Kubernetes network policy blocks DNS


I have an AKS cluster (Azure CNI) on which I am trying to implement network policies. I have created a network policy, which is

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myserver
spec:
  podSelector:
    matchLabels:
      service: my-server
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          service: myotherserver
    - podSelector:
        matchLabels:
          service: gateway
    - podSelector:
        matchLabels:
          service: yetanotherserver
    ports:
     - port: 8080
       protocol: TCP
  egress:
    - to:
      ports:
       - port: 53
         protocol: UDP
       - port: 53
         protocol: TCP
       - port: 5432
         protocol: TCP
       - port: 8080
         protocol: TCP
But when I apply the policy, I see repeated messages that the hostname cannot be resolved. I installed dnsutils on the myserver pod and can see the DNS requests timing out; I also tried installing tcpdump on the same pod, and I can see the requests going from myserver to kube-dns. I do not see any replies.

If I remove the network policy, DNS comes straight back, so I am sure there is a problem with my network policy, but I cannot find a way to allow the DNS traffic. If anyone can tell me where I have gone wrong, I would be very grateful.

To avoid duplication, create a separate network policy to open up DNS traffic. First, we label the kube-system namespace. Then allow DNS traffic from all pods to the kube-system namespace.

kubectl label namespace kube-system name=kube-system

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-access
  namespace: <your-namespacename>
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53

EOF
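As an added example that is not part of the question or the answer above, the following Python models the two NetworkPolicy semantics the answer relies on: egress rules from several policies selecting the same pod are unioned, and a namespaceSelector only matches once the kube-system namespace actually carries the label. The namespace name shop, the kube-dns pod label and the DB_ONLY policy are constructed assumptions; ipBlock peers and matchExpressions are not modelled.

```python
# Added example (not from the question or answer): a tiny model of NetworkPolicy egress semantics.
# Namespace "shop" and the kube-dns label are assumed; ipBlock and matchExpressions are not modelled.

def _labels_match(selector, labels):
    """matchLabels semantics: all listed key/values must be present; {}/None matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def _peer_allows(peer, policy_ns, dst):
    """One `to` entry: namespaceSelector AND podSelector; a bare podSelector stays in policy_ns."""
    if "ipBlock" in peer:
        return False
    ns_ok = (_labels_match(peer["namespaceSelector"], dst["ns_labels"])
             if "namespaceSelector" in peer else dst["namespace"] == policy_ns)
    pod_ok = "podSelector" not in peer or _labels_match(peer["podSelector"], dst["labels"])
    return ns_ok and pod_ok

def _port_allows(ports, port, proto):
    """No ports listed means every port; protocol defaults to TCP."""
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)

def egress_allowed(policies, src, dst, port, proto):
    """Unrestricted if no Egress policy selects src; otherwise the egress rules of
    every selecting policy are unioned, which is why a second policy can add DNS."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == src["namespace"]
                 and "Egress" in p["spec"].get("policyTypes", [])
                 and _labels_match(p["spec"].get("podSelector"), src["labels"])]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("egress") or []:
            peers = rule.get("to") or []  # empty `to` means any destination
            if ((not peers or any(_peer_allows(pe, pol["metadata"]["namespace"], dst) for pe in peers))
                    and _port_allows(rule.get("ports"), port, proto)):
                return True
    return False

# Constructed fixtures mirroring the page: an app pod, the kube-dns pod, and two policies
MY_SERVER = {"namespace": "shop", "labels": {"service": "my-server"}}
KUBE_DNS = {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}}
DB_ONLY = {"metadata": {"name": "myserver", "namespace": "shop"},
           "spec": {"podSelector": {"matchLabels": {"service": "my-server"}}, "policyTypes": ["Ingress", "Egress"],
                    "egress": [{"to": [], "ports": [{"port": 5432, "protocol": "TCP"}]}]}}
ALLOW_DNS = {"metadata": {"name": "allow-dns-access", "namespace": "shop"},
             "spec": {"podSelector": {"matchLabels": {}}, "policyTypes": ["Egress"],
                      "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}],
                                  "ports": [{"protocol": "UDP", "port": 53}]}]}}

def dns_allowed(policies, kube_system_labels):
    """Can my-server reach kube-dns on UDP/53, given the labels currently on kube-system?"""
    return egress_allowed(policies, MY_SERVER, dict(KUBE_DNS, ns_labels=kube_system_labels), 53, "UDP")
```

With only DB_ONLY in place dns_allowed returns False, with both policies but an unlabelled kube-system it is still False, and it becomes True once the label set by the answer's kubectl label command is present.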