Calico, when running under Minikube, doesn’t enforce Network Policies by default, leaving your pods wide open.
# First, let's see what policies are currently being enforced (likely none)
kubectl get networkpolicies --all-namespaces
# You'll probably see an empty list. Now, let's enable Calico's network policy enforcement.
# This involves modifying the Calico configuration within your Minikube cluster.
# The exact command depends on how you installed Minikube and Calico, but typically
# you'll be modifying a ConfigMap or a Custom Resource Definition (CRD).
# For a standard Minikube setup with Calico installed via its operator,
# you'll likely edit the CalicoConfig CR.
kubectl edit calicoconfig default -n kube-system
# Look for a section like this:
# apiVersion: operator.tigera.io/v1
# kind: Installation
# metadata:
#   name: default
# spec:
#   calicoNetwork:
#     ipPools:
#     - cidr: 192.168.0.0/16
#       encapsulation: VXLAN
#       natOutgoing: Enabled
#       nodeSelector: all()
#     # This is the crucial part to enable network policies
#     policy:
#       type: Calico
# If 'policy.type' is commented out or set to 'None', change it to 'Calico'.
# The full entry should look like this:
#   policy:
#     type: Calico
# Save and exit the editor. Kubernetes will detect the change and Calico pods
# will be reconfigured. This might take a minute or two.
# After the change, you should see the Calico pods restart in the kube-system namespace.
kubectl get pods -n kube-system | grep calico
# Once the Calico pods are back up and running, let's verify that network policies
# are now being enforced. We'll create a simple test case.
# First, deploy two sample applications, 'frontend' and 'backend'.
kubectl create deployment frontend --image=nginx --port=80
kubectl create deployment backend --image=nginx --port=80
# Expose them as services.
kubectl expose deployment frontend --port=80 --target-port=80 --name=frontend-svc
kubectl expose deployment backend --port=80 --target-port=80 --name=backend-svc
# Now, let's create a Network Policy that DENIES all ingress traffic to the 'backend' pods.
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  # By not specifying any ingress rules, all ingress is denied.
EOF
# Attempt to access the backend service from the frontend pod.
# First, get the cluster IP of the backend service.
BACKEND_CLUSTER_IP=$(kubectl get service backend-svc -o jsonpath='{.spec.clusterIP}')
# Now, try to curl the backend service from a shell inside the frontend pod.
# -sS hides the progress meter but still prints errors; --max-time bounds the wait,
# because a policy drop otherwise leaves curl hanging until its own timeout.
kubectl exec deploy/frontend -- curl -sS --max-time 5 "http://$BACKEND_CLUSTER_IP"
# This command should FAIL (timeout or connection refused; curl exits 28 on a timeout),
# indicating the NetworkPolicy is working. If it succeeds, something is still not
# right with the Calico configuration.
# To allow traffic from frontend to backend, you'd add a rule:
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
EOF
# Now, try the curl command again:
kubectl exec deploy/frontend -- curl -sS --max-time 5 "http://$BACKEND_CLUSTER_IP"
# This should SUCCEED (the nginx welcome page is printed).
# The reason this works is that Calico, by default, operates in a mode where it
# understands and enforces Kubernetes NetworkPolicy resources. When you edit the
# CalicoConfig CR and set `policy.type: Calico`, you're telling the Calico CNI
# plugin to actively inspect incoming and outgoing traffic for pods and to drop
# packets that violate any defined NetworkPolicy. Without this setting, Calico
# might be installed but not configured to act as a firewall.
# If you encounter issues after this, the next error you'll likely hit is related
# to DNS resolution if your NetworkPolicies are too restrictive and inadvertently
# block access to CoreDNS.
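# To make the rule semantics behind the two manifests above (and the CoreDNS
# caveat) concrete, here is an added Python example that is not part of the
# original walkthrough: a small, offline evaluator of Kubernetes NetworkPolicy
# semantics. It transcribes the page's two manifests as dicts and adds two
# constructed egress policies (deny-all-egress, allow-dns-egress) plus
# constructed pods, including a CoreDNS pod carrying the standard
# k8s-app=kube-dns label in kube-system; it models matchLabels selectors and
# numeric ports only (no matchExpressions, ipBlock or named ports). What the
# evaluator returns is what an enforcing CNI must do on the wire; if the
# curl results in the cluster disagree with it, enforcement is not active.

```python
"""Offline evaluator for Kubernetes NetworkPolicy ingress/egress decisions.

Added example, not code from the original walkthrough. Models matchLabels
selectors and numeric ports only (no matchExpressions, ipBlock, named ports).
"""


def _selector_matches(selector, labels):
    """matchLabels semantics: every wanted label must be present with that
    value. An empty selector {} matches everything, as in the API."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, pod, policy_ns):
    """A 'from'/'to' peer. podSelector alone means pods in the policy's own
    namespace; podSelector + namespaceSelector in one peer must both match."""
    if "ipBlock" in peer:
        return False  # CIDR peers are out of scope for this model
    pod_ok = ns_ok = True
    if "podSelector" in peer:
        pod_ok = _selector_matches(peer["podSelector"], pod["labels"])
        if "namespaceSelector" not in peer:
            ns_ok = pod["namespace"] == policy_ns
    if "namespaceSelector" in peer:
        ns_ok = _selector_matches(peer["namespaceSelector"], pod["ns_labels"])
    return pod_ok and ns_ok


def _ports_match(rule_ports, port, protocol):
    # A rule without 'ports' matches every port and protocol.
    if not rule_ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port
               for p in rule_ports)


def is_allowed(policies, src, dst, port, protocol="TCP", direction="Ingress"):
    """True if src -> dst:port/protocol is allowed in the given direction.

    A pod is *isolated* for a direction if any policy in its namespace selects
    it and lists that direction in policyTypes. An isolated pod accepts only
    connections matched by some rule of some selecting policy; policies are
    additive, so no policy can take away what another grants."""
    subject, peer = (dst, src) if direction == "Ingress" else (src, dst)
    isolated = False
    for pol in policies:
        spec, pol_ns = pol["spec"], pol["metadata"].get("namespace", "default")
        if pol_ns != subject["namespace"]:
            continue
        if not _selector_matches(spec.get("podSelector", {}), subject["labels"]):
            continue
        # Default policyTypes: Ingress always, Egress only if egress rules exist.
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if direction not in types:
            continue
        isolated = True
        for rule in spec.get(direction.lower()) or []:
            peers = rule.get("from" if direction == "Ingress" else "to")
            peer_ok = not peers or any(_peer_matches(p, peer, pol_ns) for p in peers)
            if peer_ok and _ports_match(rule.get("ports"), port, protocol):
                return True
    return not isolated


# The page's two manifests, transcribed as dicts.
DENY_ALL_INGRESS_TO_BACKEND = {
    "metadata": {"name": "deny-all-ingress-to-backend", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "backend"}}, "policyTypes": ["Ingress"]},
}
ALLOW_FRONTEND_TO_BACKEND = {
    "metadata": {"name": "allow-frontend-to-backend", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "backend"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                          "ports": [{"protocol": "TCP", "port": 80}]}]},
}
# Constructed for the DNS caveat: default-deny egress for every pod in 'default',
# and the companion rule that still lets them reach CoreDNS in kube-system.
DENY_ALL_EGRESS = {
    "metadata": {"name": "deny-all-egress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}
ALLOW_DNS_EGRESS = {
    "metadata": {"name": "allow-dns-egress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                                 "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                         "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]},
}


def _pod(ns, **labels):  # constructed pods; ns label is the one Kubernetes sets automatically
    return {"namespace": ns, "labels": labels, "ns_labels": {"kubernetes.io/metadata.name": ns}}


FRONTEND, BACKEND, OTHER = _pod("default", app="frontend"), _pod("default", app="backend"), _pod("default", app="other")
COREDNS = _pod("kube-system", **{"k8s-app": "kube-dns"})


def walkthrough():
    """The checks from the walkthrough plus the DNS caveat: scenario -> allowed?"""
    deny_only = [DENY_ALL_INGRESS_TO_BACKEND]
    both = [DENY_ALL_INGRESS_TO_BACKEND, ALLOW_FRONTEND_TO_BACKEND]
    return {
        "no policy: frontend->backend:80": is_allowed([], FRONTEND, BACKEND, 80),
        "deny-all only: frontend->backend:80": is_allowed(deny_only, FRONTEND, BACKEND, 80),
        "both: frontend->backend:80": is_allowed(both, FRONTEND, BACKEND, 80),
        "both: frontend->backend:8080": is_allowed(both, FRONTEND, BACKEND, 8080),
        "both: other->backend:80": is_allowed(both, OTHER, BACKEND, 80),
        "both: backend->frontend:80 (frontend never isolated)": is_allowed(both, BACKEND, FRONTEND, 80),
        "egress deny-all: frontend->coredns:53/udp": is_allowed([DENY_ALL_EGRESS], FRONTEND, COREDNS, 53, "UDP", "Egress"),
        "egress deny-all + allow-dns: frontend->coredns:53/udp": is_allowed([DENY_ALL_EGRESS, ALLOW_DNS_EGRESS], FRONTEND, COREDNS, 53, "UDP", "Egress"),
    }


if __name__ == "__main__":
    for scenario, allowed in walkthrough().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {scenario}")
```

# Run it with `python3 netpol_eval.py`. The two ingress policies show the
# additive model: the deny-all manifest isolates backend, the second one
# punches exactly one hole (frontend, TCP/80), and frontend itself stays
# unisolated because no policy selects it. The egress pair is the shape of
# the fix for the CoreDNS problem mentioned above: an egress default-deny
# must be paired with a rule to the kube-dns pods on UDP and TCP 53.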