworkPolicy on top of my own policy, just to ensure that the excepted IP still follows the default behaviour which is to DENY the traffic: kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies.files/default-deny.yaml

  • Certain NetworkPolicies do work with my current setup, e.g. I can successfully restrict Egress traffic to a specific IP range. But the except field doesn't appear to do anything with the VPC CNI NetworkPolicy controller.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: this-works-as-expected
spec:
  egress:
    - to:
      - ipBlock:
          cidr: 10.12.0.0/16
  podSelector:
    matchLabels: {}
  policyTypes:
    - Egress

Environment:

  • Kubernetes version (use kubectl version): 1.25
  • CNI Version: 1.15.0
  • OS (e.g: cat /etc/os-release): Amazon Linux 2
  • Kernel (e.g. uname -a): Linux ip-****.eu-west-2.compute.internal 5.10.186-179.751.amzn2.x86_64 #1 SMP Tue Aug 1 20:51:38 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
@nabeelpaytrix nabeelpaytrix added the bug Something isn't working label Oct 9, 2023
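The following is an added example, not code from this issue nor from the VPC CNI or network policy agent projects. It spells out what an ipBlock with `except` is supposed to permit (the `except` ranges are holes carved out of `cidr`, never additions), derives the verdict a pod selected by an Egress policy should get for a destination, and cross-checks that expectation against flow records in the JSON shape the agent logged above. The log lines are constructed to mirror the quoted one; the pod IP 10.12.1.23 is a placeholder for the value the report redacted, and the DNS resolver address 10.12.0.10 is likewise assumed. Peers of type podSelector/namespaceSelector need live pod IP lookups and are deliberately not evaluated.

```python
"""Added example, not code from the issue or from the aws-network-policy-agent
project: work out what a NetworkPolicy ipBlock with `except` should permit, and
cross-check the verdicts an enforcement agent logged against that expectation.
Log lines below are constructed to mirror the shape of the one quoted in the
issue; the pod IP 10.12.1.23 and resolver 10.12.0.10 are placeholders."""
import ipaddress
import json

# Egress rules from the issue's block-ec2-metadata policy: everything is
# allowed except the EC2 instance metadata address.
BLOCK_METADATA_EGRESS = [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}}]},
]

# Constructed flow records in the agent's JSON format: the first mirrors the
# issue (metadata reached, ACCEPT); the second is a DNS lookup the policy does
# allow; the third is a non-flow line the parser must skip.
SAMPLE_LOG_LINES = [
    '{"level":"info","timestamp":"2023-10-09T10:01:34.774Z","logger":"ebpf-client",'
    '"msg":"Flow Info:  ","Src IP":"10.12.1.23","Src Port":50878,'
    '"Dest IP":"169.254.169.254","Dest Port":80,"Proto":"TCP","Verdict":"ACCEPT"}',
    '{"level":"info","timestamp":"2023-10-09T10:01:35.102Z","logger":"ebpf-client",'
    '"msg":"Flow Info:  ","Src IP":"10.12.1.23","Src Port":41022,'
    '"Dest IP":"10.12.0.10","Dest Port":53,"Proto":"UDP","Verdict":"ACCEPT"}',
    '{"level":"info","timestamp":"2023-10-09T10:01:36.000Z","logger":"ebpf-client",'
    '"msg":"Reconciling policies"}',
]


def ip_block_allows(block, ip):
    """An ipBlock permits `ip` only if it is inside `cidr` and inside none of
    the `except` ranges; `except` carves holes out of `cidr`, it never adds."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(
        addr in ipaddress.ip_network(ex, strict=False)
        for ex in block.get("except", [])
    )


def allowed_ranges(block):
    """Expand `cidr` minus `except` into the concrete networks it permits, the
    set an enforcement engine has to end up programming."""
    remaining = [ipaddress.ip_network(block["cidr"], strict=False)]
    for ex in block.get("except", []):
        hole = ipaddress.ip_network(ex, strict=False)
        kept = []
        for net in remaining:
            if net.subnet_of(hole):
                continue  # entirely inside the hole: dropped
            if hole.subnet_of(net):
                kept.extend(net.address_exclude(hole))  # split around the hole
            else:
                kept.append(net)  # disjoint from the hole: untouched
        remaining = kept
    return sorted(remaining)


def expected_egress_verdict(egress_rules, ip):
    """Verdict for a pod selected by a policy whose policyTypes include Egress:
    a rule with no `to` allows every destination; otherwise the destination
    must be permitted by at least one peer. Nothing matched means DENY.
    Only ipBlock peers are evaluated here (selector peers need pod IP lookups)."""
    for rule in egress_rules:
        peers = rule.get("to")
        if not peers:
            return "ACCEPT"
        for peer in peers:
            block = peer.get("ipBlock")
            if block is not None and ip_block_allows(block, ip):
                return "ACCEPT"
    return "DENY"


def find_mismatches(egress_rules, log_lines):
    """Parse agent flow records and return (dest_ip, logged, expected) for every
    flow whose logged verdict disagrees with what the policy requires."""
    mismatches = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "Dest IP" not in rec or "Verdict" not in rec:
            continue
        expected = expected_egress_verdict(egress_rules, rec["Dest IP"])
        if expected != rec["Verdict"]:
            mismatches.append((rec["Dest IP"], rec["Verdict"], expected))
    return mismatches


if __name__ == "__main__":
    block = BLOCK_METADATA_EGRESS[0]["to"][0]["ipBlock"]
    print("permitted ranges:", [str(n) for n in allowed_ranges(block)])
    for dest, logged, expected in find_mismatches(BLOCK_METADATA_EGRESS, SAMPLE_LOG_LINES):
        print(f"MISMATCH dest={dest} logged={logged} expected={expected}")
```

Run against a copy of the real network-policy-agent.log, the mismatch list is the check the reporter did by eye: any ACCEPT for 169.254.169.254 while this policy selects the pod is the defect. Note that `allowed_ranges` for 0.0.0.0/0 minus a single /32 yields 32 disjoint networks, which is what an implementation that honours `except` has to represent; one that ignores it programs a single 0.0.0.0/0 entry. The policy in the issue is IPv4-only, so on an IPv6 cluster the IPv6 metadata endpoint fd00:ec2::254 would need its own ipBlock entry.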
@jayanthvn
Contributor

jayanthvn commented Oct 9, 2023

The issue is fixed and PR (#58) is merged to master. We will be cutting a release this week. I will be moving this issue to the network policy agent repo.

@jayanthvn jayanthvn transferred this issue from aws/amazon-vpc-cni-k8s Oct 9, 2023
@jdn5126
Contributor

jdn5126 commented Oct 13, 2023

Closing now that VPC CNI v1.15.1 is released on GitHub: https://github.com/aws/amazon-vpc-cni-k8s/releases/tag/v1.15.1. This release contains the Network Policy agent v1.0.4 image tag
