
AZURE AKS: why is the network policy not working?

I have a Kubernetes cluster (AKS) within Azure, with Application Gateway Ingress Controller.

I deployed a WordPress Helm release on it. I would like to allow ingress traffic only from the Application Gateway Ingress Controller pod, which is in kube-system.

So my values.yml looks like:

# I paste only NetworkPolicy part
networkPolicy:
  enabled: true
  ingress:
    enabled: true
  ingressRules:
    customRules:
      - from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: kube-system
            podSelector:
              matchLabels:
                app: ingress-appgw

However, when I deploy a release, WordPress itself works fine. But I cannot access it via <Application_Gateway_Ingress_Controller_PublicIP>.

On my Azure Portal, when I go to the Application Gateway resource I get the following messages:

Image1: [screenshot not reproduced]

Image2: [screenshot not reproduced]

But when I remove the Network Policy part from values.yml, the AGIC becomes healthy!

Any help please?

Thank you in advance!
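One point worth checking against the policy in the question: with AGIC, the ingress-appgw pod only programs the Application Gateway; it is not on the data path. The Application Gateway itself (an Azure resource outside the cluster) sends health probes and request traffic straight to the pod IPs from its own subnet, so a namespaceSelector/podSelector rule for the controller pod never matches the probe traffic, and the backend is reported unhealthy. The following values.yml fragment is an added example, not from the question or the answer; it assumes the same Bitnami-style customRules structure the question uses, that the WordPress container listens on port 8080, and uses 10.2.0.0/24 as a placeholder for the Application Gateway subnet, which you must replace with your own.

```yaml
# values.yml (NetworkPolicy part only); added example, not from the question.
networkPolicy:
  enabled: true
  ingress:
    enabled: true
  ingressRules:
    customRules:
      # Data-path traffic: Application Gateway probes and requests arrive
      # from the gateway's own subnet, so match that subnet by CIDR.
      # 10.2.0.0/24 is a placeholder; substitute your gateway subnet.
      - from:
          - ipBlock:
              cidr: 10.2.0.0/24
        ports:
          - protocol: TCP
            port: 8080   # assumed WordPress container port; adjust if different
```

After upgrading the release, `kubectl describe networkpolicy -n <release-namespace>` shows the rendered rule, and the Application Gateway backend health should turn healthy once its probes reach the pods. Keeping the rule narrowed to the gateway subnet and a single port preserves the least-privilege intent of the original policy.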

This error means that you don't have any healthy backend pools; try adding health probes as below. This will continuously monitor your backend pools for their health status and update the application gateway. The App Gateway will only send traffic to healthy backend pools and refresh

[screenshots not reproduced]

After adding health probes and refreshing, it takes a few minutes for these to update; then try to access the application gateway, and if you receive an invalid hostname error, try changing the setting as below in advance:

[screenshot not reproduced]

Check out this SO thread by Vladam for some pointers.


Alternately, try to develop a network policy that blocks all traffic. Create a file named backend-policy.yaml and use the below manifest to block all incoming traffic to the pod:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: backend-policy
  namespace: development
spec:
  podSelector:
    matchLabels:
      app: webapp
      role: backend
  ingress: []

Reference:

Troubleshoot backend health issues in Azure Application Gateway | Microsoft Docs

Secure pod traffic with network policy - Azure Kubernetes Service | Microsoft Docs
