Kubernetes 出口网络策略不适用于选定的 pod
[英]Kubernetes Egress Network Policy is not working on a pod selected
问题描述
I'm facing a weird issue on setting up egress network policy on my kube cluster.
在我的 kube 集群上设置出口网络策略时,我遇到了一个奇怪的问题。
Basically I want my pod A to access only pod B.基本上我希望我的 pod A 只能访问 pod B。
I have two pods:我有两个豆荚:
- hello-k8s-deploy你好-k8s-部署
- nginx nginx
The hello-k8s-deploy pod expose an API on port 8080 via NodePort. hello-k8s-deploy pod 通过 NodePort 在端口8080上公开一个 API。 My nginx pod is simply an image to access the API.我的 nginx pod 只是一个访问 API 的图像。
So let's try logging in to the nginx pod and access that API exposed by the hello-k8s-deploy pod.因此,让我们尝试登录 nginx pod 并访问 hello-k8s-deploy pod 暴露的 API。
Above shows that the API responded back with message starts with Hello K8s!上图显示 API 回复了以Hello K8s!
Now let's apply the network policy on my nginx pod so it can access only this API, nothing else.现在让我们在我的 nginx pod 上应用网络策略,这样它就只能访问这个 API,没有别的。
Network policy:网络政策:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: app
spec:
podSelector:
matchLabels:
run: nginx
egress:
- to:
- podSelector:
matchLabels:
app: hello-k8s-deploy
policyTypes:
- Egress
Above policy will be applied to pod with label run: nginx上述策略将应用于具有 label 的 pod run: nginx
And the rule is allow traffic to pod with label app: hello-k8s-deploy规则是允许使用 label app: hello-k8s-deploy
Let's validate it by looking at the definition of both of the pods nginx and hello-k8s-deploy让我们通过查看两个 pod nginx 和 hello-k8s-deploy 的定义来验证它
nginx: nginx:
hello-k8s-deploy你好-k8s-部署
As we can see both labels are matching the Network policy.正如我们所看到的,两个标签都匹配网络策略。
After I applied the network policy and access the nginx again I expect to work the same and get a response from the API but I'm getting the below error.在我应用网络策略并再次访问 nginx 后,我希望能正常工作并得到 API 的响应,但我收到以下错误。
Take note that:请注意:
- All of the resources are in the same namespace
app所有资源都在同一个命名空间app中 - My network addon is weave-net which has support for network policy as per documentation.我的网络插件是 weave-net,它根据文档支持网络策略。
- I even tried to specify the namespace selector and add port 8080.我什至尝试指定命名空间选择器并添加端口 8080。
1 个解决方案
解决方案1
2 已采纳 2020-07-25 15:08:25
I finally resolved the issue, basically the problem I was getting is could not resolve host hello-k8s-svc .我终于解决了这个问题,基本上我得到的问题是could not resolve host hello-k8s-svc 。 It means k8s is trying to connect using this host and resolving through dns name (service name).这意味着 k8s 正在尝试使用此主机连接并通过 dns 名称(服务名称)进行解析。
And since my pod is only allowing egress to hello-k8s-deploy, it's failing as it also needs to connect to kube-dns for resolving the dns.而且由于我的 pod 只允许出口到 hello-k8s-deploy,所以它失败了,因为它还需要连接到 kube-dns 来解析 dns。 So before you apply an egress make sure the pod or all pods in your namespace are allowing to connect to kube-dns for dns resolution.因此,在应用 egress 之前,请确保命名空间中的 pod 或所有 pod 都允许连接到 kube-dns 以获得 dns 分辨率。
The fix is simply creating an egress resource to all pods to connect to kube-dns on top of your pod specific egress configuration.修复只是简单地为所有 pod 创建一个出口资源,以在您的 pod 特定出口配置之上连接到 kube-dns。
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all-egress
spec:
podSelector: {}
egress:
- to:
- namespaceSelector:
matchLabels:
networking/namespace: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
policyTypes:
- Egress
In my case I labeled the kube-system namespace:在我的例子中,我标记了 kube-system 命名空间:
kubectl label namespace kube-system networking/namespace=kube-system
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.