Kubernetes egress rule blocks all outgoing traffic

The Problem

I've defined a Kubernetes egress rule from pod test-1 to a specific pod test-2, but this rule also blocks traffic from test-1 to test-2:

  1. I've created two pods: test-1 and test-2
  2. I've created a networkpolicy that allows only egress traffic from test-1 to test-2
  3. I've tried to call test-2 from test-1 by curl test-2. But this call is blocked!
  4. I've checked the selectors

Both selectors return the expected pod:

kubectl describe networkpolicies test-1-policy
kubectl get pod --selector app.kubernetes.io/name=test-1
kubectl get pod --selector app.kubernetes.io/name=test-2

When I remove the networkpolicy, the connection by curl test-2 works.

My Question: What did I miss?

Here's how to reproduce the problem

  1. Paste yaml into file deployment.yaml (see below)
  2. Deploy demo: kubectl apply -f deployment.yaml
  3. Exec into pod: kubectl exec --stdin --tty $(kubectl get pod -l app.kubernetes.io/name=test-1 -o jsonpath="{.items[0].metadata.name}") -- /bin/bash
  4. Call request in pod: curl test-2 => request is blocked
  5. Remove networkpolicy: kubectl delete networkpolicy test-1-policy
  6. Exec in pod and call request => request is executed

Here's the complete yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-1
  labels:
    app.kubernetes.io/name: test-1
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-1
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - name: http
              containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-2
  labels:
    app.kubernetes.io/name: test-2
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-2
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-2
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - name: http
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: test-1
  labels:
    app.kubernetes.io/name: test-1
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      name: http
  selector:
    app.kubernetes.io/name: test-1
---
apiVersion: v1
kind: Service
metadata:
  name: test-2
  labels:
    app.kubernetes.io/name: test-2
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      name: http
  selector:
    app.kubernetes.io/name: test-2
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: test-1-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: test-1
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: test-2
      ports:
        - port: 80
          protocol: TCP

The DNS egress rule is missing:

When you add the egress rules for port 53, everything works as expected:

  egress:
    - ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/11-deny-egress-traffic-from-an-application.md
