Kubernetes egress rule blocks all outgoing traffic
The Problem

I've defined a kubernetes egress rule from pod test-1 to a specific pod test-2, but this rule also blocks traffic from test-1 to test-2:
I have the pods test-1 and test-2 and a network policy for egress traffic from test-1 to test-2. Then I call test-2 from test-1 by curl test-2. But this call is blocked!

Both selectors return the expected pod:
kubectl describe networkpolicies test-1-policy
kubectl get pod --selector app.kubernetes.io/name=test-1
kubectl get pod --selector app.kubernetes.io/name=test-2
When I remove the networkpolicy the connect by curl test-2 works.

My Question: What did I miss?
Here's how to reproduce the problem:

1. Save the yaml below as deployment.yaml (see below)
2. kubectl apply -f deployment.yaml
3. kubectl exec --stdin --tty $(kubectl get pod -l app.kubernetes.io/name=test-1 -o jsonpath="{.items[0].metadata.name}") -- /bin/bash
4. curl test-2 => request is blocked
5. kubectl delete networkpolicy test-1-policy
Here's the complete yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-1
  labels:
    app.kubernetes.io/name: test-1
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-1
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - name: http
              containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-2
  labels:
    app.kubernetes.io/name: test-2
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-2
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-2
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - name: http
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: test-1
  labels:
    app.kubernetes.io/name: test-1
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      name: http
  selector:
    app.kubernetes.io/name: test-1
---
apiVersion: v1
kind: Service
metadata:
  name: test-2
  labels:
    app.kubernetes.io/name: test-2
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      name: http
  selector:
    app.kubernetes.io/name: test-2
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: test-1-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: test-1
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: test-2
      ports:
        - port: 80
          protocol: TCP
The dns egress rule is missing. When you add the egress rules for port 53 everything works as expected:
egress:
  - ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/11-deny-egress-traffic-from-an-application.md