Terraform-provider-kubernetes: Looks like the kubernetes_network_policy resource creates a syntactically incorrect policy.

Created on 18 Mar 2019  ·  9 Comments  ·  Source: hashicorp/terraform-provider-kubernetes

Summary

I wrote a kubernetes_network_policy with an egress for opening one port, with namespace and pod selectors:

Terraform Version

Terraform v0.11.13
provider.kubernetes v1.5.2

Affected Resource(s)

  • kubernetes_network_policy

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

egress = [
  {
    ports = [
      {
        port     = "2579"
        protocol = "TCP"
      },
    ]

    to = [
      {
        namespace_selector {
          match_labels = {
            name = "default"
          }
        }
      },
      {
        pod_selector {
          match_labels = {
            component = "nmi"
          }
        }
      },
    ]
  },
]

Expected Behavior

I expect a valid network policy

Actual Behavior

The code deploys a valid network policy at first look, but it doesn't work.

Here is how the block deployed with Terraform looks (from kubectl edit mode):

[screenshot: scn-20190318-191331-cem1p]

And here is how I edited it to make it work (kubectl edit mode):

[screenshot: scn-20190318-191223-voniv]

So, the reason the policy did not work was that dash near the "to" block and its indent...

Is there any logic or syntax error in my code?
Or is this just a bug?

Thank you in advance!

All 9 comments

Hi @AndreyChugunkovDevPro,

the YAML examples you are showing are just two different network policies.

You should be able to achieve what you want by changing your partial configuration example to the following definition:

egress = [
  {
    ports = [
      {
        port     = "2579"
        protocol = "TCP"
      },
    ]
  },
  {
    to = [
      {
        namespace_selector {
          match_labels = {
            name = "default"
          }
        }
      },
      {
        pod_selector {
          match_labels = {
            component = "nmi"
          }
        }
      },
    ]
  },
]

Thank you @pdecat !

Looks like it works for me.

Can you please explain the logical difference between my examples?
Because we also have some policies configured like the 1st example and it seems they work ok...

The first policy applies an _and_ operator to the egress rules while the second applies an _or_ operator.

Are you using multiple namespaces?

~If that's the case, your issue could be that you're trying to use a pod_selector in a to rule to select pods in another namespace but last time I checked, that is not yet supported by kubernetes CNI plugins.~

A very good reference on how network policies work: https://github.com/ahmetb/kubernetes-network-policy-recipes/
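The logical difference asked about above can be made concrete by evaluating the layouts discussed in this thread against a few candidate destinations. The script below is an added example, not code from this issue or from the Terraform provider. It models the NetworkPolicy egress semantics (rules in the `egress` list are ORed; `ports` and `to` inside one rule are ANDed; a `namespaceSelector` and a `podSelector` inside the same `to` entry are ANDed, while separate `to` entries are ORed; a bare `podSelector` only selects pods in the policy's own namespace). The policy namespace `test-io`, the destination pods and their labels are constructed sample values, and `ipBlock` peers are not modelled.

```python
"""Added example: evaluate Kubernetes NetworkPolicy egress semantics for the
three rule layouts discussed in this thread. Not part of the issue or provider."""

POLICY_NS = "test-io"  # constructed: namespace the policy is applied in


def selector_matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, dest):
    """One element of `to`. A namespaceSelector and a podSelector in the SAME
    element are ANDed; a podSelector on its own is scoped to the policy's namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, dest["nsLabels"]):
            return False
        return pod_sel is None or selector_matches(pod_sel, dest["podLabels"])
    if pod_sel is not None:
        return dest["ns"] == POLICY_NS and selector_matches(pod_sel, dest["podLabels"])
    return False  # ipBlock peers are not modelled here


def rule_allows(rule, dest):
    """One egress rule: `ports` and `to` in the same rule are ANDed; an omitted
    or empty list on either side means "match everything" for that side."""
    ports, to = rule.get("ports"), rule.get("to")
    port_ok = not ports or any(
        p.get("protocol", "TCP") == dest["protocol"] and str(p["port"]) == str(dest["port"])
        for p in ports
    )
    to_ok = not to or any(peer_matches(peer, dest) for peer in to)
    return port_ok and to_ok


def egress_allowed(rules, dest):
    """Rules in the `egress` list are ORed; an empty list denies all egress."""
    return any(rule_allows(r, dest) for r in rules)


# The three layouts, expressed as the manifest the provider would render.
PORT_2579 = [{"port": 2579, "protocol": "TCP"}]
NS_DEFAULT = {"namespaceSelector": {"matchLabels": {"name": "default"}}}
POD_NMI = {"podSelector": {"matchLabels": {"component": "nmi"}}}

POLICIES = {
    # layout from the issue body: one rule, selectors as separate `to` entries
    "one_rule_separate_peers": [{"ports": PORT_2579, "to": [NS_DEFAULT, POD_NMI]}],
    # layout from the first reply: ports and peers split into two rules
    "two_rules": [{"ports": PORT_2579}, {"to": [NS_DEFAULT, POD_NMI]}],
    # both selectors in a single `to` entry (the shape of the kube-dns policy)
    "one_rule_combined_peer": [{"ports": PORT_2579, "to": [{**NS_DEFAULT, **POD_NMI}]}],
}

# Constructed sample destinations: (namespace, its labels, pod labels, port).
DESTINATIONS = {
    "nmi_in_default_2579": {"ns": "default", "nsLabels": {"name": "default"},
                            "podLabels": {"component": "nmi"}, "port": 2579, "protocol": "TCP"},
    "other_pod_in_default_443": {"ns": "default", "nsLabels": {"name": "default"},
                                 "podLabels": {"app": "web"}, "port": 443, "protocol": "TCP"},
    "nmi_in_own_ns_2579": {"ns": POLICY_NS, "nsLabels": {"name": POLICY_NS},
                           "podLabels": {"component": "nmi"}, "port": 2579, "protocol": "TCP"},
    "nmi_in_staging_2579": {"ns": "staging", "nsLabels": {"name": "staging"},
                            "podLabels": {"component": "nmi"}, "port": 2579, "protocol": "TCP"},
}


def evaluate(policy_name):
    """Return {destination name: allowed?} for one of the layouts above."""
    rules = POLICIES[policy_name]
    return {name: egress_allowed(rules, dest) for name, dest in DESTINATIONS.items()}


if __name__ == "__main__":
    for name in POLICIES:
        print(name)
        for dest, allowed in evaluate(name).items():
            print(f"  {dest:28} {'ALLOW' if allowed else 'deny'}")
```

Running it shows that the one-rule layout with separate peers allows port 2579 to any pod in `default` or to `nmi` pods in the policy's own namespace; the two-rule layout additionally allows port 2579 to every destination (the first rule has no `to`) and every port to the selected peers (the second rule has no `ports`), so it is the broadest of the three; and putting both selectors into one `to` entry limits egress to port 2579 on `nmi` pods in `default` only. When reviewing a policy, it is therefore worth checking whether a selector pair was meant to be ANDed (one entry) or ORed (two entries), since both render as valid YAML.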

> The first policy applies an _and_ operator to the egress rules while the second applies an _or_ operator.
>
> Are you using multiple namespaces?
>
> If that's the case, your issue could be that you're trying to use a pod_selector in a to rule to select pods in another namespace but last time I checked, that is not yet supported by kubernetes CNI plugins.

Yes, I'm using multiple namespaces.

I have dns network policy which looks like this:

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  creationTimestamp: 2019-03-18T17:28:19Z
  generation: 3
  name: test-io-dns
  namespace: test-io
  resourceVersion: "45025"
  selfLink: /apis/extensions/v1beta1/namespaces/test-io/networkpolicies/test-io-dns
  uid: 3906068a-49a3-11e9-884b-769caf4c9de0
spec:
  egress:
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
    to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
  podSelector:
    matchLabels:
      app: test-io
      release: test-io
  policyTypes:
  - Egress

So, the policy itself belongs to the test-io namespace,
and in the "to" block there are selectors for the "kube-system" namespace.

This policy seems to work fine, because when I remove it, I'm not able to resolve any DNS in the test-io namespace...

Is this what you meant regarding the unsupported function of selecting pods in another namespace in kubernetes CNI plugins?

I'm a bit confused, because if this DNS policy works, then my egress policy with the 1st syntax ("and" operator) should also work...

My bad, turns out this has been supported since kubernetes 1.11: https://github.com/kubernetes/kubernetes/pull/60452

Depends on the CNI plugin implementation though.

Anyway, that's really an issue with kubernetes usage, not with the terraform provider as the generated kubernetes manifests are correct.

> Anyway, that's really an issue with kubernetes usage, not with the terraform provider as the generated kubernetes manifests are correct.

Agree.

Thank you again for your help!

@AndreyChugunkovDevPro can this issue be closed? (I cannot do it myself)
