堆栈内存溢出
  简体   繁体   English

如何限制对某些Kubernetes命名空间的访问,仅允许某些Pod进行访问?

[英]How to restrict access to some Kubernetes namespace allowing access only by some pods?

 原文  2019-03-12 09:17:41       kubernetes

问题描述

I have the following service: 我有以下服务: 

apiVersion: v1
kind: Service
metadata:
  name: foo
  labels:
    app: foo
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
      name: foo
  selector:
    app: foo

This service point to the following deployment: 该服务指向以下部署: 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: foo
  labels:
    app: foo
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: foo
  template:
    metadata:
      labels:
        app: foo
    spec:
      containers:
        - name: foo
          image: gcr.io/foo:1.0.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080

I also have another deployment: 我还有另一个部署: 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: bar
  labels:
    app: bar
spec:
  selector:
    matchLabels:
      app: bar
  template:
    metadata:
      labels:
        app: bar
    spec:
      containers:
        - name: bar
          image: gcr.io/bar:1.0.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080

foo is deployed to Kubernetes namespace called kube-protected , bar is deployed to default Kubernetes namespace. foo部署到名为kube-protected Kubernetes命名空间, bar部署到默认的Kubernetes命名空间。

foo contains import data and should be well secured. foo包含导入数据,因此应严格保护。

Kubernetes default namespace may also contain another deployments: qux , baz , etc. Kubernetes默认名称空间可能还包含其他部署: quxbaz等。

I want to restrict access to service foo so only bar can access it. 我想限制对服务foo访问,因此只有bar可以访问它。 Or another way is to restrict access to kube-protected namespace so only bar can get into it. 或者另一种方法是限制对kube-protected名称空间的访问,以便只有bar才能进入它。

SOLUTION 

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-which-you-want-to-protect-network-policy
  namespace: namespace-which-you-want-to-protect
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: namespace-which-is-only-allowed-to-access-protected-namespace
      podSelector:
        matchLabels:
          app: application-which-is-only-allowed-to-access-protected-namespace
  podSelector: {}

1 个解决方案

解决方案1
 3 已采纳  2019-03-12 14:51:24

for this situation you can use Network policy to restrict access to foo 在这种情况下,您可以使用网络策略来限制对foo的访问 

kind: NetworkPolicy

apiVersion: networking.k8s.io/v1

metadata:

  name: access-nginx

spec:

  podSelector:

    matchLabels:

      app: foo

  ingress:

  - from:

    - podSelector:

        matchLabels:

          app: bar

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在Postgresql中仅允许访问Kubernetes Pod? - How to allow access only for kubernetes pods in postgresql? 如何使用网络策略仅允许从特定名称空间访问 pods 到 kubernetes 中的另一个名称空间? - How to use network policy to allow access to pods only from a specific namespace to another in kubernetes? 使用全局 IP 白名单限制对某些 Kubernetes 服务的访问 - Restrict access to some Kubernetes services with a global IP whitelist 只为Kubernetes中的某些Pod启用ServiceAccounts - Only enable ServiceAccounts for some pods in Kubernetes 如何限制一个 pod 直接联系其他 pod 但允许通过服务访问 - How can I restrict a pod to contact other pods directly but allowing access via service 如何应用 kubernetes 网络策略来限制其他命名空间对命名空间的访问? - How to apply kubernetes network policies to restrict access of namespace from other namespace? 如何仅在 kube.netes rbac 中控制对 pods/exec 的访问而不绑定 pods create? - how to control access for pods/exec only in kubernetes rbac without pods create binded? Kubernetes 无法访问 pod - Kubernetes Unable to Access pods 限制用户只能访问名称空间中的一项服务 - Restrict user to access only one service in a namespace 如何为命名空间中的 pod 提供管理员访问权限? - how to give pods in namespace an admin access?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM