Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Network Policies don't have a selector on them #764

Closed
pbradly opened this issue Jan 22, 2021 · 5 comments
Closed

Network Policies don't have a selector on them #764

pbradly opened this issue Jan 22, 2021 · 5 comments

Comments

@pbradly
Copy link

pbradly commented Jan 22, 2021

The Network policies deployed as a part of flux intstall don't have any pod selectors defined on them, meaning if they are deployed into a namespace that has other pods running, it blocks all traffic to other pods in that namespace.

flux2/manifests/policies/deny-ingress.yaml

Line 11 in 6add511

- podSelector: {}

flux2/manifests/policies/deny-ingress.yaml

Line 14 in 6add511

podSelector: {}

Ideally, these policies should only be applied to the flux pods and not across everything in the namespace that flux has been deployed into.

We also discovered that when uninstalling flux v2, if you don't delete the namespace it doesn't remove these network policies.
@stefanprodan
Copy link
Member

Ideally, these policies should only be applied to the flux pods and not across everything in the namespace that flux has been deployed into.

Why would deploy other things than Flux in flux-system namespace?

We also discovered that when uninstalling flux v2, if you don't delete the namespace it doesn't remove these network policies.

flux uninstall deletes the namespace for you

@pbradly
Copy link
Author

pbradly commented Jan 22, 2021

Why would deploy other things than Flux in flux-system namespace?

We didn't deploy other pods into flux-system but instead deployed flux into an already existing namespace. We understand that flux-system is the default if --namespace is not defined.

flux uninstall deletes the namespace for you

Yes this makes sense if flux is deployed into a namespace it creates, but if it's deployed into an already existing namespace, it shouldn't delete that namespace since it didn't create it.

@stefanprodan
Copy link
Member

Yes this makes sense if flux is deployed into a namespace it creates, but if it's deployed into an already existing namespace, it shouldn't delete that namespace since it didn't create it.

Fixed in #891

@stefanprodan
Copy link
Member

We also discovered that when uninstalling flux v2, if you don't delete the namespace it doesn't remove these network policies.

Fixed in #891

@hiddeco
Copy link
Member

hiddeco commented Feb 12, 2021

As there are no plans to add pod selectors to the network policies at this moment and the other concerns have been addressed, I am closing this issue.

If you still feel they should be added and/or that your request has not been fulfilled, feel free to re-open. ✨

@hiddeco hiddeco closed this as completed Feb 12, 2021
ybelleguic pushed a commit to ybelleguic/flux2 that referenced this issue Jan 9, 2023
Merge pull request fluxcd#764 from sympatheticmoose/patch-1
2a52056 
Update link to v1beta2 in the API spec
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@stefanprodan @hiddeco @pbradly