From cf80f24b4abe4c3cf7b97ce424c2f8f58bc5f5d2 Mon Sep 17 00:00:00 2001 From: Nadia Pinaeva Date: Tue, 7 Mar 2023 17:03:18 +0100 Subject: [PATCH] Clarify network policy behaviour for hostNetwork pods Signed-off-by: Nadia Pinaeva --- .../services-networking/network-policies.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/content/en/docs/concepts/services-networking/network-policies.md b/content/en/docs/concepts/services-networking/network-policies.md index 7f747e134b..b4704c6b4e 100644 --- a/content/en/docs/concepts/services-networking/network-policies.md +++ b/content/en/docs/concepts/services-networking/network-policies.md @@ -354,6 +354,46 @@ For example, a newly-created pod that is supposed to be able to reach both Pod A on Node 1 and Pod B on Node 2 may find that it can reach Pod A immediately, but cannot reach Pod B until a few seconds later. +## NetworkPolicy and `hostNetwork` pods + +NetworkPolicy behaviour for `hostNetwork` pods is undefined, but it should be limited to 2 possibilities: +- The network plugin can distinguish `hostNetwork` pod traffic from all other traffic + (including being able to distinguish traffic from different `hostNetwork` pods on + the same node), and will apply NetworkPolicy to `hostNetwork` pods just like it does + to pod-network pods. +- The network plugin cannot properly distinguish `hostNetwork` pod traffic, + and so it ignores `hostNetwork` pods when matching `podSelector` and `namespaceSelector`. + Traffic to/from `hostNetwork` pods is treated the same as all other traffic to/from the node IP. + (This is the most common implementation.) + +This applies when +1. a `hostNetwork` pod is selected by `spec.podSelector`. + + ```yaml + ... + spec: + podSelector: + matchLabels: + role: client + ... + ``` + +2. a `hostNetwork` pod is selected by a `podSelector` or `namespaceSelector` in an `ingress` or `egress` rule. + + ```yaml + ... + ingress: + - from: + - podSelector: + matchLabels: + role: client + ... + ``` + +At the same time, since `hostNetwork` pods have the same IP addresses as the nodes they reside on, +their connections will be treated as node connections. For example, you can allow traffic +from a `hostNetwork` Pod using an `ipBlock` rule. + ## What you can't do with network policies (at least, not yet) As of Kubernetes {{< skew currentVersion >}}, the following functionality does not exist in the