堆栈内存溢出
  简体   繁体   English

如何使用网络策略仅允许从特定名称空间访问 pods 到 kubernetes 中的另一个名称空间?

[英]How to use network policy to allow access to pods only from a specific namespace to another in kubernetes?

 原文  2022-12-13 14:38:45       kubernetes/ networking/ policy/ netpol

问题描述

How can I achieve that when obviously you can not use spec.namespaceSelector in the netpol?当您显然不能在 netpol 中使用spec.namespaceSelector时,我该如何实现?

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-ns-netpol
  namespace: special-ns
spec:
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: app
  ingress:
    - from:
      - namespaceSelector:     
          matchLabels:
            kubernetes.io/metadata.name: cka-exam

So, this doesn't work.所以,这是行不通的。

1 个解决方案

解决方案1
 2 已采纳  2022-12-13 15:38:46

The API resource definition you've provided does not appear to be schema compliant.您提供的 API 资源定义似乎不符合架构。 The NetworkPolicySpec in Kubernetes v1.26 shows that the following fields are allowed: [policyTypes, podSelector, egress, ingress] . Kubernetes v1.26 中的NetworkPolicySpec显示允许以下字段: [policyTypes, podSelector, egress, ingress]

I recommend taking a look at the Network Policy documentation.我建议查看网络策略文档。

When you define a Network Policy, you assign it to a Namespace.定义网络策略时,将其分配给命名空间。 You can then narrow that Network Policy to only apply to select Pods (in that Namespace) using the .spec.podSelector property.然后,您可以使用.spec.podSelector属性将该网络策略缩小为仅适用于选择的 Pod(在该命名空间中)。 As the documentation states, "An empty podSelector selects all pods in the namespace."正如文档所述,“一个空的podSelector选择命名空间中的所有 pod。”

This means if you want block all ingress traffic to the Pods in Namespace special-ns , you would assign the Network Policy to the special-ns Namespace and leave the .spec.podSelector property empty so it selects all of the Pods in special-ns .这意味着如果您想阻止所有进入命名空间special-ns中的 Pod 的入口流量,您可以将网络策略分配给special-ns命名空间并将.spec.podSelector属性留空,以便它选择special-ns中的所有 Pod . Without any ingress rules defined, the resource would be the Default deny all ingress traffic definition.如果没有定义任何ingress规则,资源将是默认拒绝所有入口流量定义。

You then use the ingress property to define the restrictions, or rules, on where that incoming traffic can come from.然后,可以使用ingress属性来定义传入流量的来源限制或规则。 It looks like your existing definition is correct, so ingress traffic will only be allowed from Pods that exist in the Namespace cka-exam .看起来您现有的定义是正确的,因此仅允许来自命名空间cka-exam中存在的 Pod 的入口流量。

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-ns-netpol
  namespace: special-ns
spec:
  ingress:
    - from:
      - namespaceSelector:     
          matchLabels:
            kubernetes.io/metadata.name: cka-exam

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 网络策略 - Kubernetes:允许从一个命名空间到侦听一个端口的 Pod 的流量 - network policy - Kubernetes : Allow traffic from one namespace to pods listening on one port 如何在Postgresql中仅允许访问Kubernetes Pod? - How to allow access only for kubernetes pods in postgresql? Kube.netes - 网络策略仅允许命名空间内的端口上的流量 - Kubernetes - Network Policy to allow traffic on port only within a namespace Kubernetes 网络策略,允许在命名空间内通信 - Kubernetes Network Policy, allow communication within namespace 如何允许使用出口网络策略访问 kubernetes api? - How to allow access to kubernetes api using egress network policy? Kubernetes 网络策略 - 允许特定 IP - Kubernetes Network Policy - Allow specific IP 如何从 kubernetes 中的另一个命名空间访问服务 - How to access a service from another namespace in kubernetes Kubernetes如何从另一个命名空间访问服务 - Kubernetes how to access a service from another namespace 如何限制对某些Kubernetes命名空间的访问,仅允许某些Pod进行访问? - How to restrict access to some Kubernetes namespace allowing access only by some pods? 如何使用网络策略停止所有外部流量并仅允许名称空间内的内部Pod网络调用? - How to stop all external traffic and allow only inter pod network call within namespace using network policy?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM