
Allowing traffic between different pods using pod network policy

I have created the below `pod` in the default namespace:

 kubectl run myhttpd --image="docker.io/library/nginx:latest" --restart=Never -l app=httpd-server --port 80

I was creating another Pod in a different namespace to check connectivity to port 80 in the default namespace with the below command:

kubectl run cli-httpd --rm -it --image=busybox --restart=Never -l app=myhttpd -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 100.64.9.198  (IP of application in default namespace)

In order to allow connectivity between both namespaces, I have created the below Pod network policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-ingress-80
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: myhttpd
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.64.8.0/22
    ports:
    - protocol: TCP
      port: 80

10.64.8.0/22 is the Pods network range.

But the connectivity is timing out. Please suggest how to allow this connectivity.

In NetworkPolicy, the ipBlock is usually meant to allow communications from outside your SDN.

What you want to do is to filter based on pod labels.

Having started your test pod, check for its labels:

kubectl get pods --show-labels

Pick one that identifies your Pod while not matching anything else, then fix your NetworkPolicy. It should look something like:

spec:
  ingress:
  - from:
    - podSelector: # assuming client pod belongs to same namespace as application
        matchLabels:
          app: my-test # netpol allows connections from any pod with label app=my-test
    ports:
    - port: 80 # netpol allows connections to port 80 only
      protocol: TCP
  podSelector:
    matchLabels:
      app: myhttpd  # netpol applies to any pod with label app=myhttpd
  policyTypes:
  - Ingress

While... I'm not certain what the NetworkPolicy specification says regarding ipBlocks (can they refer to SDN ranges?)... depending on your SDN, I guess your configuration "should" work, in some cases, maybe. Maybe your issue is only related to label selectors?

Note, to allow connections from everywhere, I would use:

spec:
  ingress:
  - {}
....
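The answer's example assumes the client runs in the same namespace as the application, but in the question the client pod (`app=myhttpd`) is in a different namespace from the server pod (`app=httpd-server`, namespace `default`), and the question's policy selects `app: myhttpd`, i.e. the client's label rather than the server's. Below is an added example (not code from the original question or answer) of the cross-namespace version: a `namespaceSelector` and a `podSelector` combined in one `from` entry, so the rule matches only pods with the client label in the client's namespace. The namespace name `client-ns` is an assumption; the `kubernetes.io/metadata.name` label it matches is set automatically on every namespace from Kubernetes 1.22 onwards. Selecting by labels instead of `ipBlock` also follows the Kubernetes documentation, which reserves `ipBlock` for cluster-external CIDRs because pod IPs are ephemeral.

```yaml
# Added example, not part of the original question or answer.
# Assumptions: the server pod keeps the labels from the question
# (app=httpd-server in namespace "default"); the client pod is labelled
# app=myhttpd and runs in a namespace called "client-ns" (hypothetical name).
---
# 1. Explicit default-deny ingress for the server pod.
#    A pod with no policy selecting it accepts all ingress. Policy 2 below
#    already closes the pod (once selected, only listed traffic passes), so
#    this one is redundant while policy 2 exists; it keeps the pod closed if
#    the allow policy is later deleted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: httpd-server-default-deny-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: httpd-server
  policyTypes:
  - Ingress
  # no "ingress:" list at all -> nothing is allowed in
---
# 2. Allow TCP/80 from the client pod in the other namespace only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-ingress-80
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: httpd-server        # the pod being protected, not the client label
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in the SAME list item: both must
    # match, i.e. pods labelled app=myhttpd in namespace client-ns.
    # Splitting them into two "- " items would instead mean
    # "any pod in client-ns OR any app=myhttpd pod in the policy's own
    # namespace", which is a much wider rule than intended.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: client-ns
      podSelector:
        matchLabels:
          app: myhttpd
    ports:
    - protocol: TCP
      port: 80
```

Apply both documents with `kubectl apply -f`, then repeat the `wget --spider --timeout=1 <server-pod-ip>` check from the client pod in `client-ns`; it should succeed, while the same check from a pod in another namespace, or from a pod in `client-ns` without the `app=myhttpd` label, should time out. If the traffic still flows with only the default-deny policy in place, the cluster's CNI plugin does not enforce NetworkPolicy at all (the API server accepts the object regardless), which is the first thing to verify before debugging selectors.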
