How to restrict access to some Kubernetes namespace allowing access only by some pods?
I have the following service:
apiVersion: v1
kind: Service
metadata:
  name: foo
  labels:
    app: foo
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: foo
  selector:
    app: foo
This service points to the following deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: foo
  labels:
    app: foo
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: foo
  template:
    metadata:
      labels:
        app: foo
    spec:
      containers:
      - name: foo
        image: gcr.io/foo:1.0.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080
I also have another deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bar
  labels:
    app: bar
spec:
  selector:
    matchLabels:
      app: bar
  template:
    metadata:
      labels:
        app: bar
    spec:
      containers:
      - name: bar
        image: gcr.io/bar:1.0.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080
foo is deployed to the Kubernetes namespace called kube-protected, bar is deployed to the default Kubernetes namespace.
foo contains import data and should be well secured.
The Kubernetes default namespace may also contain other deployments: qux, baz, etc.
I want to restrict access to service foo so only bar can access it. Or another way is to restrict access to the kube-protected namespace so only bar can get into it.
SOLUTION
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-which-you-want-to-protect-network-policy
  namespace: namespace-which-you-want-to-protect
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: namespace-which-is-only-allowed-to-access-protected-namespace
      podSelector:
        matchLabels:
          app: application-which-is-only-allowed-to-access-protected-namespace
  podSelector: {}
For this situation you can use a NetworkPolicy to restrict access to foo:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
  namespace: kube-protected   # the policy must live in foo's namespace to select foo
spec:
  podSelector:
    matchLabels:
      app: foo
  ingress:
  - from:
    # a podSelector on its own only matches pods in kube-protected; bar runs in
    # default, so its namespace must be selected too (namespaces carry the
    # kubernetes.io/metadata.name label automatically on Kubernetes 1.21+)
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: default
      podSelector:
        matchLabels:
          app: bar
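Added example (not from the question or either answer): a small evaluator of NetworkPolicy ingress selector semantics that shows why the accepted answer's `namespaceSelector` + `podSelector` pair admits `bar` from the default namespace, while a `podSelector`-only rule, as the second answer first wrote it, only admits `bar` pods living in kube-protected. The pod and namespace objects, and the `name` namespace label, are constructed to match the question; ports and `ipBlock` peers are not modelled.

```python
def selector_matches(selector, labels):
    """True when a {matchLabels: {...}} selector matches `labels`; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policy, src, dst, namespaces):
    """Return True if pod `src` may reach pod `dst` under `policy`.

    src/dst are {"namespace": str, "labels": {...}}; `namespaces` maps each
    namespace name to its labels. Only label-selector semantics are modelled."""
    spec = policy["spec"]
    ns = policy["metadata"]["namespace"]
    # A policy selects pods only in its own namespace; pods it does not select
    # are not restricted by it (other policies in the cluster are out of scope).
    if dst["namespace"] != ns or not selector_matches(spec.get("podSelector", {}), dst["labels"]):
        return True
    for rule in spec.get("ingress", []):
        if "from" not in rule:          # a rule without `from` admits every source
            return True
        for peer in rule["from"]:       # peers within one rule are OR-ed
            ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
            if ns_sel is None and pod_sel is None:
                continue                # ipBlock-only peers are not modelled
            if ns_sel is None:          # podSelector alone: same namespace only
                ns_ok = src["namespace"] == ns
            else:
                ns_ok = selector_matches(ns_sel, namespaces.get(src["namespace"], {}))
            pod_ok = pod_sel is None or selector_matches(pod_sel, src["labels"])
            if ns_ok and pod_ok:        # both selectors in one peer are AND-ed
                return True
    return False


# Constructed inputs modelled on the question: foo in kube-protected, bar and qux in default.
NAMESPACES = {"default": {"name": "default"}, "kube-protected": {"name": "kube-protected"}}
FOO = {"namespace": "kube-protected", "labels": {"app": "foo"}}
BAR = {"namespace": "default", "labels": {"app": "bar"}}
QUX = {"namespace": "default", "labels": {"app": "qux"}}
# Accepted answer's policy with its placeholders filled in for this question.
NS_AND_POD = {"metadata": {"namespace": "kube-protected"}, "spec": {"podSelector": {}, "ingress": [
    {"from": [{"namespaceSelector": {"matchLabels": {"name": "default"}},
               "podSelector": {"matchLabels": {"app": "bar"}}}]}]}}
# Same intent written with a podSelector only: admits bar pods in kube-protected, not in default.
POD_ONLY = {"metadata": {"namespace": "kube-protected"}, "spec": {"podSelector": {"matchLabels": {"app": "foo"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "bar"}}}]}]}}


def who_can_reach_foo(policy):
    return {n: ingress_allowed(policy, s, FOO, NAMESPACES) for n, s in [("bar", BAR), ("qux", QUX)]}
```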