How to allow ClusterIP by selector?

jc-lab · November 14, 2020, 10:01am

Hi,

I want to allow external access to ClusterIP of specific services.
I tried as follows, but the Rule is created as Pod IP.

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: rook-ceph-allow-cluster-ip
spec:
  order: 10
  applyOnForward: true
  ingress:
  - action: Allow
    destination:
      namespaceSelector: namespace.cluster.local.io == 'rook-ceph'
      selector: app == 'rook-ceph-mon'
  preDNAT: true
  selector: has(host-endpoint)

Name: cali40s:wDHQoEWkVYY1xFSxA1sTwvL
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 640
References: 1
Number of entries: 3
Members:
172.25.173.219 (Pod IP)
172.19.15.237 (Pod IP)
172.25.173.211 (Pod IP)

lwr20 · November 16, 2020, 9:10am

It is expected that the rule would be created with Pod IPs. The Cluster IP gets DNATted by a rule installed by kube-proxy (if you’re running in iptables mode) to the Pod IP, so it is correct to use the pod IP in the rule.

Are you seeing an actual problem? What happens when you access the pod IP from outside the cluster? (I’m wondering if you need to advertise the service IP).

jc-lab · November 16, 2020, 2:52pm

Thank you for response.
PodIP cannot be accessed from outside the cluster.
I will open a new discussion for how to PodIP routing.

jc-lab · November 24, 2020, 11:05pm

I want to reopen this discuss.
When access ClusterIP(k8s Service) from outside, has situation need access control.