
kubernetes - Ingress network policy not working as expected

I have 3 Kubernetes deployments and services for each of the deployments (namespace = firstspace). Each deployment is labelled as app1, app2, app3 in order.

As an example, if I run the following command, I will get the first pod as the result.

kubectl get pods -l app=app1 --namespace firstspace

My goal is to restrict the Ingress access of the third pod (app=app3) using the following Network Policy, allowing traffic only from the second pod (app=app2) and any pods from another namespace called "secondspace".

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-app3
  namespace: firstspace
spec:
  podSelector: 
    matchLabels:
      app: app3
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: secondspace
    - podSelector:
        matchExpressions:
          - {key: app, operator: In, values: [app2]}
  policyTypes:
  - Ingress

However, when I deploy the network policy to the "firstspace" namespace, I can still curl (and get a sample JSON response) the service of the third pod (app=app3) using the first pod (app=app1).

Following is a sample command. Here, 10.100.150.0 is the ClusterIP of the service created for the third pod.

kubectl exec app1-849b94c6df-rzdls --namespace firstspace -- curl -sL 10.100.150.0:8080/testendpoint

Can someone help me understand what I'm doing wrong here?

After some trial and error, I observed the following. According to the Kubernetes Network Policies documentation, deployed Network Policies will only be effective if a network plugin is installed in the Kubernetes cluster.

Since my local minikube cluster did not have a network plugin, the network policy I have mentioned in the question description was not effective.

After installing the Cilium Network Plugin in my minikube cluster, the network policy worked as expected.

Notes:

  • Cilium Network Plugin installation was not successful on minikube when using docker as the driver, but it worked when hyperv was selected as the driver.
  • I had to create an Egress policy as well for the pod with app=app2 label to allow egress traffic from the pod with app=app3 label (See the example below).

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-app2
  namespace: firstspace
spec:
  podSelector: 
    matchLabels:
      app: app2
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: app3
  policyTypes:
  - Egress
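The following is an added example, not code from the question or the answer above: a small Python evaluator of NetworkPolicy semantics that runs both the question's ingress-app3 policy and the answer's egress-app2 policy against the three pods, so the expected reachability can be checked offline. It assumes a CNI that actually enforces NetworkPolicy (the answer's point; with no enforcing plugin every connection is allowed, which is what evaluating an empty policy list shows). It ignores ports and ipBlock peers, and the secondspace client pod, its labels and the two namespace label sets are constructed for the example.

```python
"""Evaluate Kubernetes NetworkPolicy reachability for the policies on this page.

Only the label-selector parts of the spec are modelled: ports and ipBlock
peers are ignored, and an enforcing CNI is assumed.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def selector_matches(selector, labels):
    """LabelSelector semantics: matchLabels AND matchExpressions; {} matches all."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def peer_matches(peer, policy_ns, other, namespaces):
    """One `from`/`to` entry. Selectors inside a single entry are ANDed;
    separate entries in the list are ORed by the caller."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return True  # an empty `- {}` peer matches every pod
    if ns_sel is None:
        if other.namespace != policy_ns:
            return False  # a lone podSelector only covers the policy's own namespace
    elif not selector_matches(ns_sel, namespaces.get(other.namespace, {})):
        return False  # namespaceSelector matches namespace *labels*, not the name
    if pod_sel is not None and not selector_matches(pod_sel, other.labels):
        return False
    return True


def policy_types(policy):
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def direction_allowed(direction, subject, other, policies, namespaces):
    """direction 'Ingress': subject is the destination; 'Egress': subject is the source."""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == subject.namespace
                  and direction in policy_types(p)
                  and selector_matches(p["spec"]["podSelector"], subject.labels)]
    if not applicable:
        return True  # no policy selects this pod in this direction: allow all
    for policy in applicable:
        for rule in policy["spec"].get(rules_key, []):
            peers = rule.get(peers_key)
            if not peers:
                return True  # a rule without from/to allows all traffic
            if any(peer_matches(peer, subject.namespace, other, namespaces) for peer in peers):
                return True
    return False  # selected by a policy but matched by no rule: denied


def connection_allowed(src, dst, policies, namespaces):
    """Both the source's egress and the destination's ingress must permit it."""
    return (direction_allowed("Egress", src, dst, policies, namespaces)
            and direction_allowed("Ingress", dst, src, policies, namespaces))


# The question's policy, transcribed from its YAML.
INGRESS_APP3 = {
    "metadata": {"name": "ingress-app3", "namespace": "firstspace"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "app3"}},
        "ingress": [{"from": [
            {"namespaceSelector": {"matchLabels": {"name": "secondspace"}}},
            {"podSelector": {"matchExpressions": [
                {"key": "app", "operator": "In", "values": ["app2"]}]}},
        ]}],
        "policyTypes": ["Ingress"],
    },
}
# The answer's egress policy, transcribed from its YAML.
EGRESS_APP2 = {
    "metadata": {"name": "egress-app2", "namespace": "firstspace"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "app2"}},
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "app3"}}}]}],
        "policyTypes": ["Egress"],
    },
}

APP1 = Pod("app1", "firstspace", {"app": "app1"})
APP2 = Pod("app2", "firstspace", {"app": "app2"})
APP3 = Pod("app3", "firstspace", {"app": "app3"})
CLIENT = Pod("client", "secondspace", {"app": "client"})  # constructed pod in secondspace

# Constructed namespace label sets: the `name=secondspace` label the policy relies on
# has to be added by hand; only kubernetes.io/metadata.name is set automatically.
NAMESPACES_LABELLED = {
    "firstspace": {"kubernetes.io/metadata.name": "firstspace"},
    "secondspace": {"kubernetes.io/metadata.name": "secondspace", "name": "secondspace"},
}
NAMESPACES_UNLABELLED = {
    "firstspace": {"kubernetes.io/metadata.name": "firstspace"},
    "secondspace": {"kubernetes.io/metadata.name": "secondspace"},
}


def evaluate(policies, namespaces):
    """Reachability for the flows discussed on the page."""
    return {
        "app1->app3": connection_allowed(APP1, APP3, policies, namespaces),
        "app2->app3": connection_allowed(APP2, APP3, policies, namespaces),
        "secondspace->app3": connection_allowed(CLIENT, APP3, policies, namespaces),
        "app2->app1": connection_allowed(APP2, APP1, policies, namespaces),
    }


if __name__ == "__main__":
    print("no policies (what an unenforcing cluster looks like):", evaluate([], NAMESPACES_LABELLED))
    print("ingress-app3 only:", evaluate([INGRESS_APP3], NAMESPACES_LABELLED))
    print("ingress-app3 + egress-app2:", evaluate([INGRESS_APP3, EGRESS_APP2], NAMESPACES_LABELLED))
    print("secondspace missing name label:", evaluate([INGRESS_APP3], NAMESPACES_UNLABELLED))
```

Two checks worth taking from the run: the `namespaceSelector` peer only admits pods from secondspace if that namespace actually carries the `name=secondspace` label (the evaluator returns False for the unlabelled set), and adding egress-app2 does not change app2's access to app3 but does cut app2 off from every other destination, so an egress policy should be applied with that side effect in mind.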
