I've been trying to implement a network policy on my cluster (bare-metal k8s), and no policies seem to be applied to pods running on cluster nodes, only to pods running directly on the master.

What I've tried:

  • A single namespace with a master + node and the Calico CNI, using calicoctl with the k8s datastore (I can see the calico/calicoctl containers running on both nodes)
  • Both NetworkPolicy types (networking.k8s.io/v1 & projectcalico.org/v3)
  • Applying a simple deny-all ingress/egress policy and testing ping to 8.8.8.8 (the pod on the master gets blocked, pods on other nodes can still ping)

Appreciate your help

Unless you show what you've written in your network policy, it'll be really difficult to pinpoint the root cause of your trouble. (Mayank Verma)
You're right, sorry for not posting the config. Yesterday I finally managed to find a solution. (Daniel)

1 Answer


I found the problem was with the deployment, where I'd used 'hostNetwork', which uses a subnet that is not part of the pod network (and which Calico is thus unaware of).

Removing the 'hostNetwork: true' param made the container get a suitable IP, and network policies were applied to it.
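The practical check behind this answer is "which of the pods my policy selects are actually attached to the pod network?". The script below is an added example, not code from the answerer or from Calico: it reads the JSON that `kubectl get pods -A -o json` prints (a constructed, trimmed sample with invented names and IPs is embedded so it runs offline), evaluates a deny-all NetworkPolicy's namespace and `podSelector` the way the API does for `matchLabels`, and separates the selected pods into those the CNI can enforce on and those it cannot because they run with `hostNetwork: true` (a second, manifest-independent signal is `status.podIP == status.hostIP`). The policy object, label names and the `matchLabels`-only selector handling are assumptions made for the example.

```python
"""Audit which pods a NetworkPolicy can actually govern.

Pods with spec.hostNetwork: true share the node's network namespace and get
the node's IP, so a CNI such as Calico never attaches a policy to them.
"""
import json
import sys

# Constructed sample of `kubectl get pods -A -o json` output (trimmed).
# Note that kubectl omits hostNetwork entirely when it is false.
SAMPLE_POD_LIST = json.loads("""
{
  "items": [
    {"metadata": {"namespace": "default", "name": "web-abc12",
                  "labels": {"app": "web"}},
     "spec": {"nodeName": "master", "containers": [{"name": "web"}]},
     "status": {"podIP": "192.168.12.4", "hostIP": "10.0.0.10"}},
    {"metadata": {"namespace": "default", "name": "web-def34",
                  "labels": {"app": "web"}},
     "spec": {"nodeName": "node1", "hostNetwork": true,
              "containers": [{"name": "web"}]},
     "status": {"podIP": "10.0.0.11", "hostIP": "10.0.0.11"}},
    {"metadata": {"namespace": "kube-system", "name": "calico-node-x9z",
                  "labels": {"k8s-app": "calico-node"}},
     "spec": {"nodeName": "node1", "hostNetwork": true,
              "containers": [{"name": "calico-node"}]},
     "status": {"podIP": "10.0.0.11", "hostIP": "10.0.0.11"}}
  ]
}
""")

# Assumed deny-all policy for the 'default' namespace (empty podSelector
# selects every pod in that namespace).
DENY_ALL = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}


def is_host_network(pod):
    """True when the pod shares the node's network namespace.

    spec.hostNetwork is authoritative; podIP == hostIP is a fallback that
    is visible on any running pod even without its manifest.
    """
    if pod.get("spec", {}).get("hostNetwork", False):
        return True
    status = pod.get("status", {})
    pod_ip, host_ip = status.get("podIP"), status.get("hostIP")
    return bool(pod_ip) and pod_ip == host_ip


def selector_matches(selector, labels):
    """matchLabels evaluation only; matchExpressions are not handled here."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def selected_by(policy, pod):
    """A NetworkPolicy selects pods in its own namespace matching podSelector."""
    meta = pod["metadata"]
    if meta["namespace"] != policy["metadata"]["namespace"]:
        return False
    return selector_matches(policy["spec"]["podSelector"], meta.get("labels", {}))


def audit(pod_list, policy):
    """Return (enforced, not_enforced) lists of 'namespace/name' strings.

    not_enforced holds pods the policy selects but the CNI cannot act on
    because they use the host network.
    """
    enforced, not_enforced = [], []
    for pod in pod_list["items"]:
        if not selected_by(policy, pod):
            continue
        key = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        (not_enforced if is_host_network(pod) else enforced).append(key)
    return enforced, not_enforced


if __name__ == "__main__":
    # Pipe real data in: kubectl get pods -A -o json | python3 audit.py
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    enforced, not_enforced = audit(data, DENY_ALL)
    print("policy enforced on :", enforced)
    print("policy NOT enforced:", not_enforced, "(hostNetwork pods)")
```

On the sample, the master's pod `default/web-abc12` is enforced and the node's `default/web-def34` is reported as not enforced, which is exactly the symptom in the question; the calico-node pod is hostNetwork by design but sits in kube-system, so the default-namespace policy never selects it. A quicker manual version of the same check is `kubectl get pods -A -o wide` and looking for pods whose IP equals their node's IP.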