Network Policy, elastic-operator eck k8s Openshift

Hi team,

We are stuck with the NetworkPolicy between elastic-operator and our respective namespaces for the Elastic stack.

The communication between elastic-operator and elastic-agent and Kibana works fine, but Elasticsearch is not working.

Here is the configuration:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: elastic-operator-networkpolicy
  namespace: openshift-operators
spec:
  egress:
  - ports:
    - port: 53
      protocol: UDP
  - ports:
    - port: 443
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.11.12.11/32
    - ipBlock:
        cidr: 10.11.12.12/32
    - ipBlock:
        cidr: 10.11.12.13/32
  - ports:
    - port: 9200
      protocol: TCP
    - port: 5601
      protocol: TCP
    - port: 8220
      protocol: TCP
    to:
    - namespaceSelector:
        matchExpressions:
        - key: eck.k8s.elastic.co/tenant
          operator: In
          values:
          - elastic-dev
          - elastic-test
          - elastic-prod
      podSelector:
        matchLabels:
          common.k8s.elastic.co/type: elasticsearch
  ingress:
  - from:
    - ipBlock:
        cidr: 10.11.12.11/32
    - ipBlock:
        cidr: 10.11.12.12/32
    - ipBlock:
        cidr: 10.11.12.13/32
    ports:
    - port: 9443
      protocol: TCP
  podSelector:
    matchLabels:
      control-plane: elastic-operator
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-elasticsearch
  namespace: elastic-dev
spec:
  egress:
  - ports:
    - port: 9300
      protocol: TCP
    to:
    - namespaceSelector:
        matchLabels:
          eck.k8s.elastic.co/tenant: elastic-dev
      podSelector:
        matchLabels:
          common.k8s.elastic.co/type: elasticsearch
  - ports:
    - port: 53
      protocol: UDP
  ingress:
  - from:
    - ipBlock:
        cidr: 10.11.12.11/32
    - ipBlock:
        cidr: 10.11.12.12/32
    - ipBlock:
        cidr: 10.11.12.13/32
    - namespaceSelector:
        matchLabels:
          eck.k8s.elastic.co/operator-name: elastic-operator
      podSelector:
        matchLabels:
          app.kubernetes.io/name: elastic-operator
    - namespaceSelector:
        matchLabels:
          eck.k8s.elastic.co/tenant: elastic-dev
    ports:
    - port: 9200
      protocol: TCP
  - from:
    - namespaceSelector:
        matchLabels:
          eck.k8s.elastic.co/tenant: elastic-dev
      podSelector:
        matchLabels:
          common.k8s.elastic.co/type: elasticsearch
    ports:
    - port: 9300
      protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: elasticsearch

The operator logs show that it couldn't connect to the Elasticsearch pods in the elastic-dev namespace.

When I run oc get es, it says "applying changes" and the operator is not able to manage the resource because of the network policy.

When I delete the NetworkPolicy and restart the elastic-operator pod, it works fine.
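The port 9200 ingress rule of the eck-elasticsearch policy above, evaluated with the label-selector semantics of networking.k8s.io/v1, so you can check whether a given operator pod's labels and its namespace's labels actually satisfy one of the "from" entries before the policy is applied. This is an added example, not code from the post or from ECK; the pod IP and the label sets passed in are constructed sample values.

```python
# Added example, not from the original post: evaluates a NetworkPolicy ingress rule
# with networking.k8s.io/v1 selector semantics, so policy/pod label mismatches show up.
from ipaddress import ip_address, ip_network

def selector_matches(selector, labels):
    """LabelSelector: every matchLabels pair AND every matchExpressions entry."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for e in selector.get("matchExpressions", []):
        key, op, vals = e["key"], e["operator"], e.get("values", [])
        if (op == "In" and labels.get(key) not in vals) or \
           (op == "NotIn" and labels.get(key) in vals) or \
           (op == "Exists" and key not in labels) or \
           (op == "DoesNotExist" and key in labels):
            return False
    return True

def peer_matches(peer, src):
    """One 'from' entry: an ipBlock, or namespaceSelector AND podSelector."""
    if "ipBlock" in peer:
        ip, blk = ip_address(src["ip"]), peer["ipBlock"]
        return ip in ip_network(blk["cidr"]) and not any(
            ip in ip_network(x) for x in blk.get("except", []))
    # A podSelector on its own would be scoped to the policy's namespace; this
    # page's policies always pair it with a namespaceSelector, so both must match.
    return all(sel not in peer or selector_matches(peer[sel], src[lbl])
               for sel, lbl in (("namespaceSelector", "ns_labels"), ("podSelector", "pod_labels")))

def rule_admits(rule, src, port, proto="TCP"):
    """True if the rule admits src on port/proto (an absent list matches everything)."""
    ports, froms = rule.get("ports"), rule.get("from")
    port_ok = not ports or any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)
    return port_ok and (not froms or any(peer_matches(p, src) for p in froms))

# The port 9200 ingress rule of the eck-elasticsearch policy, as posted above.
ES_HTTP_RULE = {
    "from": [
        *[{"ipBlock": {"cidr": f"10.11.12.{n}/32"}} for n in (11, 12, 13)],
        {"namespaceSelector": {"matchLabels": {"eck.k8s.elastic.co/operator-name": "elastic-operator"}},
         "podSelector": {"matchLabels": {"app.kubernetes.io/name": "elastic-operator"}}},
        {"namespaceSelector": {"matchLabels": {"eck.k8s.elastic.co/tenant": "elastic-dev"}}},
    ],
    "ports": [{"port": 9200, "protocol": "TCP"}],
}

def operator_admitted(ns_labels, pod_labels, ip="10.128.0.10"):
    """Would a pod with these labels (IP is a constructed sample value) reach ES on 9200?"""
    src = {"ip": ip, "ns_labels": ns_labels, "pod_labels": pod_labels}
    return rule_admits(ES_HTTP_RULE, src, 9200)
```

Feed it the labels reported by oc get pod and oc get namespace --show-labels for the operator: the rule only admits the operator when the namespace carries the operator-name label and the pod carries the exact app.kubernetes.io/name label, and either one missing is enough to block port 9200.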
