EKS Calico: allow inbound from AWS Classic ELB to pod

I'm trying to set up network policies to allow only inbound traffic from the AWS Classic Load Balancer to the pods. Nothing else should be able to talk to the pods, which includes any pod replicas. I've configured the following but it does not work. Any ideas what I'm missing? As soon as I apply this, the health checks on the load balancer fail.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: a-b-c1
  labels:
    app: a-b-c1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: a-b-c1
  template:
    metadata:
      labels:
        app: a-b-c1
    spec:
      containers:
      - name: a-b-c1
        image: image:latest
        ports:
        - name: http-server1
          containerPort: 80
        resources:
          requests:
            cpu: 0.5
---
kind: Service
apiVersion: v1
metadata:
  name: a-b-c-elb1
  labels:
    app: a-b-c1
    name: a-b-c1-elb
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "environment=eks"
spec:
  ports: 
    - port: 80
      targetPort: http-server1
  selector:
    app: a-b-c1
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 10.0.0.0/8
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-elb
spec:
  # applies to the a-b-c1 pods created by the Deployment above
  podSelector:
    matchLabels:
      app: a-b-c1
  policyTypes:
  - Ingress
  ingress:
  - from:
    # selects pods (not Services) carrying the label name: a-b-c1-elb
    - podSelector:
        matchLabels:
          name: a-b-c1-elb

I don't think this is possible in AWS.

In this network policy you are limiting ingress to pods labelled with name: a-b-c1-elb, but this doesn't represent the service; it only represents a hypothetical pod with the label name: a-b-c1-elb (it is a podSelector, not a serviceSelector, which sadly doesn't exist).

A network policy allows matching traffic with a pod selector, a namespace selector and/or a block of IPs. In your case, the only one that could do the job is the block of IPs. You could limit the traffic to the IP of the load balancer and that would do the trick.

But in AWS the load balancers have ephemeral IPs that change whenever they want, so it is not possible to limit the traffic to the load balancer. The most you could get is to limit the traffic to the subnet's CIDR.
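The ipBlock variant the answer describes, written out as an added example (this is not the asker's or answerer's configuration). The CIDRs are placeholders: substitute the subnets the Classic ELB was provisioned in and the subnets the worker nodes live in. The node subnets matter because a Classic ELB forwards to the Service's NodePort on the instances, and with the default externalTrafficPolicy: Cluster kube-proxy masquerades that traffic, so the pod sees a node IP rather than the ELB's IP as the source.

```yaml
# Added example: restrict ingress to the a-b-c1 pods to traffic that originates
# inside the VPC subnets hosting the Classic ELB and the worker nodes.
# 10.0.1.0/24 and 10.0.2.0/24 are assumed values for this example only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-elb-subnets
spec:
  podSelector:
    matchLabels:
      app: a-b-c1
  policyTypes:
  - Ingress
  ingress:
  - from:
    # subnet(s) the ELB's network interfaces are placed in; health checks
    # and client traffic arrive from addresses in these ranges
    - ipBlock:
        cidr: 10.0.1.0/24
    # subnet(s) of the worker nodes: NodePort traffic is SNATed to the node IP
    # under externalTrafficPolicy: Cluster, so these must be allowed as well
    - ipBlock:
        cidr: 10.0.2.0/24
    # only the container port the Service targets
    ports:
    - protocol: TCP
      port: 80
```

Two caveats for the asker's "nothing else, including replicas" requirement. First, on EKS with the AWS VPC CNI, pods are assigned IP addresses out of the same VPC subnets as the nodes, so a subnet-wide ipBlock also admits any other pod whose address falls in that range; carving pods out with an ipBlock `except` list is only practical if pods are placed in a dedicated subnet (for example via VPC CNI custom networking). Second, after applying the policy, confirm the ELB's target health returns to InService before tightening further; if it does not, the health-check source range or the node subnet is missing from the `from` list.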
