
Network Policy in Kubernetes

I am connecting a Node.js app to MongoDB using a Kubernetes cluster. I want to ensure that the mongo POD communicates only with the Node.js POD and deny any other POD traffic. When I apply the default-deny policy and then apply the allow policy by app, it is not working.

I have come up with the following policies - why are they not working?

Default deny policy:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector:
    matchLabels: {}

Network policy:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nodejs
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nodejs-mongo
  ingress:
    - from:
      - podSelector:
          matchLabels:
            run: mongo

The deny-all policy should look like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

I applied your policies and it worked for me. However, you don't have to specify a deny-all policy. Once you create a Network Policy that allows a pod to accept traffic from a specific set of pods, it will be restricted by it. This way it will keep your setup simpler and will require less troubleshooting.

So in your case you can create a Network Policy that allows communication from a specific pod. Make sure you are using the correct labels to select the targeted pod(s) and the pod(s) they can accept traffic from.

Keep in mind that a NetworkPolicy is applied to a particular Namespace and only selects Pods in that particular Namespace.

Example policy that can be applied to accept traffic from pods matching its selectors:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: backend-access
spec:
  podSelector:
    matchLabels:
      app: restricted-access # selects the pods that this policy applies to (they become isolated for ingress)
  ingress:
    - from:
      - podSelector:
          matchLabels:
            app: allowed-traffic # selects the pods that are allowed to send traffic to the targeted pods
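To check what the policies on this page actually permit before pushing them to a cluster, here is an added example that is not code from the question or either answer: a small Python model of the NetworkPolicy ingress rules (a pod becomes isolated once any Ingress-type policy selects it, an empty podSelector selects every pod, and a policy with no ingress rules is a deny-all for the pods it selects). It replays the question's two policies against three constructed pods, then a policy written the other way round (targeting the mongo pod and admitting only the Node.js pod), which is my reading of the intent stated in the question. The pod labels are constructed to match the selectors used on the page; only podSelector peers within a single namespace are modelled, so namespaceSelector and ipBlock peers are out of scope.

```python
"""Model of Kubernetes NetworkPolicy *ingress* semantics (added example).

Rules implemented, as documented for the NetworkPolicy API:
  * A pod is isolated for ingress once ANY policy whose policyTypes include
    Ingress selects it; an isolated pod accepts only traffic some rule admits.
  * podSelector: {} (or an empty matchLabels) selects every pod in the namespace.
  * If policyTypes is omitted, Ingress is implied (and Egress only when egress
    rules exist), so a selecting policy with no ingress rules denies all ingress.
Assumption: one namespace, podSelector peers only (no namespaceSelector/ipBlock).
"""
from typing import Dict, List, Optional

Labels = Dict[str, str]


def selector_matches(selector: Optional[dict], labels: Labels) -> bool:
    """Label-selector match; a missing or empty matchLabels matches every pod."""
    if selector is None:
        return False
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(policy: dict) -> List[str]:
    """Apply the API default when policyTypes is absent."""
    spec = policy["spec"]
    if spec.get("policyTypes"):
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if spec.get("egress") else ["Ingress"]


def ingress_allowed(policies: List[dict], src: Labels, dst: Labels) -> bool:
    """True if a pod labelled `src` may open a connection to a pod labelled `dst`."""
    isolated = False
    for policy in policies:
        spec = policy["spec"]
        if "Ingress" not in policy_types(policy):
            continue
        if not selector_matches(spec.get("podSelector", {}), dst):
            continue
        isolated = True  # dst is selected: from now on only explicit rules admit traffic
        for rule in spec.get("ingress") or []:
            peers = rule.get("from")
            if not peers:  # a rule without 'from' admits every source
                return True
            if any(selector_matches(p.get("podSelector"), src) for p in peers):
                return True
    return not isolated  # a pod no policy selects accepts everything


# The two policies posted in the question, written as dicts instead of YAML.
DEFAULT_DENY = {"spec": {"podSelector": {"matchLabels": {}}}}
ACCESS_NODEJS = {"spec": {
    "podSelector": {"matchLabels": {"app": "nodejs-mongo"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "mongo"}}}]}],
}}
# Policy targeting the mongo pod and admitting only the Node.js pod (assumed intent).
MONGO_ONLY_FROM_NODEJS = {"spec": {
    "podSelector": {"matchLabels": {"run": "mongo"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "nodejs-mongo"}}}]}],
}}

# Constructed pod labels that match the selectors used on the page.
PODS = {
    "nodejs": {"app": "nodejs-mongo"},
    "mongo": {"run": "mongo"},
    "other": {"app": "something-else"},
}


def evaluate(policies: List[dict]) -> Dict[tuple, bool]:
    """Connectivity matrix {(source, destination): allowed} for the sample pods."""
    return {(s, d): ingress_allowed(policies, PODS[s], PODS[d])
            for s in PODS for d in PODS if s != d}


if __name__ == "__main__":
    for name, pols in [("question's policies", [DEFAULT_DENY, ACCESS_NODEJS]),
                       ("mongo-only-from-nodejs", [MONGO_ONLY_FROM_NODEJS])]:
        print(name)
        for (s, d), ok in evaluate(pols).items():
            print(f"  {s:>6} -> {d:<6} {'ALLOW' if ok else 'DENY'}")
```

With the question's pair of policies the model shows mongo -> nodejs allowed but nodejs -> mongo denied, because the mongo pod is isolated by the default-deny and no rule selects it as a destination; the reversed policy gives nodejs -> mongo allowed and other -> mongo denied while leaving the Node.js pod non-isolated, which is the behaviour the second answer describes. In a real cluster the same check is a connection attempt from each pod (for example via kubectl exec), and the policies are only enforced when the cluster's CNI plugin implements NetworkPolicy.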
