
How to allow access to kubernetes api using egress network policy?

An init container with the kubectl get pod command is used to get the ready status of another pod.

After the Egress NetworkPolicy was turned on, the init container can't access the Kubernetes API: Unable to connect to the server: dial tcp 10.96.0.1:443: i/o timeout. The CNI is Calico.

Several rules were tried but none of them are working (service and master host IPs, different CIDR masks):

...
  egress:
  - to:
    - ipBlock:
        cidr: 10.96.0.1/32
    ports:
    - protocol: TCP
      port: 443
...

or using a namespace (default and kube-system namespaces):

...
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: default
    ports:
    - protocol: TCP
      port: 443
...

It looks like ipBlock rules just don't work, and namespace rules don't work because the kubernetes api is not a standard pod.

Can it be configured? Kubernetes is 1.9.5, Calico is 3.1.1.

The problem still exists with GKE 1.13.7-gke.8 and calico 3.2.7.

You need to get the real IP of the master using kubectl get endpoints --namespace default kubernetes and make an egress policy to allow that.

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-apiserver
  namespace: test
spec:
  policyTypes:
  - Egress
  podSelector: {}
  egress:
  - ports:
    - port: 443
      protocol: TCP
    to:
    - ipBlock:
        cidr: x.x.x.x/32
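As an added example (not code from the question or from any of the answers), the following Python generates the ipBlock policy from the `kubernetes` Endpoints object rather than from the Service ClusterIP, using the port the endpoint reports (commonly 6443 on self-managed clusters) because the policy is matched against the destination the packet carries after the Service address has been translated. The Endpoints JSON is a constructed sample and the function names are my own; the output is a JSON manifest that `kubectl apply -f` accepts.

```python
import json

# Constructed sample of `kubectl get endpoints kubernetes -n default -o json`
# for a cluster with two API servers listening on 6443 (assumed values).
SAMPLE_ENDPOINTS = {
    "apiVersion": "v1",
    "kind": "Endpoints",
    "metadata": {"name": "kubernetes", "namespace": "default"},
    "subsets": [
        {
            "addresses": [{"ip": "10.0.1.10"}, {"ip": "10.0.1.11"}],
            "ports": [{"name": "https", "port": 6443, "protocol": "TCP"}],
        }
    ],
}


def apiserver_targets(endpoints):
    """Return sorted (ip, port, protocol) triples for every address/port pair.

    These are the real API server addresses: egress is evaluated on them,
    not on the 10.96.0.1:443 ClusterIP that kubectl dials.
    """
    targets = set()
    for subset in endpoints.get("subsets") or []:
        for addr in subset.get("addresses") or []:
            for port in subset.get("ports") or []:
                targets.add((addr["ip"], port["port"], port.get("protocol", "TCP")))
    return sorted(targets)


def build_apiserver_egress_policy(endpoints, namespace, name="allow-apiserver",
                                  pod_selector=None):
    """Build a NetworkPolicy allowing egress only to the API server endpoints."""
    targets = apiserver_targets(endpoints)
    if not targets:
        # A policy with no rules would silently block all egress: fail loudly.
        raise ValueError("kubernetes Endpoints object has no addresses")
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": pod_selector or {},  # {} selects every pod in the namespace
            "policyTypes": ["Egress"],
            "egress": [
                {"to": [{"ipBlock": {"cidr": f"{ip}/32"}}],
                 "ports": [{"protocol": proto, "port": port}]}
                for ip, port, proto in targets
            ],
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_apiserver_egress_policy(SAMPLE_ENDPOINTS, "test"), indent=2))
```

Re-run it whenever the control plane changes, since the endpoint addresses are not stable the way the ClusterIP is.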

Update: Try Dave McNeill's answer first.

If it does not work for you (it did for me!), the following might be a workaround:

  podSelector:
    matchLabels:
      white: listed
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0

This will allow accessing the API server - along with all other IP addresses on the internet :-/

You can combine this with the "DENY all non-whitelisted traffic from a namespace" rule to deny egress for all other pods.

We aren't on GCP, but the same should apply.

We query AWS for the CIDR of our master nodes and use this data as values for Helm charts that create the NetworkPolicy for k8s API access.

In our case the masters are part of an auto-scaling group, so we need the CIDR. In your case the IP might be enough.
