Kubernetes network policy: allow access from a specific IP

Tags: kubernetes, kubernetes-networkpolicy

I have the following task to perform:

- Create a namespace named forensics
- All pods in the forensics namespace must not be able to communicate with the outside world (egress isolation)
- Create a pod named investigator in the default namespace
```text
akthakur@ninja k get po -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
investigator   1/1     Running   0          20s   10.244.0.151   thinking-3qxqs   <none>           <none>
pod1           1/1     Running   0          20s   10.244.0.232   thinking-3qxqs   <none>           <none>

akthakur@ninja k get po -o wide -n forensics
NAME        READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
forensics   1/1     Running   0          87s   10.244.0.199   thinking-3qxqs   <none>           <none>
```
I created the following YAML to do this:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: forensics
  name: forensics
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: forensics
  name: forensics
  namespace: forensics
spec:
  containers:
  - command:
    - sleep
    - "10000"
    image: busybox
    name: forensics
    resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: pod1
  name: pod1
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "10000"
    image: busybox
    name: pod1
    resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: investigator
  name: investigator
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "10000"
    image: busybox
    name: investigator
    resources: {}
---
# deny all ingress/egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# allow ingress from IP of investigator pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: investigator-network-policy
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.244.0.151/32
```
I can see the policies when I describe them, as shown below.

**kubectl describe networkpolicy default-deny-ingress -n forensics**

```text
Name:         default-deny-ingress
Namespace:    forensics
Created on:   2020-06-16 18:07:21 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress
```

**kubectl describe networkpolicy investigator-network-policy -n forensics**

```text
Name:         investigator-network-policy
Namespace:    forensics
Created on:   2020-06-16 18:10:49 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      IPBlock:
        CIDR: 10.244.0.151/32
        Except:
  Not affecting egress traffic
  Policy Types: Ingress
```
What am I doing wrong?

A Service is one of the mature ways to handle point-to-point communication. By default, pods can communicate with each other through their IP addresses regardless of which namespace they are in. Check the default policy at the namespace level: if it is not specified when the namespace is created, it is set to deny by default. Change the network policy as shown below to allow traffic from other namespaces:

```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: some-name
  namespace: forensics
spec:
  selector: all()
  types:
  - Ingress
  - Egress
```
Did you expose the pod? You need to expose the pod using a Service?

No service. Pod-to-pod communication on IP.

Agreed that a Service is a mature way, but I just want to test the network policy. I am using weave network..

As per the requirement, all traffic from all namespaces must be blocked, but traffic from a specific pod in a namespace (which is blocked) should be allowed.
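The requirement restated in the last comment (everything into and out of forensics blocked, except traffic from the investigator pod in default) is normally expressed with label selectors rather than the question's ipBlock: the NetworkPolicy API documents ipBlock for cluster-external CIDRs, since a pod IP such as 10.244.0.151 changes whenever the pod is rescheduled. The manifest below is an added example, not code from the question, the answer or any project; it assumes a Kubernetes release that labels namespaces with kubernetes.io/metadata.name automatically (1.21 and later), otherwise label the default namespace by hand before applying it.

```yaml
# Namespace-wide default deny: isolates every pod in forensics in both
# directions (same effect as the question's default-deny-ingress policy).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Allow ingress only from the investigator pod in the default namespace.
# namespaceSelector and podSelector sit in ONE 'from' element, so they are
# ANDed (pod must be in that namespace AND carry the label); written as two
# separate list items they would be ORed and admit every pod in 'default'.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-investigator
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: default   # assumption: Kubernetes >= 1.21
      podSelector:
        matchLabels:
          name: investigator   # label set in the question's pod manifest
# No 'ports' entry, so all ports and protocols from that pod are allowed.
# Egress from forensics stays denied by the first policy; reply packets on a
# connection the investigator opened are still delivered, because policies
# are enforced per connection, not per packet.
```

To check the result with the pods from the question, `kubectl exec investigator -- ping -c1 -W2 10.244.0.199` should succeed while the same command from pod1 (and from the forensics pod towards any outside address) should time out.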