It looks like vpc cni doesn't respect `except` in network policy
sergei-ak opened this issue · 3 comments
sergei-ak commented
Hello! I was trying to implement a network policy with the VPC CNI addon and it looks like a CIDR with `except` doesn't work. I'm trying to allow access from my pod to 0.0.0.0/0 and deny access to internal subnets (including pods, services and instance metadata). And I can reach all IPs including internal services and pods, so it looks like the network policy agent just ignores `except`.
Could you clarify if it is supported?
EKS version:
```
Server Version: version.Info{Major:"1", Minor:"25+", GitVersion:"v1.25.12-eks-2d98532", GitCommit:"0aa16cf4fac4da27b9e9e9ba570b990867f6a3d8", GitTreeState:"clean", BuildDate:"2023-07-28T16:52:04Z", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"}
```
VPC CNI info:
```
➜ aws eks describe-addon --cluster-name xxx --addon-name vpc-cni --query addon.addonVersion --output text
v1.15.0-eksbuild.2
➜ kubectl -n kube-system get ds aws-node -o yaml | grep network-policy
        - --enable-network-policy=true
        image: 602401143452.dkr.ecr.us-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.0.2-eksbuild.1
➜ kubectl -n kube-system get cm amazon-vpc-cni -o yaml | grep -i network-policy
  enable-network-policy-controller: "true"
```
And here is the network policy:
```yaml
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-everything-but-rfc1918
spec:
  podSelector:
    matchLabels:
      app: network-policy-test
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.169.254/32
```
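The following is an added reference example, not code from the issue or from the VPC CNI / network policy agent projects. It evaluates the reporter's policy the way the Kubernetes NetworkPolicy spec defines `ipBlock` (a destination matches if it is inside `cidr` and outside every entry in `except`), so an engineer can see which destinations a correctly enforcing agent should allow or drop and compare that against what the pod actually reaches. It only handles `Egress` rules with `ipBlock` peers and no `ports` (exactly what the policy above uses); selector-based peers, ports and ingress are deliberately out of scope.

```python
import ipaddress

# Constructed Python copy of the NetworkPolicy posted in the issue.
POLICY = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-everything-but-rfc1918"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "network-policy-test"}},
        "policyTypes": ["Egress"],
        "egress": [
            {
                "to": [
                    {
                        "ipBlock": {
                            "cidr": "0.0.0.0/0",
                            "except": [
                                "10.0.0.0/8",
                                "172.16.0.0/12",
                                "192.168.0.0/16",
                                "169.254.169.254/32",
                            ],
                        }
                    }
                ]
            }
        ],
    },
}


def ipblock_matches(ipblock, ip):
    """True if ip is inside ipblock['cidr'] and outside every 'except' entry."""
    if ip not in ipaddress.ip_network(ipblock["cidr"], strict=False):
        return False
    for excluded in ipblock.get("except", []):
        if ip in ipaddress.ip_network(excluded, strict=False):
            return False
    return True


def egress_allowed(policy, dst_ip):
    """Decide whether a pod selected by `policy` may send to dst_ip.

    Semantics implemented (per the NetworkPolicy API, ipBlock peers only):
      * if 'Egress' is not in policyTypes, the policy does not restrict egress;
      * otherwise egress is allowed only if some rule matches;
      * a rule with an empty/missing 'to' list matches every destination;
      * a rule with peers matches if any ipBlock peer matches.
    """
    ip = ipaddress.ip_address(dst_ip)
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return True
    for rule in spec.get("egress", []):
        peers = rule.get("to")
        if not peers:
            return True
        for peer in peers:
            if "ipBlock" in peer and ipblock_matches(peer["ipBlock"], ip):
                return True
    return False


def check_destinations(policy, dst_ips):
    """Map each destination to the verdict a correct enforcer should produce."""
    return {dst: egress_allowed(policy, dst) for dst in dst_ips}


if __name__ == "__main__":
    # Constructed sample destinations: public DNS, a pod IP, IMDS, a service IP.
    for dst, allowed in check_destinations(
        POLICY, ["8.8.8.8", "10.0.1.5", "169.254.169.254", "192.168.1.10"]
    ).items():
        print(f"{dst:>16}: {'ALLOW' if allowed else 'DENY'}")
```

Running it prints ALLOW only for the public address; every RFC 1918 and IMDS destination is DENY. If a pod governed by this policy can still reach 10.0.1.5 or 169.254.169.254, the enforcing agent is not honouring `except`, which is the behaviour the issue reports and the linked agent fix addresses.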
jayanthvn commented
Hi, this is fixed on the nodeagent master branch and we will be releasing a new CNI/nodeagent version with the fix this week. Ref - aws/aws-network-policy-agent#58
sergei-ak commented
Thank you @jayanthvn, looking forward to it!
sergei-ak commented
Yep, it works, thank you!