# k3s
l
Hey folks, my namespace has all ingress/egress controlled via network policies. However, I'm having some trouble adding a network policy that allows for egress to the API server. This doesn't work:
```yaml
egress:
    - to:
      - ipBlock:
          cidr: fda5:1234:5::1/128 # kubernetes svc is listening on fda5:1234:5::1
      ports:
      - protocol: TCP
        port: 443
```
Am I missing something?
Given that this service isn't backed by a pod, this actually won't work at all, will it? Huh, is this impossible?
Yeah, not even `- namespaceSelector: {}` works. Hmm...
It works if I add my server IP and port 6443. That's... not great
c
Yeah that's not a normal service. I don't think you can target it with netpol
l
What is the typical approach for doing this, then?