https://rancher.com/ logo
Join Slack
Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Powered by Linen
Title
m

melodic-market-42092

06/07/2022, 11:22 AM
Are network policies applied/in effect by default with k3d when I start the cluster with 
k3d cluster create $CLUSTER_NAME
and without any configuration files?
I read in https://k3d.io/v5.4.1/usage/advanced/calico/?h=networkpolicy:
If you want to use NetworkPolicy you can use Calico in k3s instead of Flannel.
Which implies that when I don't use calico then network policies don't work. Is that correct?
w

wide-garage-9465

06/07/2022, 11:24 AM
Hey πŸ‘‹ Exactly, K3s comes with pure Flannel by default, see also https://rancher.com/docs/k3s/latest/en/installation/network-options/ (it's a K3s config, not k3d)
m

melodic-market-42092

06/07/2022, 11:25 AM
Thanks for the quick response! I'm not familiar with all of these things yet, so I'll have to ask some basic questions. Are network policies not applied/in effect when using Flannel?
w

wide-garage-9465

06/07/2022, 11:29 AM
No, Flannel does not support Network policies. It's required to at least combine it with e.g. Calico to use Network policies. See the last section in "Networking Details" here: https://github.com/flannel-io/flannel
m

melodic-market-42092

06/07/2022, 11:31 AM
Thanks! πŸ™‚
πŸ‘ 1
I'm not using calico or similar as far as I can see, but I'm experiencing that a network policy is actually in effect regardless. Could that be possible?
w

wide-garage-9465

06/07/2022, 11:53 AM
Can you provide any more details? Also, since this seems to be K3s itself, you may want to post to #k3s as well πŸ‘
m

melodic-market-42092

06/07/2022, 11:53 AM
Ah ok, thanks! So the fact that I'm using k3d here should not really matter?
w

wide-garage-9465

06/07/2022, 11:54 AM
Key inside is still the same, yep. But I also don't know yet what issue you're having.
From the K3s docs:
Most CNI plugins come with their own network policy engine, so it is recommended to set --disable-network-policy as well to avoid conflicts
--disable-network-policy (components) Disable k3s default network policy controller
So there is a network policy controller
m

melodic-market-42092

06/07/2022, 11:58 AM
My frontend application (running in namespace 
client
) logs this: 
FetchError: request to <http://api.api.svc.cluster.local:8000/organizations> failed, reason: connect ECONNREFUSED 10.42.0.13:8000
My api (running in namespace 
api
) has this network policy right now: 
apiVersion: <http://networking.k8s.io/v1|networking.k8s.io/v1>
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: api
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress: []
#    - ports:
#        - protocol: TCP
#          port: 8000
My test here is to see what happened when I commented out the 
ingress
-part of my network policy. With those lines commented out, the frontend gets a 
connect ECONNREFUSED
then trying to talk with my api. --- When I have those lines not commented out (I'm recreating the local cluster just to be sure), my frontend is indeed able to communicate with the api. (i.e. it does not log that connect econnrefused-thing)
Ah, that explains it! These is an default network policy controller! Thanks! πŸ™‚
w

wide-garage-9465

06/07/2022, 12:00 PM
https://github.com/k3s-io/k3s/issues/1308
m

melodic-market-42092

06/07/2022, 12:00 PM
Yeah looks like others have been confused like me: https://github.com/k3s-io/k3s/issues/1308#issuecomment-620635948
😁 1
w

wide-garage-9465

06/07/2022, 12:00 PM
Yeah, new for me as well as I never used it in k3d πŸ€·β€β™‚οΈ
m

melodic-market-42092

06/07/2022, 12:01 PM
Thank you very much for your time!
w

wide-garage-9465

06/07/2022, 12:01 PM
You're welcome
Thank you very much for your support! πŸ™‚β˜•
πŸ™ 1
c

creamy-pencil-82913

06/07/2022, 3:20 PM
I think we mention it in the docs, but we include the network policy controller from kube-router
πŸ‘ 1
m

melodic-market-42092

06/07/2022, 5:47 PM
Thorsten: Does it make sense to change the wording of https://k3d.io/v5.4.1/usage/advanced/calico/?h=networkpolicy%3A? I find
If you want to use NetworkPolicy you can use Calico in k3s instead of Flannel.
Confusing when network policies are actually enforced by default. Want me to submit a pr to change the wording?
w

wide-garage-9465

06/07/2022, 5:53 PM
Oh yes, I guess that makes sense. Also I saw it doesn't mention setting 
--disable-network-policy
which is required to use Calico's NetworkPolicy functionality and disable the K3s' built-in one. I'll happily accept a PRπŸ™‚
m

melodic-market-42092

06/07/2022, 6:04 PM
https://github.com/k3d-io/k3d/pull/1081 - please feel free to nitpick
❀️ 1
Out of curiosity: When is https://k3d.io/v5.4.3/usage/advanced/calico/ updated? Is it when this github action is triggered? https://github.com/k3d-io/k3d/actions/runs/2456178260 - If so: How is that triggered?
w

wide-garage-9465

06/07/2022, 6:28 PM
Usually only on tag/release, but I will update it manually
m

melodic-market-42092

06/07/2022, 6:30 PM
More off-topic, for my own curiosity: Is there a way to update docs for old versions? My change just now applies to multiple versions of k3d. Will my change be visible on multiple version docs? For ex these: β€’ https://k3d.io/v5.4.3/usage/advanced/calico/ β€’ https://k3d.io/v5.4.2/usage/advanced/calico/ β€’ https://k3d.io/v5.4.1/usage/advanced/calico/ Or will it only be visible in the "latest" one?
w

wide-garage-9465

06/07/2022, 6:30 PM
It's active πŸ‘
πŸ™ 1
m

melodic-market-42092

06/07/2022, 6:31 PM
I see now that it's visible in https://k3d.io/v5.4.3/usage/advanced/calico/ but not in https://k3d.io/v5.4.2/usage/advanced/calico/. I guess that's ok πŸ™‚
Thanks!
w

wide-garage-9465

06/07/2022, 6:31 PM
Change will only be active for the most recent version. It would require some Git Fu to update older versions
πŸ‘Œ 1
Thank you!
m

melodic-market-42092

06/07/2022, 6:32 PM
A shortcoming of mkdocs and similar that's hard to fix without a lot of complexity, I guess?
w

wide-garage-9465

06/07/2022, 8:35 PM
Well, docs are stored in the same repo as the code, meaning also versioned the same. To get your commit into the v5.4.1 docs for example, we would have to insert it just before/after the v5.4.1 tag, so it won't include v5.4.2 docs. Then use 
mike
to re-deploy that version of the docs. Then rebase all the commits after that onto the newly inserted one.
Mkdocs itself doesn't do versioning. 
mike
is used for that πŸ‘
πŸ‘Œ 1
(alternatively, one could checkout the gh-pages branch and copy the rendered html from one version folder to the other, which would be a pretty bad thing to do)
m

melodic-market-42092

06/08/2022, 9:06 AM
Thanks!
View count: 34
Back to #k3dJoin thread in Slack