Kubernetes: fix global network policy (#1235)

YuryHrytsuk · web-flow · commit 566d3bfb0950 · 2025-10-20T10:10:50.000+02:00
global network policy was misconfigured so that it allowed all traffic. By setting correct value structure this is fixed. Proper global network policy discovered a wrong RUT network policy that was correctly adjusted. Bonus: * Imrpove calico network policy debug documentation Related issue/s * #1226
diff --git a/charts/calico-configuration/README.md b/charts/calico-configuration/README.md
@@ -15,6 +15,7 @@ if calico version 3.30+ is installed
 
 if calico version <= 3.29
 * create network policy with action log (read more https://docs.tigera.io/calico/latest/network-policy/policy-rules/log-rules)
+* WARNING: these logs are shown in journalctl **of the node where restricted workload (POD / Container) is running**
   ```yaml
   apiVersion: projectcalico.org/v3
   kind: NetworkPolicy
diff --git a/charts/calico-configuration/templates/globalpolicy.yaml b/charts/calico-configuration/templates/globalpolicy.yaml
@@ -26,10 +26,11 @@ spec:
     # IP from https://github.com/kubernetes-sigs/kubespray/blob/v2.24.1/roles/kubespray-defaults/defaults/main/main.yml#L108
     - action: Allow
       protocol: UDP
-      nets:
-        - 169.254.25.10/32
-      ports:
-        - 53
+      destination:
+        nets:
+          - 169.254.25.10/32
+        ports:
+          - 53
     - action: Allow
       protocol: TCP
       destination:
@@ -38,7 +39,8 @@ spec:
           - 53
     - action: Allow
       protocol: TCP
-      nets:
-        - 169.254.25.10/32
-      ports:
-        - 53
+      destination:
+        nets:
+          - 169.254.25.10/32
+        ports:
+          - 53
diff --git a/charts/simcore-charts/resource-usage-tracker/templates/networkpolicy.yaml b/charts/simcore-charts/resource-usage-tracker/templates/networkpolicy.yaml
@@ -25,18 +25,20 @@ spec:
     - action: Allow
       protocol: TCP
       destination:
-        nets:
-          - 10.0.0.0/8
-          - 192.168.0.0/16
-          - 172.16.0.0/12
+        # currently public IPs are used
+        # nets:
+        #   - 10.0.0.0/8
+        #   - 192.168.0.0/16
+        #   - 172.16.0.0/12
         ports:
           - {{ .Values.networkPolicyEgressPorts.redis }}
     - action: Allow
       protocol: TCP
       destination:
-        nets:
-          - 10.0.0.0/8
-          - 192.168.0.0/16
-          - 172.16.0.0/12
+        # currently public IPs are used
+        # nets:
+        #   - 10.0.0.0/8
+        #   - 192.168.0.0/16
+        #   - 172.16.0.0/12
         ports:
           - {{ .Values.networkPolicyEgressPorts.rabbit }}
