How to check if network policy have been applied to pod?
GKE uses calico for implementing network policy. You need to enable network policy for master and nodes before applying a network policy. You can verify whether calico is enabled by looking for calico pods in the kube-system namespace.
kubectl get pods --namespace=kube-system
To verify the network policies you can use the following commands.
kubectl get networkpolicy
kubectl describe networkpolicy <networkpolicy-name>
When you run the following, you can check the label used for the pod selector:
k describe netpol <networkpolicy-name>
Name:         <networkpolicy-name>
Namespace:    default
Created on:   2020-06-08 15:19:12 -0500 CDT
Labels:       <none>
Annotations:
Spec:
  PodSelector:     app=nginx
The pod selector shows you which labels this netpol is applied to. Then you can list all the pods with this label by:
k get pods -l app=nginx
NAME                              READY   STATUS    RESTARTS   AGE
nginx-deployment-f7b9c7bb-5lt8j   1/1     Running   0          19h
nginx-deployment-f7b9c7bb-cf69l   1/1     Running   0          19h
nginx-deployment-f7b9c7bb-cxghn   1/1     Running   0          19h
nginx-deployment-f7b9c7bb-ppw4t   1/1     Running   0          19h
nginx-deployment-f7b9c7bb-v76vr   1/1     Running   0          19h
Debug with netcat (nc):
$ kubectl exec <openvpnpod> -- nc -zv -w 5 <domain> <port>
P.S.: To deny all egress traffic, you do not need to declare the spec.egress
key as an empty array; however, it has the same effect:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: policy-openvpn
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: openvpn
  policyTypes:
  - Egress
ref: https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/network-policy-v1/
- egress ([]NetworkPolicyEgressRule) ... If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). ...
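Added example, not code from either answer: a small offline Python check that does what the `describe netpol` and `get pods -l` steps above do by hand (evaluate the policy's podSelector against pod labels, scoped to the policy's namespace) and also encodes the P.S. point that a listed policy type with no rules denies all traffic in that direction. It goes beyond the answers by handling matchExpressions and the API's policyTypes defaulting. The manifest and pod records are constructed samples in the shape of `kubectl ... -o json` output; pod names such as `openvpn-7d9f-abcde` are assumed.

```python
# Added example: offline check of which pods a NetworkPolicy selects and what it isolates.
# Inputs are plain dicts shaped like `kubectl get netpol/pods -o json` (constructed samples).
from typing import Dict, List

def selector_matches(selector: Dict, labels: Dict[str, str]) -> bool:
    """Kubernetes label selector: matchLabels AND matchExpressions; {} matches all pods."""
    if any(labels.get(k) != v for k, v in (selector.get("matchLabels") or {}).items()):
        return False
    for e in selector.get("matchExpressions") or []:
        key, op, vals = e["key"], e["operator"], e.get("values") or []
        if (op == "In" and labels.get(key) not in vals) or \
           (op == "NotIn" and labels.get(key) in vals) or \
           (op == "Exists" and key not in labels) or \
           (op == "DoesNotExist" and key in labels):
            return False
    return True

def effective_policy_types(spec: Dict) -> set:
    """API defaulting: Ingress is always affected; Egress only if an egress section exists."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def selected_pods(policy: Dict, pods: List[Dict]) -> List[str]:
    """Names of pods in the policy's own namespace that match spec.podSelector."""
    ns = policy["metadata"].get("namespace", "default")
    sel = policy["spec"].get("podSelector") or {}
    return sorted(p["metadata"]["name"] for p in pods
                  if p["metadata"].get("namespace", "default") == ns
                  and selector_matches(sel, p["metadata"].get("labels") or {}))

def isolation(policy: Dict) -> Dict[str, str]:
    """Per affected direction: 'deny all' when the type is listed but carries no rules."""
    spec = policy["spec"]
    return {d: ("deny all" if not spec.get(d.lower())
                else f"allow only {len(spec[d.lower()])} rule(s)")
            for d in sorted(effective_policy_types(spec))}

# Constructed sample: the policy-openvpn manifest from the answer above, plus three pods
# (assumed names); the third pod carries the right label but lives in another namespace.
POLICY = {"metadata": {"name": "policy-openvpn", "namespace": "default"},
          "spec": {"podSelector": {"matchLabels": {"app": "openvpn"}},
                   "policyTypes": ["Egress"]}}
PODS = [{"metadata": {"name": "openvpn-7d9f-abcde", "namespace": "default",
                      "labels": {"app": "openvpn"}}},
        {"metadata": {"name": "nginx-deployment-f7b9c7bb-5lt8j", "namespace": "default",
                      "labels": {"app": "nginx"}}},
        {"metadata": {"name": "openvpn-other-ns", "namespace": "vpn",
                      "labels": {"app": "openvpn"}}}]
```

Running `selected_pods(POLICY, PODS)` returns only the default-namespace openvpn pod, and `isolation(POLICY)` reports egress as "deny all" because policyTypes lists Egress with no egress rules.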