Namespace isolation not works

[hswong3i]

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT

Environment:

• Cloud provider or hardware configuration:
  Ubuntu 16.04 LTS on Aliyun

• OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"):

Linux 4.13.0-36-generic x86_64
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

• Version of Ansible (ansible --version):

ansible 2.4.3.0
  config file = None
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 20160609]

Kubespray version (commit) (git rev-parse --short HEAD):
https://github.com/hswong3i/kubespray/tree/master
I patched with something, but basically rebased with latest master branch :-P

Network plugin used:
Calico

Copy of your inventory file:
root@c11:/opt/kubespray# cat inventory/c11/hosts

[all]
node11 	 ansible_host=172.31.54.1 ip=172.31.54.1
node12 	 ansible_host=172.31.54.2 ip=172.31.54.2
node13 	 ansible_host=172.31.54.3 ip=172.31.54.3
node14 	 ansible_host=172.31.54.4 ip=172.31.54.4
node15 	 ansible_host=172.31.54.5 ip=172.31.54.5
node16 	 ansible_host=172.31.54.6 ip=172.31.54.6
node17 	 ansible_host=172.31.54.7 ip=172.31.54.7
node18 	 ansible_host=172.31.54.0 ip=172.31.54.0

[kube-master]
node11 	 
node12 	 

[kube-node]
node11 	 
node12 	 
node13 	 
node14 	 
node15 	 
node16 	 
node17 	 
node18 	 

[etcd]
node11 	 
node12 	 
node13 	 

[k8s-cluster:children]
kube-node 	 
kube-master 	 

[calico-rr]

[vault]
node11 	 
node12 	 
node13 

Command used to invoke ansible:

ansible-playbook -i inventory/c11/hosts cluster.yml --diff

Output of ansible run:

No error message, the deployment basically works.

Anything else do we need to know:

root@c11:/opt/kubespray# cat inventory/c11/group_vars/all.yml

bootstrap_os: none
etcd_data_dir: /var/lib/etcd
bin_dir: /usr/local/bin
kubelet_load_modules: true
docker_storage_options: -s overlay2
docker_version: edge
kubelet_fail_swap_on: false
disable_ipv6_dns: true

Core changes for this issue on inventory/c11/group_vars/k8s-cluster.yml :

enable_network_policy: true
kube_proxy_mode: ipvs
ingress_nginx_enabled: true

I have 2 namespace, production and staging, which target to have isolation setup as mentioned as below:

• DENY all traffic from other namespaces
• ALLOW all traffic from a namespace

Therefore expected result should be:

• Pods traffic between production and staging are blocked
• Pods traffic inside the same namespace are allowed
• Allow pods from namespace ingress-nginx to access both production and staging as ingress controller

BTW, once setup the first NetworkPolicy as DENY all traffic from other namespaces, all traffic INSIDE the same namespace also get blocked.

Anyone try similar setup with Kubespray before and able to get it works with Calico?

[hswong3i]

Ok it is not working now for both Calico and Weave:

• Network policy isolation between namespaces does not prevent access  projectcalico/calico#1049
• DENY all traffic from other namespaces weaveworks/weave#3222