Getting opposite result #21
Comments
Hi Shreya,
This is not the case, the CoreDNS plugin will tell pods in the cluster to send their traffic to the egress gateway deployments it has launched in its namespace, which are fronted by individual Kubernetes Services for each hostname fronted by each egress gateway deployment.
This is expected, as this policy essentially requires all pods in the namespace of this policy to have an ingress policy in the egress-operator's namespace accepting their egress traffic sent via egress gateways instead.
The reason your pod cannot talk to Google via the gateway is because the format of the label you've given does not match the NetworkPolicy created for that egress gateway (https://github.com/monzo/egress-operator/blob/master/controllers/networkpolicy.go#L74). To see what label is expected, do For example, in your case if the egress gateway's name was
I already tried this label:
Hi, Requirement curl 7.52.1 root@nginx:/# curl https://github.com -v
externalServicegit.yaml
testPod.yaml
@shreya-bhatnagar were you able to resolve the issue? If yes, can you explain the steps? Thanks.
Just like issue-8 I am also getting opposite result. I have applied the external service yaml, but instead of allowing google.com it's blocking google.com and allowing other calls. What possibly am I doing wrong?
My ExternalService.yaml
My testpod.yaml
From testpod curl -v https://google.com is blocking and other urls are allowed. As per operator's Readme, I need a default-deny-Egress K3s policy also, therefore I applied that too. But after applying default-deny-Egress policy all egress calls including google.com (the one whitelisted) is blocking from testpod.
Default-Deny-All-Egress.yaml
Note:
1. I am not seeing logs in egress-operator-controller-manager pod while any curl command is fired from testpod, I assumed that after deploying this operator all egress calls will go via egress-controller-manager. Therefore it should come in logs.
2. Logs of google-76566579bc-jzggg pod created after applying ExternalService.yaml:
3. Network policies description:
Please let me know what am I missing here and how can I make this operator work?