We have set up our K8s cluster on an OpenStack environment using stacks. Our requirement is to have multiple interfaces, so we are using Multus CNI, which further uses Calico CNI as the primary networking plugin.
Now, with this configuration, when I try to set up a NetworkPolicy based on a namespace, it works perfectly for the default eth0 interface, but the policy rules are not applied to the other interfaces created by Multus, i.e. net0, net1, etc. (mapped to eth1, eth2… inside the Pod).
I am testing with a basic deny all NetworkPolicy:
```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: development
spec:
  selector: all()
  types:
    - Ingress
    - Egress
```
When I try to test with a simple ICMP ping, the policy is working for the default interface:
```
bash-4.2# ping 184.108.40.206
PING 220.127.116.11 (18.104.22.168) 56(84) bytes of data.
^C
--- 22.214.171.124 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3076ms
```
But it doesn’t seem to work for additional interfaces in the same Pod:
```
bash-4.2# ping 126.96.36.199
PING 188.8.131.52 (184.108.40.206) 56(84) bytes of data.
64 bytes from 220.127.116.11: icmp_seq=1 ttl=64 time=1.38 ms
64 bytes from 18.104.22.168: icmp_seq=2 ttl=64 time=0.680 ms
64 bytes from 22.214.171.124: icmp_seq=3 ttl=64 time=0.507 ms
^C
--- 126.96.36.199 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.507/0.855/1.380/0.378 ms
```
Can anyone please suggest if anything is missing, or is this expected behaviour?
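
An added example, not part of the original post: a Python audit that reads the `k8s.v1.cni.cncf.io/network-status` annotation Multus writes on each pod and lists the non-default interfaces in a namespace, which are the ones where the default-deny policy above was observed not to apply. The pod names, network names and addresses in the sample are constructed, and the function names are hypothetical; real input would be `kubectl get pods -A -o json` output.

```python
import json

# Annotation Multus writes on each pod, one JSON entry per attached interface.
NETWORK_STATUS_KEY = "k8s.v1.cni.cncf.io/network-status"

def secondary_interfaces(pod):
    """Return [(interface, network, ips)] for attachments not marked default."""
    meta = pod.get("metadata", {})
    raw = meta.get("annotations", {}).get(NETWORK_STATUS_KEY)
    if not raw:
        return []  # no Multus status recorded: only the primary interface
    try:
        status = json.loads(raw)
    except json.JSONDecodeError:
        raise ValueError(f"unparseable network-status on pod {meta.get('name')}")
    return [(e.get("interface", "?"), e.get("name", "?"), e.get("ips", []))
            for e in status if not e.get("default", False)]

def audit(pod_list, namespace):
    """Map pod name -> secondary interfaces for every pod in `namespace`."""
    findings = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        if meta.get("namespace") != namespace:
            continue
        extra = secondary_interfaces(pod)
        if extra:
            findings[meta.get("name")] = extra
    return findings

def _pod(name, namespace, status=None):
    # Helper that builds a constructed pod record for the sample below.
    ann = {NETWORK_STATUS_KEY: json.dumps(status)} if status is not None else {}
    return {"metadata": {"name": name, "namespace": namespace, "annotations": ann}}

# Constructed sample shaped like a Kubernetes pod list.
SAMPLE = {"items": [
    _pod("app-a", "development", [
        {"name": "k8s-pod-network", "interface": "eth0", "ips": ["10.0.0.5"], "default": True},
        {"name": "development/net0", "interface": "eth1", "ips": ["192.0.2.10"]},
        {"name": "development/net1", "interface": "eth2", "ips": ["198.51.100.10"]}]),
    _pod("app-b", "development"),  # primary interface only
    _pod("app-c", "staging", [{"name": "staging/net0", "interface": "eth1", "ips": ["192.0.2.20"]}]),
]}

if __name__ == "__main__":
    for pod, ifaces in audit(SAMPLE, "development").items():
        for iface, net, ips in ifaces:
            print(f"{pod}: {iface} ({net}) {ips} is not the default interface")
```
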