Wrong behaving order or misunderstanding with GlobalNetworkPolicy

Introduction:
I'm trying to create two global policies:
1. Allow every egress communication in the scope, in order to have nothing important blocked
2. Deny egress communication to our namespace

  • I know this can be done in an easier way; I have to solve a more complicated problem and don't understand why it behaves that way

Expected behavior: policies get applied in order and communication is blocked, as the second policy is applied after the first one and so it denies the traffic.

Our behavior:
No traffic is blocked if I curl from the nginx namespace to our namespace.

If I switch the order, so the second policy becomes the lower-ordered one, it's blocking the content, even though it has an allow afterwards with policy one.

Following the documentation, our policies should work in the first case: "control the order/sequence of applying network policies, you can use the order field (with precedence from the lowest value to highest). Defining policy order is important when you include both action: allow and action: deny rules that may apply to the same endpoint.
In the following example, the policy allow-cluster-internal-ingress (order: 10) will be applied before the policy drop-other-ingress (order: 20)."

We use Calico version: v3.21.6 in AKS
Policy one:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
 name: a-all
spec:
 selector: projectcalico.org/namespace == "ingress-nginx"
 order: 3000
 types:
 - Egress
 egress:
 - action: Allow

Policy two:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: d-all
spec:
  selector: projectcalico.org/namespace == "ingress-nginx"
  order: 4000
  types:
  - Egress
  egress:
  - action: Deny
    destination:
      selector: projectcalico.org/namespace == "our_namespace"

I strongly recommend bringing this to the Calico slack https://slack.projectcalico.org where someone can help you with this policy.
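
The ordering behaviour discussed in this thread, as an added example (not part of either post and not Calico's own code): a simplified single-tier model in which policies are sorted from lowest to highest order and the first matching Allow or Deny rule is final. The Rule and Policy classes, evaluate_egress and build are hypothetical names, namespace selectors are reduced to plain string matches, and Pass/Log actions are left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                           # "Allow" or "Deny"
    dest_namespace: Optional[str] = None  # None matches any destination


@dataclass
class Policy:
    name: str
    order: float
    source_namespace: str                 # stands in for the policy selector
    egress: List[Rule]


def evaluate_egress(policies, src_ns, dst_ns) -> Tuple[str, Optional[str]]:
    """Return (verdict, name of the policy that decided) for one egress flow."""
    # Lowest order is evaluated first; equal orders fall back to the name.
    applicable = sorted((p for p in policies if p.source_namespace == src_ns),
                        key=lambda p: (p.order, p.name))
    if not applicable:
        return "Allow", None              # no policy selects this endpoint
    for policy in applicable:
        for rule in policy.egress:
            if rule.dest_namespace in (None, dst_ns):
                # First matching Allow/Deny ends evaluation; later
                # policies are never consulted for this flow.
                return rule.action, policy.name
    return "Deny", None                   # selected by policy, nothing matched


def build(allow_order, deny_order):
    """The two policies from the question, with configurable order values."""
    return [
        Policy("a-all", allow_order, "ingress-nginx", [Rule("Allow")]),
        Policy("d-all", deny_order, "ingress-nginx",
               [Rule("Deny", "our_namespace")]),
    ]


if __name__ == "__main__":
    for allow_order, deny_order in [(3000, 4000), (4000, 3000)]:
        for dst in ("our_namespace", "other"):
            verdict = evaluate_egress(build(allow_order, deny_order),
                                      "ingress-nginx", dst)
            print(f"allow={allow_order} deny={deny_order} dst={dst}: {verdict}")
```

In this model the unconditional Allow at order 3000 decides every flow before the Deny at order 4000 is reached, while giving the narrower Deny the lower order blocks only traffic to our_namespace and lets the later Allow handle the rest.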