advanced-policy won't work
xeor opened this issue · 3 comments
I have an on-premise test cluster using the newest versions of kubernetes, canal to-date.
Doing default kubernetes `NetworkPolicy` works, but using `calicoctl` and trying to add more advanced rules does not.
Everything works as expected as I see it, but calico is weird.
- It does not add any profiles (`calicoctl get profile`), at all..
- Nor do I see any under `etcdctl ls /calico/v1/policy --recursive`
- Nor do I see any under
- I can create policies, but the cluster acts as if they are not there.. Even a deny all policy does nothing.
- I can't find any changes in the iptables rules after adding policies, on any of the hosts.
- There are no logs in `canal-* calico-node` when using `calicoctl`, but I see log entries when using `NetworkPolicy`.
It feels like `calicoctl` writes to its own etcd, that is not the same as `kubernetes` uses.
I can only find 1 etcd running on my hosts, the default 127.0.0.1:2379
I tried setting `FELIX_LOGSEVERITYSYS` to `debug`, but it does still show me only `INFO` logs, even tho I've verified that the environment is actually `debug`.. Another bug?
How can I debug further?
Hey @xeor - if you're using this manifest (kubernetes datastore driver) then the advanced policy features of Calico aren't yet available, but will be in a future release of Calico.
If you'd like to use the advanced policy features, you'll need to use the etcd datastore driver version of canal, which supports the full set of Calico policy APIs.
thanks for the reply @caseydavenport! Should it say a line or two about that in the docs?
I'm in the experimenting phase of kubernetes, so I'll probably wait till canal supports it out of the box.
Do you have any idea how high on the priority-list that feature is? I can't find any issue tracking that..