【Question title】: Kubernetes NetworkPolicy allow external traffic from and to internet but no Pod-to-Pod traffic
【Posted】: 2022-06-28 23:54:02
【Question】:

How do I define my network policy so that two pods in the same namespace (test-server and test-server2) are reachable from outside the cluster but cannot reach each other?

$ kubectl get pods
NAME                               READY   STATUS    RESTARTS   AGE
test-server-7555d49f48-sfzv9        1/1     Running   0          63m
test-server2-55c9cc78d4-knn59       1/1     Running   0          100m
# test: deny all ingress traffic
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

---
# test: allow ingress traffic for test-server service
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-test-server-ingress
spec:
  podSelector:
    matchLabels:
      app: test-server
  policyTypes:
  - Ingress
  ingress:
  - {}

---
# test: allow ingress traffic for test-server2 service
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-test-server2-ingress
spec:
  podSelector:
    matchLabels:
      app: test-server2
  policyTypes:
  - Ingress
  ingress:
  - {}

With this approach both services are reachable from outside, but you can also hop from one service to the other.

【Question discussion】:

    Tags: kubernetes kubernetes-networkpolicy


    【Solution 1】:

    How do I define my network policy so that two pods in the same namespace (test-server and test-server2) are reachable from outside the cluster but cannot reach each other?

    Based on your setup, your NetworkPolicy should look something like this:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: codewizard-block-policy
      namespace: codewizard
    spec:
      # You can also add podSelection to 
      # be more specific.... (up to you)
      podSelector: {}
    
      policyTypes:
      - Ingress
      - Egress
    
      ingress:
      - from:
        # Block all traffic from the same subnet (10.10.10.10)
        # Or change the rule to only block a given IP and not a subnet
        - ipBlock:
            cidr: 10.10.10.10/32
            except:
            - 172.17.0.0/16 
        # Add allow ip from your LoadBalancer IP
      
      # Same thing for out going traffic
      egress:
      - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
            - 172.17.0.0/16
    

    • Another solution could be to use an Ingress with the following annotation: ingress.kubernetes.io/whitelist-source-range: "x.x.x.x/xx"
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: whitelist
      annotations:
        ingress.kubernetes.io/whitelist-source-range: "1.1.1.1/24"
    spec:
      rules:
      - host: whitelist.test.net
        http:
          paths:
          - path: /
            backend:
              serviceName: webserver
              servicePort: 80
    
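The following is an added example, not code from the question or from the answer above. It is a small offline model of how Kubernetes evaluates NetworkPolicy ingress rules, used to compare the asker's `ingress: [{}]` policies (which admit every source, other pods included) with policies whose `ipBlock` admits every source IP except the pod CIDR. It also mirrors the API-server validation rule that every `except` range must lie inside its `cidr`. `NAMESPACE`, `POD_CIDR` and every IP address in it are constructed assumptions; substitute your cluster's real values.

```python
# Added example (not code from the question or the answer): an offline model of how
# Kubernetes evaluates NetworkPolicy ingress rules, used to compare the asker's
# `ingress: [{}]` policies with policies that admit every source IP except the pod CIDR.
# NAMESPACE, POD_CIDR and all IPs below are constructed assumptions.
import ipaddress
import json

NAMESPACE = "default"        # assumption: both pods live here
POD_CIDR = "10.244.0.0/16"   # assumption: your CNI's pod CIDR

def policy(name, pod_selector, ingress=None):
    """Build a NetworkPolicy manifest (Ingress only) as a dict."""
    spec = {"podSelector": pod_selector, "policyTypes": ["Ingress"]}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": NAMESPACE}, "spec": spec}

DENY_ALL = policy("deny-all-ingress", {})

def allow_all(app):
    """The asker's form: an empty rule matches every source, other pods included."""
    return policy(f"allow-{app}-ingress", {"matchLabels": {"app": app}}, [{}])

def allow_external(app):
    """Any source IP except the pod CIDR, so pod-to-pod traffic stays isolated."""
    return policy(f"allow-{app}-external-ingress", {"matchLabels": {"app": app}},
                  [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": [POD_CIDR]}}]}])

def validate(pol):
    """Mirror the API-server check: every ipBlock `except` must lie inside its `cidr`."""
    problems = []
    for rule in pol["spec"].get("ingress", []):
        for peer in rule.get("from", []):
            block = peer.get("ipBlock")
            if block:
                cidr = ipaddress.ip_network(block["cidr"])
                for ex in block.get("except", []):
                    if not ipaddress.ip_network(ex).subnet_of(cidr):
                        problems.append(f"except {ex} is not within cidr {block['cidr']}")
    return problems

def _selects(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_matches(peer, src):
    """src has an 'ip'; a pod source also carries 'namespace' and 'labels'."""
    block = peer.get("ipBlock")
    if block:
        ip = ipaddress.ip_address(src["ip"])
        excluded = any(ip in ipaddress.ip_network(ex) for ex in block.get("except", []))
        return ip in ipaddress.ip_network(block["cidr"]) and not excluded
    if "podSelector" in peer and "namespaceSelector" not in peer:
        return src.get("namespace") == NAMESPACE and _selects(peer["podSelector"], src.get("labels", {}))
    return False  # namespaceSelector peers are outside this small model

def ingress_allowed(policies, dst_labels, src):
    """Policies are unioned: a pod selected by none is open; otherwise any matching rule admits."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == NAMESPACE
                 and "Ingress" in p["spec"]["policyTypes"]
                 and _selects(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from", [])
            if not peers or any(_peer_matches(peer, src) for peer in peers):
                return True
    return False

# Constructed flows: an internet client and the test-server2 pod, both connecting to test-server.
EXTERNAL_CLIENT = {"ip": "203.0.113.7"}
TEST_SERVER2_POD = {"ip": "10.244.1.5", "namespace": NAMESPACE, "labels": {"app": "test-server2"}}
TEST_SERVER = {"app": "test-server"}
ASKER_POLICIES = [DENY_ALL, allow_all("test-server"), allow_all("test-server2")]
FIXED_POLICIES = [DENY_ALL, allow_external("test-server"), allow_external("test-server2")]

def compare():
    """Which of the two flows each policy set admits into test-server."""
    return {"asker_external": ingress_allowed(ASKER_POLICIES, TEST_SERVER, EXTERNAL_CLIENT),
            "asker_pod_to_pod": ingress_allowed(ASKER_POLICIES, TEST_SERVER, TEST_SERVER2_POD),
            "fixed_external": ingress_allowed(FIXED_POLICIES, TEST_SERVER, EXTERNAL_CLIENT),
            "fixed_pod_to_pod": ingress_allowed(FIXED_POLICIES, TEST_SERVER, TEST_SERVER2_POD)}

def fixed_manifest():
    """JSON is valid YAML, so this output can go straight to `kubectl apply -f -`."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": FIXED_POLICIES}, indent=2)

if __name__ == "__main__":
    for p in FIXED_POLICIES:
        assert validate(p) == [], validate(p)
    print(compare())   # {'asker_external': True, 'asker_pod_to_pod': True, 'fixed_external': True, 'fixed_pod_to_pod': False}
    print(fixed_manifest())
```

`FIXED_POLICIES` keeps the asker's deny-all policy and only replaces the empty `ingress: [{}]` rules with an `ipBlock` that carves the pod CIDR out of `0.0.0.0/0`, which is what makes the second flow fail while the first still succeeds. Two practical caveats: traffic that enters through a NodePort or LoadBalancer Service is SNATed to a node IP unless the Service sets `externalTrafficPolicy: Local`, so a policy keyed on source IP then sees a node address rather than the client's (still admitted here, but the `except` range must match the CNI's actual pod CIDR or pod traffic slips through); and the API server rejects an `ipBlock` whose `except` is not inside its `cidr`, which `validate()` flags before anything is applied.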

    【Discussion】:
