# k3d
m
I read in https://k3d.io/v5.4.1/usage/advanced/calico/?h=networkpolicy:
If you want to use NetworkPolicy you can use Calico in k3s instead of Flannel.
Which implies that when I don't use calico then network policies don't work. Is that correct?
w
Hey 👋 Exactly, K3s comes with pure Flannel by default, see also https://rancher.com/docs/k3s/latest/en/installation/network-options/ (it's a K3s config, not k3d)
m
Thanks for the quick response! I'm not familiar with all of these things yet, so I'll have to ask some basic questions. Are network policies not applied/in effect when using Flannel?
w
No, Flannel does not support Network policies. It's required to at least combine it with e.g. Calico to use Network policies. See the last section in "Networking Details" here: https://github.com/flannel-io/flannel
m
Thanks! 🙂
👍 1
I'm not using calico or similar as far as I can see, but I'm experiencing that a network policy is actually in effect regardless. Could that be possible?
w
Can you provide any more details? Also, since this seems to be K3s itself, you may want to post to #k3s as well 👍
m
Ah ok, thanks! So the fact that I'm using k3d here should not really matter?
w
Key inside is still the same, yep. But I also don't know yet what issue you're having.
From the K3s docs:
Most CNI plugins come with their own network policy engine, so it is recommended to set --disable-network-policy as well to avoid conflicts
--disable-network-policy (components) Disable k3s default network policy controller
So there is a network policy controller
m
My frontend application (running in namespace `client`) logs this:
```
FetchError: request to http://api.api.svc.cluster.local:8000/organizations failed, reason: connect ECONNREFUSED 10.42.0.13:8000
```
My api (running in namespace `api`) has this network policy right now:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: api
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress: []
#    - ports:
#        - protocol: TCP
#          port: 8000
```
My test here is to see what happened when I commented out the `ingress` part of my network policy. With those lines commented out, the frontend gets a `connect ECONNREFUSED` when trying to talk with my api. --- When I have those lines not commented out (I'm recreating the local cluster just to be sure), my frontend is indeed able to communicate with the api (i.e. it does not log that connect ECONNREFUSED thing).
Ah, that explains it! There is a default network policy controller! Thanks! 🙂
w
m
Yeah looks like others have been confused like me: https://github.com/k3s-io/k3s/issues/1308#issuecomment-620635948
😁 1
w
Yeah, new for me as well as I never used it in k3d 🤷‍♂️
m
Thank you very much for your time!
w
You're welcome
Thank you very much for your support! 🙂☕
🙏 1
c
I think we mention it in the docs, but we include the network policy controller from kube-router
πŸ‘ 1
m
Thorsten: Does it make sense to change the wording of https://k3d.io/v5.4.1/usage/advanced/calico/?h=networkpolicy%3A? I find
If you want to use NetworkPolicy you can use Calico in k3s instead of Flannel.
Confusing when network policies are actually enforced by default. Want me to submit a pr to change the wording?
w
Oh yes, I guess that makes sense. Also I saw it doesn't mention setting `--disable-network-policy` which is required to use Calico's NetworkPolicy functionality and disable the K3s' built-in one. I'll happily accept a PR 🙂
m
https://github.com/k3d-io/k3d/pull/1081 - please feel free to nitpick
❤️ 1
Out of curiosity: When is https://k3d.io/v5.4.3/usage/advanced/calico/ updated? Is it when this github action is triggered? https://github.com/k3d-io/k3d/actions/runs/2456178260 - If so: How is that triggered?
w
Usually only on tag/release, but I will update it manually
m
More off-topic, for my own curiosity: Is there a way to update docs for old versions? My change just now applies to multiple versions of k3d. Will my change be visible on multiple version docs? For ex these:
• https://k3d.io/v5.4.3/usage/advanced/calico/
• https://k3d.io/v5.4.2/usage/advanced/calico/
• https://k3d.io/v5.4.1/usage/advanced/calico/
Or will it only be visible in the "latest" one?
w
It's active 👍
🙏 1
m
I see now that it's visible in https://k3d.io/v5.4.3/usage/advanced/calico/ but not in https://k3d.io/v5.4.2/usage/advanced/calico/. I guess that's ok 🙂
Thanks!
w
Change will only be active for the most recent version. It would require some Git Fu to update older versions
👌 1
Thank you!
m
A shortcoming of mkdocs and similar that's hard to fix without a lot of complexity, I guess?
w
Well, docs are stored in the same repo as the code, meaning also versioned the same. To get your commit into the v5.4.1 docs for example, we would have to insert it just before/after the v5.4.1 tag, so it won't include v5.4.2 docs. Then use `mike` to re-deploy that version of the docs. Then rebase all the commits after that onto the newly inserted one.
Mkdocs itself doesn't do versioning. `mike` is used for that 👍
👌 1
(alternatively, one could checkout the gh-pages branch and copy the rendered html from one version folder to the other, which would be a pretty bad thing to do)
m
Thanks!