Kubernetes: restricting access to pods from other namespaces
I have created the network policy shown below in the default namespace
and I have the following pods in the default namespace
master $ k get pod --show-labels
NAME READY STATUS RESTARTS AGE LABELS
nginx1 1/1 Running 0 30m run=nginx1
nginx2 1/1 Running 0 30m run=nginx2
nginx3 1/1 Running 0 30m run=nginx3
When I try to access the pod from a different namespace, I can still reach the pod (nginx1).
How can I restrict other namespaces from accessing the pods in the default namespace?
This is expected behaviour, because you are not using a namespaceSelector to restrict traffic at the namespace level.
kubectl label ns default key=value
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx1
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          key: value
Add the label key=value to the default namespace and use a namespaceSelector in the ingress rule, so that only traffic from namespaces carrying that label is allowed. key=value is just an example; you can use a different label.
kubectl label ns default key=value
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx1
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          key: value
    - podSelector:
        matchLabels:
          run: "nginx2"
If you only want to restrict at the namespace level, just use the namespaceSelector:
kubectl label ns default key=value
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx1
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          key: value
This will block traffic from any namespace that does not have the label key=value. See the documentation for more details.
If an AND condition (matching both the pod and the namespace) is what you need, you can use the NetworkPolicy YAML file and label command below (note how namespaceSelector and podSelector are defined inside the same array item; that is what makes it an AND condition). But are you sure your network policy was created in the default namespace?
kubectl label ns default name=default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx1
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: "default"
      podSelector:
        matchLabels:
          run: "nginx2"
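To make the difference between two `from` entries (OR, as in the first answer's second policy) and one entry holding both selectors (AND, as in the policy just above) concrete, here is an added toy evaluator of NetworkPolicy ingress matching. It is my own illustration, not code from the answers or from Kubernetes; the functions `_matches`, `peer_allows`, `ingress_allowed` and `compare`, the sample sources, and the unlabelled namespace "other" are all constructed for the example, and it assumes `kubectl label ns default name=default` has been applied.

```python
# Added toy model of NetworkPolicy ingress matching (constructed for this
# example, not a CNI implementation). It shows why one `from` entry carrying
# both namespaceSelector and podSelector (AND) admits fewer sources than two
# separate entries (OR), using the labels from the answers above.

def _matches(selector, labels):
    # matchLabels: every pair must be present; an empty selector matches all
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, src, policy_ns):
    """One ingress[].from entry: every selector in the entry must match."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not _matches(ns_sel, src["ns_labels"]):
            return False
    elif src["namespace"] != policy_ns:
        return False  # a lone podSelector only covers the policy's own namespace
    return pod_sel is None or _matches(pod_sel, src["labels"])

def ingress_allowed(policy, policy_ns, src):
    """A pod selected by the policy admits only sources some peer allows."""
    return any(peer_allows(p, src, policy_ns)
               for rule in policy["spec"].get("ingress", [])
               for p in rule.get("from", []))

NS_SEL = {"namespaceSelector": {"matchLabels": {"name": "default"}}}
POD_SEL = {"podSelector": {"matchLabels": {"run": "nginx2"}}}
TARGET = {"podSelector": {"matchLabels": {"run": "nginx1"}}}
# two list items under from: -> OR (shape of the first answer's second policy)
OR_POLICY = {"spec": {**TARGET, "ingress": [{"from": [NS_SEL, POD_SEL]}]}}
# one list item holding both selectors -> AND (the second answer's policy)
AND_POLICY = {"spec": {**TARGET, "ingress": [{"from": [{**NS_SEL, **POD_SEL}]}]}}

# Constructed sources; `kubectl label ns default name=default` has been run,
# and "other" is a hypothetical namespace without that label.
SOURCES = {
    "nginx2/default": {"namespace": "default", "ns_labels": {"name": "default"},
                       "labels": {"run": "nginx2"}},
    "nginx3/default": {"namespace": "default", "ns_labels": {"name": "default"},
                       "labels": {"run": "nginx3"}},
    "nginx2/other": {"namespace": "other", "ns_labels": {},
                     "labels": {"run": "nginx2"}},
}

def compare():
    # source -> (allowed by the OR form, allowed by the AND form)
    return {name: (ingress_allowed(OR_POLICY, "default", s),
                   ingress_allowed(AND_POLICY, "default", s))
            for name, s in SOURCES.items()}
```

compare() shows that nginx3 in default is admitted only by the OR form, while nothing from the unlabelled namespace gets through either policy, which is the behaviour the question asks for.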
The network policy documentation describes four kinds of selectors that can be specified in the ingress from section or the egress to section:
- podSelector
- namespaceSelector
- namespaceSelector and podSelector
- ipBlock
For your use case you should use the third one: namespaceSelector and podSelector.
    - namespaceSelector:
        matchLabels:
          preferedNS: someNS
      # same list item as the namespaceSelector, so both must match
      podSelector:
        matchLabels:
          run: "nginx2"