Describe the bug
Add an ACNP, for example:
```yaml
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: default-ns-isolation
spec:
  priority: 2
  tier: baseline
  appliedTo:
    - namespaceSelector: {}  # Selects all Namespaces in the cluster
  ingress:
    - action: Allow
      from:
        - namespaces:
            match: self  # Allow from Pods from same Namespace
      name: AllowFromSameNS
      enableLogging: false
    - action: Drop
      from:
        - namespaceSelector: {}  # Drop from Pods from all other Namespaces
      name: DropFromAllOtherNS
      enableLogging: true
  egress:
    - action: Allow
      to:
        - namespaces:
            match: self  # Allow to Pods from same Namespace
      name: AllowToSameNS
      enableLogging: false
    - action: Drop
      to:
        - namespaceSelector: {}  # Drop to Pods from all other Namespaces
      name: DropToAllOtherNS
      enableLogging: true
```
But the pods in the same namespace also cannot ping each other.
```
[root@node-04 ~]# kubectl get po -A -owide |grep test
test-1 test-app-1-6bdx5 1/1 Running 6 55d 10.224.1.5 tos-06 <none> <none>
test-1 test-app-1-brmzs 1/1 Running 6 55d 10.224.0.5 tos-04 <none> <none>
test-1 test-app-1-zrcgr 1/1 Running 6 55d 10.224.2.10 tos-05 <none> <none>
[root@node-04 ~]# kubectl exec -ti -n test-1 test-app-1-brmzs -- ping 10.224.1.5
PING 10.224.1.5 (10.224.1.5) 56(84) bytes of data.
^C
--- 10.224.1.5 ping statistics ---
925 packets transmitted, 0 received, 100% packet loss, time 1120ms
```
The currently supported NamespaceMatchType is `Self`, so following the configuration in the guide document https://antrea.io/docs/v1.4.0/docs/antrea-network-policy/ will not work well.
```go
// NamespaceMatchType describes Namespace matching strategy.
type NamespaceMatchType string

const (
	NamespaceMatchSelf NamespaceMatchType = "Self"
)
```
Versions:
Antrea 1.4.0
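
A check that would flag the lowercase `self` from the policy above before it is applied, as an added example that is not part of the original issue and not Antrea's own code. `PeerNamespaces` and `ValidateMatch` are hypothetical names; only the type and constant come from the snippet quoted in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// NamespaceMatchType and NamespaceMatchSelf mirror the snippet quoted in the issue.
type NamespaceMatchType string

const NamespaceMatchSelf NamespaceMatchType = "Self"

// supportedMatchTypes lists the values this check accepts (only "Self", per the issue).
var supportedMatchTypes = []NamespaceMatchType{NamespaceMatchSelf}

// PeerNamespaces is a hypothetical, reduced form of a rule peer's `namespaces` field.
type PeerNamespaces struct {
	Rule  string
	Match NamespaceMatchType
}

// ValidateMatch (hypothetical helper) accepts only an exact, case-sensitive
// match and suggests the canonical spelling when only the case differs.
func ValidateMatch(p PeerNamespaces) error {
	for _, s := range supportedMatchTypes {
		if p.Match == s {
			return nil
		}
		if strings.EqualFold(string(p.Match), string(s)) {
			return fmt.Errorf("rule %s: namespaces.match %q is not supported, did you mean %q?", p.Rule, p.Match, s)
		}
	}
	return fmt.Errorf("rule %s: namespaces.match %q is not supported (supported: %v)", p.Rule, p.Match, supportedMatchTypes)
}

func main() {
	// Constructed input: the two Allow peers from the policy in the issue, plus a corrected one.
	peers := []PeerNamespaces{
		{"AllowFromSameNS", "self"},
		{"AllowToSameNS", "self"},
		{"AllowFromSameNS", "Self"},
	}
	for _, p := range peers {
		if err := ValidateMatch(p); err != nil {
			fmt.Println("REJECT:", err)
			continue
		}
		fmt.Printf("OK: rule %s match=%s\n", p.Rule, p.Match)
	}
}
```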