Allow egress from a Kubernetes pod to only specific FQDN/DNS with Azure CNI Network Policies
How can egress from a Kubernetes pod be limited to only specific FQDN/DNS with Azure CNI Network Policies?
This is something that can be achieved with:
Istio
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: googleapis
  namespace: default
spec:
  destination:
    service: "*.googleapis.com"
  ports:
    - port: 443
      protocol: https
Cilium
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "fqdn"
spec:
  endpointSelector:
    matchLabels:
      app: some-pod
  egress:
    - toFQDNs:
        - matchName: "api.twitter.com"
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
OpenShift
apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: default-rules
spec:
  egress:
    - type: Allow
      to:
        dnsName: www.example.com
    - type: Deny
      to:
        cidrSelector: 0.0.0.0/0
How can something similar be done with Azure CNI Network Policies?
Apply K8s network policies
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-rules
spec:
  podSelector:
    matchLabels:
      role: pod_role
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
        - host: www.example.com  # "host" is not a field of networking.k8s.io/v1 NetworkPolicy; the API has no FQDN selector
reference https://kubernetes.io/docs/concepts/services-networking/network-policies/
At the moment, network policies with FQDN/DNS rules are not supported on AKS.
If you use Azure CNI & the Azure Policy Plugin you get the default Kubernetes Network Policies.
If you use Azure CNI & the Calico Policy Plugin you get advanced possibilities like Global Network Policies, but not the FQDN/DNS one. This is a paid feature on Calico Cloud, unfortunately.
In case someone is hitting this page from Google:
I found a solution that works nicely on my cloud provider (OpenTelekomCloud) and probably will on many others.
There is a project called gke-fqdnnetworkpolicies-golang.
By defining a custom resource
apiVersion: networking.gke.io/v1alpha3
kind: FQDNNetworkPolicy
metadata:
  name: allow-test
  namespace: test1
spec:
  podSelector: {}
  egress:
    - to:
        - fqdns:
            - heise.de
      ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
it will resolve the FQDNs, produce the final NetworkPolicy and update the records every 30 seconds. This is what the final policy will look like:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-test
  namespace: test1
  annotations:
    fqdnnetworkpolicies.networking.gke.io/owned-by: allow-test
spec:
  podSelector: {}
  egress:
    - ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80
      to:
        - ipBlock:
            cidr: 128.65.210.8/32
  policyTypes:
    - Ingress
    - Egress
I had to append the following permissions to the ClusterRole fqdnnetworkpolicies-manager-role in the YAML (downloaded from the release page) to make it work outside GKE:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fqdnnetworkpolicies-manager-role
rules:
  ...
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies/status
    verbs:
      - get
      - patch
      - update
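The rendering step the answer above describes (resolve each FQDN, emit one `ipBlock` per address, re-run on a timer) is small enough to show in full. The following is an added example, not code from the answer or from the gke-fqdnnetworkpolicies-golang project: it renders the same `allow-test` spec into a plain v1 NetworkPolicy, keeps the previous addresses for a name that fails to resolve instead of dropping the pod's egress, and also emits a companion policy for kube-dns. That second policy matters because once `Egress` appears in `policyTypes`, everything not listed is denied for the selected pods, DNS included; NetworkPolicies are additive, so a separate allow rule for kube-dns restores resolution. The DNS resolver is injected so the block runs offline against a constructed lookup table (`FAKE_DNS`, `fake_resolver`); `resolve_with_dns` is the live variant. The kube-system label and the `k8s-app=kube-dns` selector are assumptions about the cluster.

```python
"""FQDN allow-list -> ipBlock NetworkPolicy rendering, in the style of the controller above.

Added example, not code from the answer or from gke-fqdnnetworkpolicies-golang.
The resolver is injected so the block runs offline against a constructed lookup
table; pass resolve_with_dns for live resolution.
"""
import ipaddress
import json
import socket
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]
Manifest = Dict[str, object]


def resolve_with_dns(fqdn: str) -> List[str]:
    """Live resolver: every A/AAAA address the name currently returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})


# Constructed lookup table standing in for DNS so the example is deterministic.
FAKE_DNS: Dict[str, List[str]] = {
    "heise.de": ["193.99.144.80"],
    "api.example.org": ["198.51.100.10", "2001:db8::10"],
}


def fake_resolver(fqdn: str) -> List[str]:
    if fqdn not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {fqdn}")
    return FAKE_DNS[fqdn]


def host_cidr(addr: str) -> str:
    """Single-host CIDR (/32 for v4, /128 for v6) so only the resolved host is allowed."""
    ip = ipaddress.ip_address(addr)
    return f"{ip}/{ip.max_prefixlen}"


def resolve_all(fqdns: List[str], resolver: Resolver,
                previous: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Map each FQDN to its host CIDRs; returns (mapping, names that failed to resolve).

    A failed name keeps the CIDRs from the previous render, so a transient DNS error
    does not yank the pod's egress on the next tick. A name with no previous result
    gets an empty list, i.e. it stays denied until it resolves.
    """
    current: Dict[str, List[str]] = {}
    failed: List[str] = []
    for fqdn in fqdns:
        try:
            current[fqdn] = sorted(host_cidr(a) for a in resolver(fqdn))
        except (socket.gaierror, ValueError):
            failed.append(fqdn)
            current[fqdn] = list(previous.get(fqdn, []))
    return current, failed


def render_fqdn_policy(name: str, namespace: str, pod_selector: Manifest,
                       resolved: Dict[str, List[str]], ports: List[Manifest]) -> Manifest:
    """The v1 NetworkPolicy an FQDNNetworkPolicy is rendered into: one ipBlock per address."""
    cidrs = sorted({c for cs in resolved.values() for c in cs})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {
            "name": name,
            "namespace": namespace,
            # same owner annotation as in the answer, so the rendered object can be found again
            "annotations": {"fqdnnetworkpolicies.networking.gke.io/owned-by": name},
        },
        "spec": {
            "podSelector": pod_selector,
            "policyTypes": ["Egress"],  # only Egress here; ingress is left untouched
            "egress": [{
                "ports": [{"protocol": p["protocol"], "port": p["port"]} for p in ports],
                "to": [{"ipBlock": {"cidr": c}} for c in cidrs],
            }],
        },
    }


def render_dns_policy(name: str, namespace: str, pod_selector: Manifest) -> Manifest:
    """Companion policy: with Egress in policyTypes the pod is default-deny for anything
    not listed, DNS included, so kube-dns must be allowed separately (policies are additive).
    Assumption: kube-system carries the kubernetes.io/metadata.name label and CoreDNS
    runs as k8s-app=kube-dns; adjust for your cluster."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{name}-dns", "namespace": namespace},
        "spec": {
            "podSelector": pod_selector,
            "policyTypes": ["Egress"],
            "egress": [{
                "to": [{
                    "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
                }],
                "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
            }],
        },
    }


if __name__ == "__main__":
    # Same spec as the FQDNNetworkPolicy in the answer, rendered against the fake resolver.
    resolved, failed = resolve_all(["heise.de", "nope.invalid"], fake_resolver, previous={})
    ports = [{"port": 443, "protocol": "TCP"}, {"port": 80, "protocol": "TCP"}]
    for manifest in (render_fqdn_policy("allow-test", "test1", {}, resolved, ports),
                     render_dns_policy("allow-test", "test1", {})):
        print(json.dumps(manifest, indent=2))  # JSON is accepted by kubectl apply -f
    if failed:
        print("unresolved, currently denied:", failed)
```

Two caveats carry over from the answer's design to any such controller. The rendered `ipBlock` list is only as current as the last resolution, so a name fronted by a CDN or with a short TTL can return an address the policy does not yet contain; shortening the refresh interval helps but does not close the gap. And the policy is enforced on IP, not on name: any other host that shares a listed address is reachable too, which is the fundamental difference from a proxy- or DNS-aware enforcer such as the Cilium `toFQDNs` rule in the question.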