Hello,
We have set up our K8s cluster on an OpenStack environment using stacks. Our requirement is to have multiple interfaces, so we are using Multus CNI, which further uses Calico CNI as the primary networking plugin.
Now with this configuration, when I try to set up a NetworkPolicy based on a namespace, it works perfectly for the default eth0 interface, but the policy rules are not applied to the other interfaces created by Multus, i.e. net0, net1 etc. (mapped to eth1, eth2… inside the Pod).
I am testing with a basic deny all NetworkPolicy:
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: development
spec:
  selector: all()
  types:
  - Ingress
  - Egress
When I try to test with a simple ICMP ping, the policy is working for the default interface:
bash-4.2# ping 192.153.4.238
PING 192.153.4.238 (192.153.4.238) 56(84) bytes of data.
^C
--- 192.153.4.238 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3076ms
But it doesn’t seem to work for additional interfaces in the same Pod:
bash-4.2# ping 192.145.7.137
PING 192.145.7.137 (192.145.7.137) 56(84) bytes of data.
64 bytes from 192.145.7.137: icmp_seq=1 ttl=64 time=1.38 ms
64 bytes from 192.145.7.137: icmp_seq=2 ttl=64 time=0.680 ms
64 bytes from 192.145.7.137: icmp_seq=3 ttl=64 time=0.507 ms
^C
--- 192.145.7.137 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.507/0.855/1.380/0.378 ms
Can anyone please suggest if anything is missing or is this an expected behaviour?
Regards
Deepak