-
Notifications
You must be signed in to change notification settings - Fork 230
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AKS: edge case in Azure NPM policy enforcement #2786
Comments
Hi @oOraph, thanks for authoring this issue. In general, NPM does enforce policies properly, but it sounds like you discovered an edge case with NPM. Trying to decipher this scenario: it seems like we can reduce the problem to a NetworkPolicy allowing egress to all IPs/ports except your Node's private IP? So the NetworkPolicy should drop traffic from the Pod to its Node? Please let me know if I misinterpreted. |
you're right. Allowing anything but sth related to local node will show the issue (policy won't be enforced for pods deployed on the said node, but for others, filtering will be effective) |
This issue is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days |
comment anti-stale |
Hi @oOraph, would you be able to validate your scenario on an AKS cluster with Cilium? If that solves your problem, we would recommend using Cilium to enforce your network policies going forward. |
@huntergregory I tested with calico and did not reproduce. For cilium I did not test but I would bet it's not concerned either as many people use it with kubernetes for policy enforcement. Also note that switching the np manager on an existing aks cluster is not possible. One needs to remove it first (leaving the cluster with no policy enforcement for the migration time), then select the new one, with no node pool rolling upgrade, causing workload downtimes... |
Please reference this documentation: Upgrade an existing cluster to Azure CNI Powered by Cilium |
I should have specified "not possible without workload and, worse, policy enforcement downtime" (see note and warning in the doc page you point to) |
What happened:
Azure network policy manager does not enforce defined network policies on the local node.
For example if you define a network policy to filter out all egress traffic from the pod, the traffic going toward the local node private ip (not the public one if any) won't be filtered out.
Consequently any listening service on the private ip can be connected to (containerd, kubelet, ssh…).
What you expected to happen:
All specified traffic to be filtered out properly with no exception (other than the ones requested by the customer)
How to reproduce it:
Kubernetes Version:
The one proposed with AKS by default, at the time of reporting the issue (1.28 or so)
Kernel (e.g.
uname -a
):The one of azure aks nodes
The text was updated successfully, but these errors were encountered: