
Kubernetes network policy deny-all policy not blocking basic communication

I am running a GKE cluster version 1.17.13-gke.1400.

I have applied the following network policy in my cluster -

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Which should block all communication to or from pods on the default namespace. However, it does not. As is evident from this test -

$ kubectl run p1 -it  --image google/cloud-sdk
root@p1:/# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=1.14 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=1.21 ms
^C
root@p1:/# curl www.google.com
<!doctype html><html itemscope=" ...

From the docs, seems like this application should be pretty straightforward. Any help in understanding what I'm doing wrong, or tips for further troubleshooting, will be appreciated.

Thanks, Nimrod

For Network Policies to take effect, your cluster needs to run a network plugin which also enforces them. Project Calico or Cilium are plugins that do so. This is not the default when creating a cluster!

So first, you should check if your cluster is set up accordingly as described in the Google Cloud Network Policies docs. This is somehow abstracted away behind the --enable-network-policy flag.

If it is enabled, you should see some calico pods in the kube-system namespace.

kubectl get pods --namespace=kube-system

If there is a plugin in place which enforces network policies, you need to make sure to have deployed the network policy in the desired namespace - and check if your test using kubectl run is executed in that namespace, too. You might have some other namespace configured in your kube context and not hit the default namespace with your command.
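A small triage script for the three checks above (added here as an example; it is not code from the answer, from GKE or from Calico). It consumes the JSON that `kubectl get networkpolicy <name> -o json` and `kubectl get daemonset -n kube-system -o json` return; the DaemonSet names it looks for are assumed, and the sample inputs are constructed:

```python
"""Triage a 'deny-all NetworkPolicy has no effect' report from `kubectl -o json` output."""

def is_default_deny(policy):
    """True only if the policy isolates every pod in its namespace in both directions.
    An empty podSelector selects all pods; a direction listed in policyTypes with no
    rules allows nothing, whereas a rule list holding {} would allow everything."""
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) != {}:
        return False
    if set(spec.get("policyTypes", [])) != {"Ingress", "Egress"}:
        return False
    return not spec.get("ingress") and not spec.get("egress")

def enforcement_plugin_ready(daemonsets):
    """True if a Calico or Cilium node DaemonSet in kube-system has every pod ready.
    Input is `kubectl get daemonset -n kube-system -o json`; the DaemonSet names
    checked are the usual ones (assumed, adjust for your install)."""
    for ds in daemonsets.get("items", []):
        if ds["metadata"]["name"] in ("calico-node", "cilium"):
            status = ds.get("status", {})
            desired = status.get("desiredNumberScheduled", 0)
            if desired > 0 and status.get("numberReady", 0) == desired:
                return True
    return False

def diagnose(policy, daemonsets, test_pod_namespace):
    """Return the reasons the policy may not apply to the test pod (empty list = none found)."""
    findings = []
    if not enforcement_plugin_ready(daemonsets):
        findings.append("no ready Calico/Cilium DaemonSet in kube-system: policy is stored, not enforced")
    if not is_default_deny(policy):
        findings.append("policy does not isolate all pods in both directions")
    policy_ns = policy["metadata"]["namespace"]
    if policy_ns != test_pod_namespace:
        findings.append(f"policy lives in {policy_ns!r} but the test pod runs in {test_pod_namespace!r}")
    return findings

# Constructed samples shaped like kubectl -o json output (not data from a real cluster).
QUESTION_POLICY = {"metadata": {"name": "default-deny", "namespace": "default"},
                   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
ALLOW_ALL_LOOKALIKE = {"metadata": {"name": "default-deny", "namespace": "default"},
                       "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                                "ingress": [{}], "egress": [{}]}}  # an empty {} rule allows all
NO_PLUGIN = {"items": [{"metadata": {"name": "kube-proxy"},
                        "status": {"desiredNumberScheduled": 3, "numberReady": 3}}]}
CALICO_READY = {"items": [{"metadata": {"name": "calico-node"},
                           "status": {"desiredNumberScheduled": 3, "numberReady": 3}}]}

if __name__ == "__main__":
    print(diagnose(QUESTION_POLICY, NO_PLUGIN, "default") or "no problem found")
```

Run against the question's policy on a cluster without an enforcing plugin, the only finding is the missing DaemonSet, which is exactly the situation the answer describes.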

To install Calico using manifests

Apply the Calico manifests to your cluster. These manifests create a DaemonSet in the kube-system namespace.

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-operator.yaml

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-crs.yaml

View the resources in the kube-system namespace.

kubectl get daemonset calico-node --namespace kube-system

Output

The values in the DESIRED and READY columns should match. The values returned for you are different from the values in the following output.

NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
calico-node   1         1         1       1            1           kubernetes.io/os=linux   26m
