This repository has been archived by the owner on Oct 12, 2023. It is now read-only.
AAD-Pod-Identity with Network Policy Egress #1234
OvidiuBorlean asked this question in Q&A (Unanswered)
Replies: 0 comments
Hi,
I would appreciate any ideas regarding the implementation of aad-pod-id with egress rules on an AKS cluster. The rules for egress are as follows:
With egress applied it is not working; by disabling egress everything is OK. Is there any other endpoint that should be added to the egress rules in order to make it work?
With the following netpol on the demo pod the log entries seem to be correct and I get a valid response from IMDS:
```yaml
spec:
  egress:
  - {}            # a single empty rule: all egress traffic is allowed
  podSelector:
    matchLabels:
      name: demo
  policyTypes:
  - Egress
```
If I change the policy to the following snippet, I get a timeout:
```yaml
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 10.6.0.0/16        # VNET
    - ipBlock:
        cidr: 10.0.0.0/16        # Service CIDR
    - ipBlock:
        cidr: 169.254.169.254/32 # IMDS
  podSelector:
    matchLabels:
      name: demo
  policyTypes:
  - Egress
```
The error:
E0112 19:45:19.883931 1 main.go:117] Get http://169.254.169.254/metadata/instance?api-version=2017-08-01: dial tcp 169.254.169.254:80: i/o timeout
E0112 19:45:20.384678 1 main.go:57] failed to acquire a token from IMDS using user-assigned identity, error: MSI not available
E0112 19:45:20.885417 1 main.go:82] failed to acquire a token from IMDS using user-assigned identity, error: MSI not available
E0112 19:45:20.885457 1 main.go:48] Tokens acquired from IMDS with and without identity client ID do not match
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x62ec8e]
goroutine 1 [running]:
main.main()
/go/src/github.com/Azure/aad-pod-identity/cmd/demo/main.go:50 +0x3ee
So basically the same outcome as already observed with the real service pod.
Thank you in advance for your support
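The two policies in the question differ only in whether the egress rule carries a `to` list. The following Python evaluator, added here as an example and not code from the original discussion or from the aad-pod-identity project, applies the ipBlock/except/ports semantics of a NetworkPolicy egress section to a destination address and port, so the set of permitted destinations can be checked before a policy is applied to a cluster. The policy dicts mirror the posted YAML; the destination addresses (a node address inside the VNet range, a pod-CIDR address, a service-range address) are constructed examples, not values from the cluster in the question. One caveat when reading the result for 169.254.169.254: aad-pod-identity's NMI redirects IMDS traffic on the node with iptables to its own listener (port 2579 by default), and whether a CNI's policy engine matches the pre-NAT metadata address or the post-NAT node address depends on the network plugin, so the destination that actually has to be allowed should be confirmed against the plugin's documentation.

```python
"""Evaluate a Kubernetes NetworkPolicy egress section against a destination.

Only ipBlock peers are modelled; podSelector/namespaceSelector peers need
cluster state to resolve and are treated as non-matching here.
"""
import ipaddress


def _ip_in_block(dst_ip, block):
    """True if dst_ip is inside block['cidr'] and not in any block['except'] range."""
    addr = ipaddress.ip_address(dst_ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(
        addr in ipaddress.ip_network(exc, strict=False)
        for exc in block.get("except", [])
    )


def _port_matches(dst_port, proto, ports):
    """An absent/empty 'ports' list means every port and protocol is allowed.
    Numeric ports and endPort ranges are handled; named ports are not."""
    if not ports:
        return True
    for entry in ports:
        if entry.get("protocol", "TCP") != proto:
            continue
        if "port" not in entry:
            return True  # protocol given, no port: any port of that protocol
        low = entry["port"]
        high = entry.get("endPort", low)
        if isinstance(low, int) and low <= dst_port <= high:
            return True
    return False


def egress_allowed(spec, dst_ip, dst_port, proto="TCP"):
    """Return True if this one policy's egress rules permit dst_ip:dst_port/proto.

    A policy without 'Egress' in policyTypes does not restrict egress at all.
    With 'Egress' set, an empty egress list denies everything, a rule with no
    'to' list matches every destination, and a rule with a 'to' list matches
    only destinations inside one of its ipBlocks.
    """
    if "Egress" not in spec.get("policyTypes", []):
        return True
    for rule in spec.get("egress", []):
        peers = rule.get("to", [])
        peer_ok = not peers or any(
            "ipBlock" in peer and _ip_in_block(dst_ip, peer["ipBlock"]) for peer in peers
        )
        if peer_ok and _port_matches(dst_port, proto, rule.get("ports", [])):
            return True
    return False


def summarize(spec, targets):
    """Map each (ip, port, proto) target to the policy's verdict."""
    return {t: egress_allowed(spec, *t) for t in targets}


# Constructed to mirror the two policies posted above.
SELECTOR = {"matchLabels": {"name": "demo"}}
ALLOW_ALL_SPEC = {"egress": [{}], "podSelector": SELECTOR, "policyTypes": ["Egress"]}
CIDR_SPEC = {
    "egress": [{"to": [
        {"ipBlock": {"cidr": "10.6.0.0/16"}},        # VNET
        {"ipBlock": {"cidr": "10.0.0.0/16"}},        # Service CIDR
        {"ipBlock": {"cidr": "169.254.169.254/32"}}, # IMDS
    ]}],
    "podSelector": SELECTOR,
    "policyTypes": ["Egress"],
}
DENY_ALL_SPEC = {"egress": [], "podSelector": SELECTOR, "policyTypes": ["Egress"]}
# Hypothetical variants showing 'except' and port-scoped rules.
EXCEPT_SPEC = {
    "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8", "except": ["10.0.0.0/16"]}}]}],
    "podSelector": SELECTOR, "policyTypes": ["Egress"],
}
DNS_ONLY_SPEC = {
    "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/16"}}],
                "ports": [{"protocol": "UDP", "port": 53}]}],
    "podSelector": SELECTOR, "policyTypes": ["Egress"],
}

# Constructed destinations: pre-NAT IMDS address, a node address in the VNet
# on NMI's default port, a service-range address, and a pod-CIDR address.
TARGETS = [
    ("169.254.169.254", 80, "TCP"),
    ("10.6.0.4", 2579, "TCP"),
    ("10.0.0.10", 53, "UDP"),
    ("10.244.1.7", 53, "UDP"),
]

if __name__ == "__main__":
    for name, spec in [("allow-all", ALLOW_ALL_SPEC), ("cidr-list", CIDR_SPEC)]:
        for target, ok in summarize(spec, TARGETS).items():
            print(f"{name:10} {target[0]}:{target[1]}/{target[2]} -> {'allow' if ok else 'deny'}")
```

Running the module prints the verdict of each policy for each constructed destination; the cidr-list policy allows the three posted ranges but denies the pod-CIDR address, which is the kind of difference to look for when the allow-all variant works and the restricted one times out.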