K8s.network 策略仅限制一个端点的出口

Question

I need to create a NetwrokPolicy for my pod which from the.network aspects needs to access to only one specific endpoint outside the cluster, only this endpoint.我需要为我的 pod 创建一个NetwrokPolicy ，它从 .network 方面需要只访问集群外的一个特定端点，只有这个端点。

The endpoint looks like following.端点如下所示。 https://140.224.232.236:8088 https://140.224.232.236:8088

Before apply the following.network policy I've exec to the pod (the image is based on alpine) and run ping www.google.com and it works as expected,在应用 following.network 策略之前，我已经执行到 pod（图像基于 alpine）并运行ping www.google.com并且它按预期工作，

However when I apply the.network policy I and I try to ping google.com I got ping: bad address 'www.google.com' but when I ping to the ip like但是，当我应用 .network 策略时，我尝试ping google.com我得到ping: bad address 'www.google.com'但是当我 ping 到 ip 时

ping 140.224.232.236
ping 140.224.232.236:8080

it get stuck and before I was able to see something like this它卡住了，在我看到这样的东西之前

64 bytes from 140.224.232.236: seq=518 ttl=245 time=137.603 ms
64 bytes from 140.224.232.236: seq=519 ttl=245 time=137.411 ms
64 bytes from 140.224.232.236: seq=520 ttl=245 time=137.279 ms
64 bytes from 140.224.232.236: seq=521 ttl=245 time=137.138 ms
....

Now its just stuck on this, any idea?现在它只是停留在这个上，有什么想法吗？

ping 140.224.232.236
PING 140.224.232.236 (140.224.232.236): 56 data bytes

and nothing more, what does it mean?仅此而已，这是什么意思？

What I did is the following我所做的是以下

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
    name: test-network-policy
    namespace: dev
spec:
    podSelector:
      matchLabels:
        app.kubernetes.io/name: foo
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 140.224.232.236/32
    ports:
    - protocol: TCP
      port: 8088

I've applied it on the same ns of the pod.我已经将它应用到 pod 的同一个 ns 上。
the name of the pod selector label has taken from the pod which I want to apply the.network policy and have the following. pod 选择器的名称 label 取自我要应用 .network 策略的 pod 并具有以下内容。 app.kube.netes.io/name: foo

Answer 1

As you defined egress with ports:正如您使用端口定义出口一样：

ports:
- protocol: TCP
  port: 8080

which means allowing connections to ip 140.224.232.236 on TCP port 8080.这意味着允许在TCP 端口8080 上连接到 ip 140.224.232.236。

However, ping (ICMP) doesnot know the port.但是， ping (ICMP) 不知道该端口。 Ping will fail every time. Ping 每次都会失败。

ping is a.networking utility used to test the reachability of a remote host over Inte.net Protocol (IP) . ping是一种网络实用程序，用于测试远程主机通过Inte.net 协议 (IP)的可达性。 The ping utility does so by sending out a series of Inte.net Control Message Protocol (ICMP) echo request packets to a remote host. ping实用程序通过向远程主机发送一系列Inte.net 控制消息协议 (ICMP)回显请求数据包来实现此目的。
You cannot probe a specific port with ping command because ICMP belongs to layer-3 IP layer , not layer-4 transport layer (eg, TCP/UDP).您无法使用 ping 命令探测特定端口，因为 ICMP 属于第 3 层 IP 层，而不是第 4 层传输层（例如，TCP/UDP）。
In order to ping a specific port of a remote host, you need to use layer-4 transport protocols which have a notion of port numbers, with many command-line tools like:为了 ping 远程主机的特定端口，您需要使用具有端口号概念的第 4 层传输协议，以及许多命令行工具，例如：

paping 140.224.232.236 -p 8080 -c 3 paping -p 8080 -c 3
nmap -p 80 -sT www.google.com nmap -p 80 -sT www.google.com
tcpping www.google.com tcpping www.google.com

Answer 2

You are allowing egress traffic to port 8088 over TCP , not ICMP.您允许通过 TCP 而不是 ICMP 到端口 8088 的出口流量。 Ping won't work with that applied. Ping 不适用于该应用。

If you want to allow a non-TPC nor UDP protocol using vanilla's Kube.netes API for.network policies, then you need to omit the port definition .如果你想允许非 TPC 或 UDP 协议使用 vanilla 的 Kube.netes API for.network 策略，那么你需要省略端口定义。

You can also use a.network policy API ofCalico for this matter.这个事情也可以用Calico的a.network policy API。

That gives more flexibility when it comes to configuring Network Policies in your cluster.在集群中配置网络策略时，这提供了更大的灵活性。

Answer 3

Your Network policy is perfect.您的网络政策是完美的。 You cannot use ping to test your TCP port as ping works with ICMP protocol.您不能使用 ping 来测试您的 TCP 端口，因为 ping 使用 ICMP 协议。

There are ways without changing your.network policy to test your configuration.有很多方法可以在不更改您的网络策略的情况下测试您的配置。

For examples:-举些例子：-

exec to the pod and run this one liner .执行到 pod 并运行这个one liner 。 You should get 'Port is open'您应该得到“端口已打开”

$  </dev/tcp/140.224.232.236/8088 && echo Port is open || echo Port is closed
Port is open

/dev/tcp/host/port
    If host is a valid hostname or Internet address, and port is an integer port number
    or service name, bash attempts to open a TCP connection to the corresponding socket.
/dev/udp/host/port
    If host is a valid hostname or Internet address, and port is an integer port number
    or service name, bash attempts to open a UDP connection to the corresponding socket.

If curl / wget is installed, run cur/wget by doing exec to the pod如果安装了curl / wget ，通过对 pod 执行 exec 来运行 cur/wget

curl -k https://140.224.232.236:8088
wget --no-check-certificate https://140.224.232.236:8088

If.network tool nc is present, exec to pod and run this command, if '0' is returned it works.如果存在网络工具nc ，则执行到 pod 并运行此命令，如果返回“0”，则它可以运行。

nc 140.224.232.236 8088 &> /dev/null; echo $?
0

or below command should return 'succeeded'或以下命令应返回“成功”

nc -zv 140.224.232.236 8088 
Connection to 140.224.232.236 8088 port [tcp/*] succeeded!

K8s.network 策略仅限制一个端点的出口

问题描述

3 个解决方案

解决方案1
3 已采纳 2022-02-24 03:17:32

解决方案2
1 2022-02-23 18:59:06

解决方案3
1 2022-02-27 09:13:44

K8s.network 策略仅限制一个端点的出口

问题描述

3 个解决方案

解决方案1 3 已采纳 2022-02-24 03:17:32

解决方案2 1 2022-02-23 18:59:06

解决方案3 1 2022-02-27 09:13:44

解决方案1
3 已采纳 2022-02-24 03:17:32

解决方案2
1 2022-02-23 18:59:06

解决方案3
1 2022-02-27 09:13:44