Posted: 2021-11-18 22:04:00
Problem description:
I worked through the code on a 3-node K8s cluster and it seems I cannot block traffic to a deployment's pod using a NetworkPolicy.
Here is the output of the exercise.
user@myk8master:~$ kubectl get deployment,svc,networkpolicy
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP X.X.X.X <none> 443/TCP 20d
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
user@myk8master:~$ kubectl expose deployment nginx --port=80
service/nginx exposed
user@myk8master:~$ kubectl run busybox --rm -ti --image=busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (X.X.X.X:80)
remote file exists
/ # exit
Session ended, resume using 'kubectl attach busybox -c busybox -i -t' command when the pod is running
pod "busybox" deleted
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ vi network-policy.yaml
user@myk8master:~$ cat network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl apply -f network-policy.yaml
networkpolicy.networking.k8s.io/access-nginx created
user@myk8master:~$
user@myk8master:~$
user@myk8master:~$ kubectl run busybox --rm -ti --image=busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.97.229:80)
remote file exists. <<<< THIS SHOULD NOT WORK
I performed all the steps exactly as given, but even with the network policy defined I cannot seem to block the traffic.
Can someone tell me if I am doing something stupid here?
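Added example (not from the original post): a small Python model of the NetworkPolicy semantics the question expects, with the access-nginx policy transcribed as a dict so it runs without a cluster or a YAML library. It shows that under the policy as written the busybox pod (which `kubectl run` labels `run=busybox`, never `access=true`) should be denied, so the "remote file exists" result means the policy is not being enforced at all rather than being written wrongly.

```python
"""Model of Kubernetes NetworkPolicy ingress semantics (added example).

Rules modelled: a pod selected by no policy accepts all ingress; once any
policy selects it, only traffic matching some ingress rule is allowed.
Only same-namespace podSelector peers with matchLabels are handled, which
is all the policy in the question uses.
"""

# The access-nginx policy from the question, transcribed as a dict.
ACCESS_NGINX_POLICY = {
    "metadata": {"name": "access-nginx"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "ingress": [
            {"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}
        ],
    },
}


def selector_matches(selector, labels):
    """True if a matchLabels selector selects `labels`; {} matches every pod."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def ingress_allowed(policies, target_labels, source_labels):
    """Decide whether ingress from `source_labels` to `target_labels` is allowed."""
    selecting = [p for p in policies
                 if selector_matches(p["spec"]["podSelector"], target_labels)]
    if not selecting:
        return True  # no policy selects the target: default allow
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            if not rule.get("from"):
                return True  # a rule with no/empty 'from' matches all sources
            for peer in rule["from"]:
                sel = peer.get("podSelector")
                if sel is not None and selector_matches(sel, source_labels):
                    return True
    return False  # selected, but no rule matched: deny


if __name__ == "__main__":
    nginx = {"app": "nginx"}
    busybox = {"run": "busybox"}  # label set by `kubectl run busybox`
    print("busybox -> nginx:", ingress_allowed([ACCESS_NGINX_POLICY], nginx, busybox))
    print("access=true -> nginx:",
          ingress_allowed([ACCESS_NGINX_POLICY], nginx, {"access": "true"}))
```

If this model says "deny" but the cluster lets the wget through, the manifest is fine and the gap is enforcement: the cluster's CNI plugin must implement NetworkPolicy, otherwise the object is accepted by the API server and silently ignored.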
Discussion:
- Which CNI are you using? The CNI has to support network policies.
Tags: docker kubernetes google-kubernetes-engine kubernetes-ingress kubernetes-pod