Kubernetes Network Policy - Allow specific IP
I'm using Kubernetes on IBM Cloud.
I want to create a network policy that denies all the incoming connections to a pod (which exposes the app on port 3000), but which allows the incoming connections only from a specific IP (MY_IP).
I wrote this:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <MY_POLICY_NAME>
  namespace: <MY_NAMESPACE>
spec:
  # Pods this policy applies to
  podSelector:
    matchLabels:
      app: <MY_APP>
      env: <MY_ENV>
  # Only ingress is restricted; egress is left untouched
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: <MY_IP>/24
        except:
        - <MY_IP>/32
    ports:
    - protocol: TCP
      port: 3000
Unfortunately, this is not working because it blocks all the connections.
How can I fix this?
In your policy as it is right now, you are allowing ingress from that CIDR, except for all traffic from your <MY_IP>. So it is blocking all traffic from your IP.

PS: Source IP preservation is disabled by default for Ingress in IBM Cloud Kubernetes Service. Make sure you've enabled it for your Ingress service: https://console.bluemix.net/docs/containers/cs_ingress.html#preserve_source_ip
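The following is an added example, not code from the question or the answer above: a small Python model of how a NetworkPolicy ingress rule with an `ipBlock` selects traffic. It evaluates the rule exactly as posted (a /24 with `<MY_IP>/32` carved out again under `except`) beside the corrected rule (a bare `cidr: <MY_IP>/32`, no `except`), and also checks what happens when the pod sees an in-cluster hop address instead of the real client, which is the source-IP-preservation caveat from the answer. `MY_IP` and the other addresses are constructed placeholders from documentation ranges; the real enforcement is done by the cluster's CNI, not by this code.

```python
# Added example: a model of Kubernetes NetworkPolicy ipBlock matching.
# Addresses are constructed stand-ins for the question's placeholders;
# the cluster CNI (not this code) enforces the real policy.
import ipaddress

MY_IP = "203.0.113.10"   # constructed stand-in for <MY_IP>
APP_PORT = 3000


def ip_block_matches(ip_block: dict, src_ip: str) -> bool:
    """ipBlock semantics: the source must be inside `cidr` and outside
    every CIDR listed under `except`."""
    src = ipaddress.ip_address(src_ip)
    if src not in ipaddress.ip_network(ip_block["cidr"], strict=False):
        return False
    return not any(
        src in ipaddress.ip_network(ex, strict=False)
        for ex in ip_block.get("except", [])
    )


def ingress_allowed(ingress_rules: list, src_ip: str, port: int,
                    protocol: str = "TCP") -> bool:
    """A connection is admitted if some ingress rule has a `from` peer that
    matches the source and a `ports` entry that matches the destination.
    A rule with no `from` matches every source; a rule with no `ports`
    matches every port. Only ipBlock peers are modelled here, and an empty
    rule list denies everything (the default once Ingress is selected)."""
    for rule in ingress_rules:
        peers = rule.get("from")
        peer_ok = peers is None or any(
            "ipBlock" in p and ip_block_matches(p["ipBlock"], src_ip)
            for p in peers
        )
        ports = rule.get("ports")
        port_ok = ports is None or any(
            p.get("protocol", "TCP") == protocol and p.get("port") == port
            for p in ports
        )
        if peer_ok and port_ok:
            return True
    return False


# The rule as posted: allow the /24 around MY_IP, then carve MY_IP out again.
POSTED_INGRESS = [{
    "from": [{"ipBlock": {"cidr": f"{MY_IP}/24", "except": [f"{MY_IP}/32"]}}],
    "ports": [{"protocol": "TCP", "port": APP_PORT}],
}]

# The corrected rule: a /32 for MY_IP alone and no `except` list.
FIXED_INGRESS = [{
    "from": [{"ipBlock": {"cidr": f"{MY_IP}/32"}}],
    "ports": [{"protocol": "TCP", "port": APP_PORT}],
}]


def demo() -> dict:
    """Evaluate both rules against a few sources and return the verdicts."""
    neighbour = "203.0.113.11"   # same /24 as MY_IP, but not MY_IP
    cluster_hop = "10.0.0.5"     # constructed in-cluster address, as seen by the
                                 # pod when source IP is NOT preserved by the Ingress
    return {
        "posted_my_ip": ingress_allowed(POSTED_INGRESS, MY_IP, APP_PORT),
        "posted_neighbour": ingress_allowed(POSTED_INGRESS, neighbour, APP_PORT),
        "fixed_my_ip": ingress_allowed(FIXED_INGRESS, MY_IP, APP_PORT),
        "fixed_neighbour": ingress_allowed(FIXED_INGRESS, neighbour, APP_PORT),
        "fixed_other_port": ingress_allowed(FIXED_INGRESS, MY_IP, 8080),
        "fixed_no_src_ip_preservation": ingress_allowed(FIXED_INGRESS, cluster_hop, APP_PORT),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Two things to take from the model. First, `except` subtracts from `cidr`, so the posted rule admits every other host in the /24 and denies exactly the one address you wanted; dropping `except` and narrowing `cidr` to `/32` is the whole fix. Second, even the corrected policy is evaluated against whatever source address reaches the pod: if the Ingress rewrites the client address to a cluster-internal hop, the /32 never matches, which is why the answer's note about enabling source IP preservation matters.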