Afaik a K8s NetworkPolicy can only allow pods matching a label to do something. I don't want to
- deny all traffic
- allow traffic from all pods, except those matching my label
but rather
- allow all traffic
- deny traffic for the pods matching my label
How do I do that?
From kubectl explain NetworkPolicy.spec.ingress.from:
DESCRIPTION:
List of sources which should be able to access the pods selected for this
rule. Items in this list are combined using a logical OR operation. If this
field is empty or missing, this rule matches all sources (traffic not
restricted by source). If this field is present and contains at least one
item, this rule allows traffic only if the traffic matches at least one
item in the from list.
As far as I understand, we can only allow, not deny.
Reply from a uj5u.com community member:
As you mentioned in the comments, you are using the Kind tool to run Kubernetes. Instead of Kubernetes network policies you can use Calico network policies (which the default CNI plugin does not support).
Example - I will create a cluster with the default CNI plugin disabled and a NodePort enabled for testing (assuming you already have the kind and kubectl tools installed):
kind-cluster-config.yaml file:
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  disableDefaultCNI: true # disable kindnet
  podSubnet: 192.168.0.0/16 # set to Calico's default subnet
nodes:
- role: control-plane
  extraPortMappings:
  - containerPort: 30000
    hostPort: 30000
    listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
    protocol: tcp # Optional, defaults to tcp
Time to create the cluster using the above config:
kind create cluster --config kind-cluster-config.yaml
When the cluster is ready, I will install the Calico CNI plugin:
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
I will wait until all Calico pods are ready (check with kubectl get pods -n kube-system). Then I will create a sample nginx Deployment with a Service of type NodePort for access:
nginx-deploy-service.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30000
Let's apply it: kubectl apply -f nginx-deploy-service.yaml
So far so good. Now I will try to access nginx-service using the node IP (check the node IP addresses with kubectl get nodes -o wide):
curl 172.18.0.2:30000
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
OK, it's working.
Now it's time to install calicoctl and apply a sample policy - based on this tutorial - that blocks only the ingress traffic of pods with the label app having the value nginx:
calico-rule.yaml:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: app == "nginx"
  types:
  - Ingress
Apply it:
calicoctl apply -f calico-rule.yaml
Successfully applied 1 'GlobalNetworkPolicy' resource(s)
Now I cannot reach the address 172.18.0.2:30000 that worked before. The policy works well!
Read more about Calico policies:
- Get started with Calico network policy
- Calico policy tutorial
Also check this GitHub topic for more information about NetworkPolicy support in Kind.
EDIT:
It seems that the Calico plugin supports Kubernetes NetworkPolicy as well, so you can just install the Calico CNI plugin and apply the following policy:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
I tested it and it seems to be working fine as well.
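The reason the policy above works is the rule quoted from kubectl explain in the question: policies are additive allow-lists, and a pod selected by an Ingress policy with no ingress rules is isolated with nothing allowed in. The following model of that semantics is an added example, not code from the post or from Kubernetes; it handles only podSelector/matchLabels peers in a single namespace (namespaceSelector, ipBlock and ports are left out), and the ALLOW_FRONTEND_TO_NGINX policy is a constructed addition showing how access is re-opened.

```python
"""Minimal model of Kubernetes NetworkPolicy ingress semantics (added
example, not from the original post). Only podSelector/matchLabels peers
in one namespace are modelled; namespaceSelector, ipBlock and ports are
left out on purpose."""
from typing import Dict, List

Labels = Dict[str, str]

# The policy from the answer's EDIT: it selects app=nginx, declares the
# Ingress type and lists no ingress rules, so selected pods accept nothing.
DENY_NGINX_INGRESS = {
    "podSelector": {"matchLabels": {"app": "nginx"}},
    "policyTypes": ["Ingress"],
}

# Constructed second policy: re-admits only role=frontend pods to nginx,
# showing that policies only ever add allowances, never denials.
ALLOW_FRONTEND_TO_NGINX = {
    "podSelector": {"matchLabels": {"app": "nginx"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}]}],
}

def selects(selector: dict, labels: Labels) -> bool:
    """matchLabels semantics: an empty selector matches every pod."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def policy_types(policy: dict) -> List[str]:
    """Default policyTypes: Ingress always, Egress only if egress rules exist."""
    default = ["Ingress"] + (["Egress"] if "egress" in policy else [])
    return policy.get("policyTypes", default)

def ingress_allowed(policies: List[dict], src: Labels, dst: Labels) -> bool:
    """True if traffic from pod `src` may reach pod `dst`.

    A pod becomes isolated for ingress as soon as one Ingress policy selects
    it; it is then reachable only via the ingress rules of the policies that
    select it. A rule whose `from` is empty or missing matches all sources.
    """
    applicable = [p for p in policies
                  if "Ingress" in policy_types(p) and selects(p.get("podSelector", {}), dst)]
    if not applicable:
        return True  # not isolated: the Kubernetes default is allow-all
    for policy in applicable:
        for rule in policy.get("ingress", []):
            peers = rule.get("from", [])
            if not peers or any(selects(peer.get("podSelector", {}), src) for peer in peers):
                return True
    return False  # isolated, and no rule admits this source
```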
Please credit the source when reposting; link to this article: https://www.uj5u.com/houduan/354122.html
Tags: security Kubernetes kubernetes-networkpolicy