From 4243823ba59cc5ffe51dd37abf7fcb3dfdbd1a1c Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 7 Dec 2024 09:28:44 -0600
Subject: [PATCH] invoice-ninja: Fix network policy for ingress

Since the IP address assigned to the ingress controller is now managed by keepalived and known to Kubernetes, the network policy needs to allow access to it by pod namespace rather than IP address. It seems that the former takes precedence over the latter, so even though the IP address was explicitly allowed, traffic was not permitted because it was destined for a Kubernetes service that was not.
---
 invoice-ninja/network-policy.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/invoice-ninja/network-policy.yaml b/invoice-ninja/network-policy.yaml
index ccc6f3a..111e826 100644
--- a/invoice-ninja/network-policy.yaml
+++ b/invoice-ninja/network-policy.yaml
@@ -29,8 +29,9 @@ spec:
 ports:
 - port: 25
 - to:
- - ipBlock:
- cidr: 172.30.0.147/32
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
 ports:
 - port: 80
 - port: 443
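Review bot: The new `namespaceSelector` peer has no `podSelector` next to it, so the rule allows traffic on ports 80 and 443 to every pod in the `ingress-nginx` namespace, where the removed `ipBlock` named a single /32 address. If only the controller pods should be reachable, add a `podSelector` inside the same list item, as a sibling key of `namespaceSelector`, for example `podSelector: {matchLabels: {<controller-label-key>: <controller-label-value>}}`, using whatever labels the controller pods carry in this cluster. Writing it as a separate `- podSelector:` item would instead be OR-ed with the namespace peer and widen the rule. A short comment above the peer, such as `# ingress VIP is a Service address; policy is matched against the backing pods, so select by namespace`, would keep the reasoning from the commit message in the file. The rule list this entry belongs to starts above the hunk, so the rule direction and `policyTypes` are not visible here.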