Kubernetes NetworkPolicy cannot restrict ingress from UI

Tags: kubernetes, kubernetes-ingress, kubernetes-networkpolicy

I deployed a flask service (6 replicas) and a UI (3 replicas) using kind: Deployment, but when I add a Calico network policy like this:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: application-network-policy
  namespace: team-prod-xyz
  labels:
    app: application-network-policy
spec:
  podSelector:
    matchLabels:
      app: xyz-svc
      run: xyz-svc
  ingress:
    - ports:
        - port: 8000
      from:
        - podSelector:
            matchLabels:
              app: xyz-ui
  egress:
    - {}
  policyTypes:
    - Ingress
    - Egress
my flask service looks like this if I access it directly:

504 Gateway Time-out
nginx/1.15.3

This may be expected, but my UI cannot reach the endpoint either.

Why is that?
Edit 2: Kubernetes and ingress information

Kubernetes version -

Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.8", GitCommit:"211047e9a1922595eaa3a1127ed365e9299a6c23", GitTreeState:"clean", BuildDate:"2019-10-15T12:02:12Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}

Edit 1: I learned that we need to expose port 8000 using a configmap before the network policy.
Edit 3: By UI I mean a deployment done with a node image. I have to check whether the request is sent via the UI pod or directly to the svc pod.

Comments:

Hi @technazi, can you provide information about the kubernetes version and the ingress? What do you mean by "UI"? After the edit, does the problem still exist or is it fixed?

You are missing an "s" in your spec.podSelector: it should be matchLabels, not matchLabel. Let me know whether it works after the change or the problem persists. - jt97

I will close this question, because the xyz-ui service does not talk to xyz-svc (the backend service) directly; it talks to it through the ingress. That is why I added the podSelector as xyz-svc with the ingress allowing xyz-ui, because the request does not come through the ui service but through the ingress.

@jt97 sorry, that was a typo here; after adding the "s" it does not work. Thanks for your help. Let me know if I can provide more information on the above comments.
NAME                           READY   STATUS    RESTARTS   AGE
pod/xyz-mongodb-replicaset-0   1/1     Running   0          10d
pod/xyz-mongodb-replicaset-1   1/1     Running   0          7d
pod/xyz-mongodb-replicaset-2   1/1     Running   0          6d23h
pod/xyz-svc-7b589fbd4-25qd6    1/1     Running   0          20h
pod/xyz-svc-7b589fbd4-9n8jh    1/1     Running   0          20h
pod/xyz-svc-7b589fbd4-r5q9g    1/1     Running   0          20h
pod/xyz-ui-7d6f44b57b-8s4mq    1/1     Running   0          3d20h
pod/xyz-ui-7d6f44b57b-bl8r6    1/1     Running   0          3d20h
pod/xyz-ui-7d6f44b57b-jwhc2    1/1     Running   0          3d20h
pod/mongodb-backup-check       1/1     Running   0          20h

NAME                             TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)     AGE
service/xyz-mongodb-replicaset   ClusterIP   None          <none>        27017/TCP   10d
service/xyz-prod-service         ClusterIP   10.3.92.123   <none>        8000/TCP    20h
service/xyz-prod-ui              ClusterIP   10.3.49.132   <none>        80/TCP      10d
--Deployment--
--Replicasset--
--Statefulset--
Name:             xyz-prod-svc
Namespace:        prod-xyz
Address:
Default backend:  default-http-backend:80 (<none>)
TLS:
  prod terminates xyz.prod.domain.com
Rules:
  Host                 Path       Backends
  ----                 ----       --------
  xyz.prod.domain.com
                       /          xyz-prod-u:80 (10.7.2.4:80,10.7.4.22:80,10.7.5.24:80)
                       /project   xyz-prod-servic:8000 (10.7.2.15:8000,10.7.5.10:8000,10.7.5.10:8000 + 3 more...)
                       /trigger   xyz-prod-servic:8000 (10.7.2.15:8000,10.7.5.10:8000,10.7.5.10:8000 + 3 more...)
                       /kpi       xyz-prod-servic:8000 (10.7.2.15:8000,10.7.5.10:8000,10.7.5.10:8000 + 3 more...)
                       /feedback  xyz-prod-servic:8000 (10.7.2.15:8000,10.7.5.10:8000,10.7.5.10:8000 + 3 more...)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: application-network-policy
  namespace: app-prod-xyz
  labels:
    app: application-network-policy
spec:
  podSelector:
    # As posted this read "matchLabel" (the typo pointed out in the comments);
    # the valid field name is matchLabels.
    matchLabels:
      run: xyz-svc
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: xyz-ui
        - podSelector:
            matchLabels:
              app: application-health-check
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: xyz-ui
        - podSelector:
            matchLabels:
              app: xyz-mongodb-replicaset
        - podSelector:
            matchLabels:
              app: mongodb-replicaset
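A "from" entry that carries only a podSelector matches pods in the policy's own namespace. The request for xyz.prod.domain.com is proxied to the backend pods by the nginx ingress controller, and that controller normally runs in its own namespace, so neither policy posted above admits it; the "504 Gateway Time-out" signed "nginx/1.15.3" is what the controller returns when it cannot reach the backend pods. The policy below is an added example, not code from the question or its comments, showing how to admit the controller by namespace and pod label while keeping the egress the backend needs. It assumes the controller runs in a namespace labelled name=ingress-nginx with pods labelled app.kubernetes.io/name=ingress-nginx, that kube-system is labelled name=kube-system and its DNS pods k8s-app=kube-dns (on a 1.14 cluster namespace labels must be applied by hand, for example with kubectl label namespace ingress-nginx name=ingress-nginx), and that the MongoDB pods carry app=xyz-mongodb-replicaset; the question shows three different namespace names in different snippets, so use the one the xyz-svc pods actually run in.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: application-network-policy
  namespace: team-prod-xyz      # ASSUMPTION: the namespace of the xyz-svc pods
  labels:
    app: application-network-policy
spec:
  podSelector:
    matchLabels:
      app: xyz-svc
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Traffic for xyz.prod.domain.com arrives from the ingress controller pod,
    # not from the xyz-ui pods. A bare podSelector is scoped to this namespace,
    # so the controller must be selected with namespaceSelector AND podSelector
    # in the same list item (two items would be ORed and admit every pod in
    # the controller namespace).
    # ASSUMPTION: namespace label name=ingress-nginx, pod label
    # app.kubernetes.io/name=ingress-nginx.
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8000
    # In-namespace callers. If the Node server in xyz-ui proxies API calls
    # server-side instead of the browser calling /project, /kpi, ... through
    # the ingress, add a podSelector entry for app: xyz-ui here as well.
    - from:
        - podSelector:
            matchLabels:
              app: application-health-check
      ports:
        - protocol: TCP
          port: 8000
  egress:
    # With Egress in policyTypes everything not listed is dropped, including
    # DNS, so the backend could not resolve the MongoDB service name without
    # this rule.
    # ASSUMPTION: kube-system labelled name=kube-system, DNS pods k8s-app=kube-dns.
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # MongoDB replica set in the same namespace; 27017/TCP per the service listing.
    # ASSUMPTION: pods labelled app=xyz-mongodb-replicaset.
    - to:
        - podSelector:
            matchLabels:
              app: xyz-mongodb-replicaset
      ports:
        - protocol: TCP
          port: 27017
```

Before applying it, confirm the assumed labels with kubectl get namespace --show-labels and kubectl -n ingress-nginx get pods --show-labels, and adjust the selectors to whatever the cluster actually carries; a selector that matches nothing silently admits nothing, which reproduces the 504 rather than fixing it. The ingress object itself does not need to be referenced: Kubernetes NetworkPolicy only sees the controller pod that terminates TLS for xyz.prod.domain.com and opens the connection to port 8000 on the backend pods.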