AndrewC666
Flight Engineer

Network policy question - Worth saying I'm doing this on CRC

I've created two projects and labeled them network=red and network=blue respectively.

```
andrew@fed:~/play$ oc get project blue --show-labels
NAME   DISPLAY NAME   STATUS   LABELS
blue                  Active   kubernetes.io/metadata.name=blue,network=blue,networktest=blue,pod-security.kubernetes.io/audit-version=latest,pod-security.kubernetes.io/audit=restricted,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=restricted
andrew@fed:~/play$ oc get project red --show-labels
NAME   DISPLAY NAME   STATUS   LABELS
red                   Active   kubernetes.io/metadata.name=red,network=red,pod-security.kubernetes.io/audit-version=latest,pod-security.kubernetes.io/audit=restricted,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=restricted
```

Created an Apache and an nginx container and put them on different ports.

Created 2 Ubuntu containers to test from, one in the blue project and one in the red project. From the blue and red projects I can access them if I don't have a network policy.
```
root@blue:/# curl -I http://nginx-example.blue:8888
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 13 Dec 2025 19:11:12 GMT
Content-Type: text/html
Content-Length: 37451
Last-Modified: Sat, 13 Dec 2025 19:08:19 GMT
Connection: keep-alive
ETag: "693db9a3-924b"
Accept-Ranges: bytes

root@blue:/# curl -I http://httpd-example.blue:8080
HTTP/1.1 200 OK
Date: Sat, 13 Dec 2025 19:11:23 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Last-Modified: Sat, 13 Dec 2025 18:55:34 GMT
ETag: "924b-645d9ec3e7580"
Accept-Ranges: bytes
Content-Length: 37451
Content-Type: text/html; charset=UTF-8

root@blue:/#
```

```
root@red:/# curl -I http://httpd-example.blue:8080
HTTP/1.1 200 OK
Date: Sat, 13 Dec 2025 19:35:24 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Last-Modified: Sat, 13 Dec 2025 18:55:34 GMT
ETag: "924b-645d9ec3e7580"
Accept-Ranges: bytes
Content-Length: 37451
Content-Type: text/html; charset=UTF-8

root@red:/# curl -I http://nginx-example.blue:8888
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 13 Dec 2025 19:35:29 GMT
Content-Type: text/html
Content-Length: 37451
Last-Modified: Sat, 13 Dec 2025 19:08:19 GMT
Connection: keep-alive
ETag: "693db9a3-924b"
Accept-Ranges: bytes

root@red:/#

```

Then I add a network policy.

```
oc get networkpolicies.networking.k8s.io/andrew-blue-policy -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2025-12-13T19:19:18Z"
  generation: 1
  name: andrew-blue-policy
  namespace: blue
  resourceVersion: "190887"
  uid: a4a7f41a-7ae9-41a6-938d-990f54e84b4b
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network: red
      podSelector: {}
    - podSelector: {}
      namespaceSelector:
        matchLabels:
          network: blue
  podSelector: {}
  policyTypes:
  - Ingress
```

I create another project, put another Ubuntu VM in it, try to access, and can't; this is what I expect because I didn't label it.

```
root@pink:/# curl -I http://httpd-example.blue:8080
```

I then delete that policy (I just wanted it there to show something was working) and add a port. I was hoping that would allow port 8080 from either the red or blue labeled network, but it seems to still allow everything?

```
oc get networkpolicies/allow8080toblue -n blue -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2025-12-13T19:36:34Z"
  generation: 4
  name: allow8080toblue
  namespace: blue
  resourceVersion: "193399"
  uid: 427f7cee-d94a-4091-9bc2-abc1ad52f879
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network: blue
      podSelector: {}
    - namespaceSelector:
        matchLabels:
          network: red
      podSelector: {}
    ports:
    - port: 8080
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress
```

But when I query from red or blue it allows everything?

```
root@red:/# curl -I http://httpd-example.blue:8080
HTTP/1.1 200 OK
Date: Sat, 13 Dec 2025 19:51:58 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Last-Modified: Sat, 13 Dec 2025 18:55:34 GMT
ETag: "924b-645d9ec3e7580"
Accept-Ranges: bytes
Content-Length: 37451
Content-Type: text/html; charset=UTF-8

root@red:/# curl -I http://nginx-example.blue:8888
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 13 Dec 2025 19:52:00 GMT
Content-Type: text/html
Content-Length: 37451
Last-Modified: Sat, 13 Dec 2025 19:08:19 GMT
Connection: keep-alive
ETag: "693db9a3-924b"
Accept-Ranges: bytes

root@red:/#
```

What am I misunderstanding about this?

```
andrew@fed:~/play$ oc get pods -n red
NAME   READY   STATUS    RESTARTS   AGE
red    1/1     Running   0          66m
andrew@fed:~/play$ oc get pods -n blue
NAME                             READY   STATUS      RESTARTS   AGE
blue                             1/1     Running     0          66m
httpd-example-1-build            0/1     Completed   0          58m
httpd-example-5654894d5f-zjzm8   1/1     Running     0          57m
nginx-example-1-build            0/1     Completed   0          45m
nginx-example-7bd8768ffd-2cxlw   1/1     Running     0          45m
andrew@fed:~/play$
```
```
andrew@fed:~/play$ oc get services
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
httpd-example   ClusterIP   10.217.5.60    <none>        8080/TCP   21m
nginx-example   ClusterIP   10.217.4.165   <none>        8888/TCP   8m23s
andrew@fed:~/play$ oc project
Using project "blue" on server "https://api.crc.testing:6443".
andrew@fed:~/play$
```


Created 2 ubuntu containers to test from, one in the blue project one in the red project. From the blue and red projects I can access if I dont have a network policy.
```
root@blue:/# curl -I http://nginx-example.blue:8888
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 13 Dec 2025 19:11:12 GMT
Content-Type: text/html
Content-Length: 37451
Last-Modified: Sat, 13 Dec 2025 19:08:19 GMT
Connection: keep-alive
ETag: "693db9a3-924b"
Accept-Ranges: bytes

root@blue:/# curl -I http://httpd-example.blue:8080
HTTP/1.1 200 OK
Date: Sat, 13 Dec 2025 19:11:23 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Last-Modified: Sat, 13 Dec 2025 18:55:34 GMT
ETag: "924b-645d9ec3e7580"
Accept-Ranges: bytes
Content-Length: 37451
Content-Type: text/html; charset=UTF-8

root@blue:/#
```

```
root@red:/# curl -I http://httpd-example.blue:8080
HTTP/1.1 200 OK
Date: Sat, 13 Dec 2025 19:35:24 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Last-Modified: Sat, 13 Dec 2025 18:55:34 GMT
ETag: "924b-645d9ec3e7580"
Accept-Ranges: bytes
Content-Length: 37451
Content-Type: text/html; charset=UTF-8

root@red:/# curl -I http://nginx-example.blue:8888
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 13 Dec 2025 19:35:29 GMT
Content-Type: text/html
Content-Length: 37451
Last-Modified: Sat, 13 Dec 2025 19:08:19 GMT
Connection: keep-alive
ETag: "693db9a3-924b"
Accept-Ranges: bytes

root@red:/#

```

Then I add a network policy.

oc get networkpolicies.networking.k8s.io/andrew-blue-policy -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2025-12-13T19:19:18Z"
  generation: 1
  name: andrew-blue-policy
  namespace: blue
  resourceVersion: "190887"
  uid: a4a7f41a-7ae9-41a6-938d-990f54e84b4b
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network: red
      podSelector: {}
    - podSelector: {}
          namespaceSelector:
            matchLabels:
              network: blue
  podSelector: {}
  policyTypes:
  - Ingress

I create another project and put another ubuntu vm in try to access and cant; this is what I expect because I didnt label it.

root@pink:/# curl -I http://httpd-example.blue:8080

I then delete that policy; I just wanted it there to show something was working and add a port.
I was hoping that that would allow port 8080 from either the red or blue labeled network but it
 seems to still allow everything ?

```oc get networkpolicies/allow8080toblue -n blue -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2025-12-13T19:36:34Z"
  generation: 4
  name: allow8080toblue
  namespace: blue
  resourceVersion: "193399"
  uid: 427f7cee-d94a-4091-9bc2-abc1ad52f879
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network: blue
      podSelector: {}
    - namespaceSelector:
        matchLabels:
          network: red
      podSelector: {}
    ports:
    - port: 8080
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress
```

but it when I query from red or blue it allows everything ?

root@red:/# curl -I http://httpd-example.blue:8080
HTTP/1.1 200 OK
Date: Sat, 13 Dec 2025 19:51:58 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Last-Modified: Sat, 13 Dec 2025 18:55:34 GMT
ETag: "924b-645d9ec3e7580"
Accept-Ranges: bytes
Content-Length: 37451
Content-Type: text/html; charset=UTF-8

root@red:/# curl -I http://nginx-example.blue:8888
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 13 Dec 2025 19:52:00 GMT
Content-Type: text/html
Content-Length: 37451
Last-Modified: Sat, 13 Dec 2025 19:08:19 GMT
Connection: keep-alive
ETag: "693db9a3-924b"
Accept-Ranges: bytes

root@red:/#


andrew@fed:~/play$ oc get pods -n red
NAME   READY   STATUS    RESTARTS   AGE
red    1/1     Running   0          66m
andrew@fed:~/play$ oc get pods -n blue
NAME                             READY   STATUS      RESTARTS   AGE
blue                             1/1     Running     0          66m
httpd-example-1-build            0/1     Completed   0          58m
httpd-example-5654894d5f-zjzm8   1/1     Running     0          57m
nginx-example-1-build            0/1     Completed   0          45m
nginx-example-7bd8768ffd-2cxlw   1/1     Running     0          45m
andrew@fed:~/play$


I thought that the namespace selector says anything coming from the namespace with the network=blue label can access port 8080, not 8080 and 8888?

Thanks,
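As an added example (not code from the original post or from OpenShift), the following Python models how a CNI evaluates a NetworkPolicy: the `ports` list is matched against the destination pod's container port, after the Service has already translated the dialled port into its targetPort. If the nginx-example Service maps 8888 to a targetPort of 8080 (an assumption here; the OpenShift nginx s2i template listens on 8080 by default), the 8080 rule admits that traffic too. The policy dict mirrors the poster's allow8080toblue; the Service port mappings are constructed.

```python
# Added example, not code from the original post: evaluate a NetworkPolicy the way the
# CNI does, against the pod targetPort a Service forwards to, not the Service port.
# ASSUMPTION: the nginx pod listens on 8080 and only its Service port is 8888.

ALLOW_8080_TO_BLUE = {  # spec of the poster's allow8080toblue policy, as a dict
    "podSelector": {},
    "policyTypes": ["Ingress"],
    "ingress": [{
        "from": [
            {"namespaceSelector": {"matchLabels": {"network": "blue"}}, "podSelector": {}},
            {"namespaceSelector": {"matchLabels": {"network": "red"}}, "podSelector": {}},
        ],
        "ports": [{"port": 8080, "protocol": "TCP"}],
    }],
}

SERVICES = {  # constructed: the port a client dials vs. the targetPort on the pod
    "httpd-example": {"port": 8080, "targetPort": 8080},
    "nginx-example": {"port": 8888, "targetPort": 8080},  # assumption, see above
}

def selector_matches(selector, labels):
    # matchLabels semantics: every listed key/value must be present; {} matches all
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src_ns_labels, src_pod_labels, same_ns):
    # a peer with a namespaceSelector may span namespaces; one without is scoped to the policy's own
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], src_ns_labels):
            return False
    elif not same_ns:
        return False
    return selector_matches(peer.get("podSelector", {}), src_pod_labels)

def port_matches(ports, pod_port, proto="TCP"):
    # an absent ports list allows every port; otherwise the destination pod port must be listed
    return not ports or any(p.get("protocol", "TCP") == proto and p["port"] == pod_port for p in ports)

def ingress_allowed(policy, src_ns_labels, src_pod_labels, same_ns, pod_port):
    # True if some ingress rule admits this source to this destination pod port
    for rule in policy.get("ingress", []):
        peers = rule.get("from")
        src_ok = not peers or any(peer_matches(p, src_ns_labels, src_pod_labels, same_ns) for p in peers)
        if src_ok and port_matches(rule.get("ports"), pod_port):
            return True
    return False

def curl_allowed(service, src_ns_labels, src_pod_labels=None, same_ns=False, policy=ALLOW_8080_TO_BLUE):
    # resolve the Service to its targetPort first; that is the port the policy is evaluated against
    return ingress_allowed(policy, src_ns_labels, src_pod_labels or {}, same_ns, SERVICES[service]["targetPort"])
```

To check the real cluster, compare `oc get svc nginx-example -n blue -o jsonpath='{.spec.ports[*].targetPort}'` with the Service port; if they differ, the policy's `ports` entry must name the targetPort the pod actually listens on.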

