kubernetes network policies, allow access to a specific ip
I have the following tasks to perform:

1. Create a namespace named forensics.
2. All the pods within the forensics namespace should not be able to communicate with the outside world (egress isolation).
3. Create a pod named investigator in the default namespace.
4. Pods within the forensics namespace should only allow connections from the IP of the investigator pod.

I created the following YAML to do the same.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: forensics
  name: forensics
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: forensics
  name: forensics
  namespace: forensics
spec:
  containers:
  - command:
    - sleep
    - "10000"
    image: busybox
    name: forensics
    resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: pod1
  name: pod1
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "10000"
    image: busybox
    name: pod1
    resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: investigator
  name: investigator
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "10000"
    image: busybox
    name: investigator
    resources: {}
---
# deny all ingress/egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# allow ingress from IP of investigator pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: investigator-network-policy
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.244.0.151/32
```
and I can see the policies described as shown:

```
$ kubectl describe networkpolicy default-deny-ingress -n forensics
Name:         default-deny-ingress
Namespace:    forensics
Created on:   2020-06-16 18:07:21 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress
```

```
$ kubectl describe networkpolicy investigator-network-policy -n forensics
Name:         investigator-network-policy
Namespace:    forensics
Created on:   2020-06-16 18:10:49 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      IPBlock:
        CIDR: 10.244.0.151/32
        Except:
  Not affecting egress traffic
  Policy Types: Ingress
```
But I cannot ping the forensics pod from the investigator pod.

```
akthakur@ninja k get po -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
investigator   1/1     Running   0          20s   10.244.0.151   thinking-3qxqs   <none>           <none>
pod1           1/1     Running   0          20s   10.244.0.232   thinking-3qxqs   <none>           <none>
akthakur@ninja k get po -o wide -n forensics
NAME        READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
forensics   1/1     Running   0          87s   10.244.0.199   thinking-3qxqs   <none>           <none>
```

Ping results:

```
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 62:54:37:84:13:42
          inet addr:10.244.0.151  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:447 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1944 (1.8 KiB)  TX bytes:43078 (42.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping 10.244.0.199
PING 10.244.0.199 (10.244.0.199): 56 data bytes
^C
--- 10.244.0.199 ping statistics ---
48 packets transmitted, 0 packets received, 100% packet loss
/ # ping 10.244.0.232
PING 10.244.0.232 (10.244.0.232): 56 data bytes
64 bytes from 10.244.0.232: seq=0 ttl=63 time=0.122 ms
64 bytes from 10.244.0.232: seq=1 ttl=63 time=0.169 ms
64 bytes from 10.244.0.232: seq=2 ttl=63 time=0.151 ms
^C
--- 10.244.0.232 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.122/0.147/0.169 ms
```
What am I doing wrong?
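As an added illustration (not part of the question or the answer), the following Python script models the Kubernetes NetworkPolicy evaluation rules against the two policies from the question, encoded as constructed dicts mirroring that YAML: once any policy selecting a pod lists a direction in policyTypes, the pod is isolated for that direction and only traffic matched by some rule in some selecting policy is allowed. It shows that the forensics pod accepts ingress only from 10.244.0.151, rejects ingress from pod1's 10.244.0.232, and is denied all egress because default-deny-ingress lists Egress with no egress rules. The helper names are my own, and podSelector/namespaceSelector peers and matchExpressions are not modelled.

```python
import ipaddress

# Constructed policy objects mirroring the two NetworkPolicy manifests in the question.
POLICIES = [
    {"name": "default-deny-ingress", "podSelector": {},
     "policyTypes": ["Ingress", "Egress"]},
    {"name": "investigator-network-policy", "podSelector": {},
     "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"ipBlock": {"cidr": "10.244.0.151/32"}}]}]},
]

def selects(selector, pod_labels):
    """An empty podSelector matches every pod in the namespace; otherwise every
    matchLabels entry must be present on the pod (matchExpressions not modelled)."""
    return all(pod_labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ip_block_matches(block, ip):
    """ipBlock semantics: the address must fall inside cidr and outside every except entry."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(e, strict=False) for e in block.get("except", []))

def peer_matches(peer, ip):
    # Only ipBlock peers are modelled (the question's policies use nothing else);
    # a podSelector/namespaceSelector peer is treated as not matching.
    return "ipBlock" in peer and ip_block_matches(peer["ipBlock"], ip)

def _allowed(policies, pod_labels, policy_type, rule_key, peer_key, ip):
    applicable = [p for p in policies if selects(p["podSelector"], pod_labels)]
    if not any(policy_type in p.get("policyTypes", []) for p in applicable):
        return True  # not isolated for this direction: Kubernetes default-allow applies
    # Isolated: policies are additive, so a matching rule in any selecting policy allows.
    for p in applicable:
        for rule in p.get(rule_key, []):
            if not rule.get(peer_key) or any(peer_matches(peer, ip) for peer in rule[peer_key]):
                return True  # a rule with no peers allows all sources/destinations
    return False

def ingress_allowed(policies, pod_labels, src_ip):
    return _allowed(policies, pod_labels, "Ingress", "ingress", "from", src_ip)

def egress_allowed(policies, pod_labels, dst_ip):
    return _allowed(policies, pod_labels, "Egress", "egress", "to", dst_ip)

if __name__ == "__main__":
    forensics_pod = {"name": "forensics"}
    print("ingress from investigator:", ingress_allowed(POLICIES, forensics_pod, "10.244.0.151"))  # True
    print("ingress from pod1:", ingress_allowed(POLICIES, forensics_pod, "10.244.0.232"))  # False
    print("egress to investigator:", egress_allowed(POLICIES, forensics_pod, "10.244.0.151"))  # False
```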
Service is one of the mature ways to handle pod-to-pod communication. By default, pods can communicate with each other by their IP address, regardless of the namespace they're in. Check your default policy at the namespace level. It's set to denied by default if you don't specify it during namespace creation. Change the NetworkPolicy as shown below to allow traffic from other namespaces.
```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: some-name
  namespace: forensics
spec:
  selector: all()
  types:
  - Ingress
  - Egress
```
You only allow ingress traffic but are blocking egress traffic, so no packet is received back by the investigator pod.