How to use network policy to allow access to pods only from a specific namespace to another in kubernetes?
How can I achieve that when obviously you cannot use spec.namespaceSelector in the netpol?
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-ns-netpol
  namespace: special-ns
spec:
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: app
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: cka-exam
So, this doesn't work.
The API resource definition you've provided does not appear to be schema compliant. The NetworkPolicySpec in Kubernetes v1.26 shows that the following fields are allowed: [policyTypes, podSelector, egress, ingress].
I recommend taking a look at the Network Policy documentation.
When you define a Network Policy, you assign it to a Namespace. You can then narrow that Network Policy to only apply to select Pods (in that Namespace) using the .spec.podSelector property. As the documentation states, "An empty podSelector selects all pods in the namespace."
This means if you want to block all ingress traffic to the Pods in Namespace special-ns, you would assign the Network Policy to the special-ns Namespace and leave the .spec.podSelector property empty so it selects all of the Pods in special-ns. Without any ingress rules defined, the resource would be the Default deny all ingress traffic definition.
You then use the ingress property to define the restrictions, or rules, on where that incoming traffic can come from. It looks like your existing definition is correct, so ingress traffic will only be allowed from Pods that exist in the Namespace cka-exam.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-ns-netpol
  namespace: special-ns
spec:
  # empty selector: the policy applies to every Pod in special-ns
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: cka-exam
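As an added example (not part of the question or the answer), a small Python model of the semantics the answer describes for a single policy: it reports spec fields that NetworkPolicySpec does not define (the question's spec.namespaceSelector) and decides whether a source Pod may reach a Pod in special-ns under the answer's policy, which also shows that Pods inside special-ns itself are not admitted because only the cka-exam Namespace is matched. The policies and all namespace and pod labels are constructed sample data.

```python
"""Toy evaluator for the NetworkPolicy ingress semantics the answer describes.
Added example, not from the original question or answer; the policies, namespace
labels and pod labels below are constructed sample data."""

# Fields NetworkPolicySpec accepts; the question's spec.namespaceSelector is not one of them.
ALLOWED_SPEC_FIELDS = {"policyTypes", "podSelector", "egress", "ingress"}
NS_LABEL = "kubernetes.io/metadata.name"  # label the API server sets on every namespace

def unknown_spec_fields(policy):
    """Keys under .spec that the schema does not define."""
    return sorted(set(policy["spec"]) - ALLOWED_SPEC_FIELDS)

def matches(selector, labels):
    """Standard label-selector semantics: an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policy, src_ns_labels, src_pod_labels, dst_ns, dst_pod_labels):
    """Whether this policy lets traffic from the source pod reach the destination pod.
    Pods the policy does not select are unaffected; selected pods are default-deny
    unless some `from` peer matches the source."""
    spec, pol_ns = policy["spec"], policy["metadata"]["namespace"]
    if dst_ns != pol_ns or not matches(spec.get("podSelector", {}), dst_pod_labels):
        return True  # policy does not apply to this destination pod
    for rule in spec.get("ingress", []):
        if not rule.get("from"):
            return True  # a rule with no `from` admits every source
        for peer in rule["from"]:
            ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
            if ns_sel is not None:
                ns_ok = matches(ns_sel, src_ns_labels)
            else:  # podSelector alone refers only to pods in the policy's own namespace
                ns_ok = src_ns_labels.get(NS_LABEL) == pol_ns
            if ns_ok and matches(pod_sel or {}, src_pod_labels):
                return True
    return False

def answer_policy():
    """The answer's policy: every pod in special-ns accepts ingress only from cka-exam."""
    return {"kind": "NetworkPolicy", "apiVersion": "networking.k8s.io/v1",
            "metadata": {"name": "allow-from-ns-netpol", "namespace": "special-ns"},
            "spec": {"podSelector": {}, "ingress": [{"from": [
                {"namespaceSelector": {"matchLabels": {NS_LABEL: "cka-exam"}}}]}]}}

def question_policy():
    """The question's rejected policy, with namespaceSelector directly under spec."""
    p = answer_policy()
    p["spec"] = {"namespaceSelector": {"matchLabels": {NS_LABEL: "app"}},
                 "ingress": p["spec"]["ingress"]}
    return p
```

Removing the ingress list from answer_policy() gives the default-deny case the answer mentions: every Pod in special-ns is selected and no peer is admitted.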