
unable to connect internet from pod after applying egress network policy in GKE

I have a pod (kubectl run app1 --image tomcat:7.0-slim) in GKE; after applying the egress network policy, the apt-get update command is unable to connect to the internet.

Before applying policy:

[image: enter image description here]

After applying policy:

[image: enter image description here]

This is the policy applied:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app2-np
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: app2
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - {}
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: app3
    ports:
    - port: 8080

  - ports:
    - port: 80
    - port: 53
    - port: 443

Here I am able to connect to port 8080 of the app3 pod in the same namespace. Please help me correct my netpol.

It happens because you are defining the egress rule only for app3 on port 8080, and it will block all internet connection attempts.

If you need to access the internet from some of your pods, you can tag them and create a NetworkPolicy to permit the internet access.

In the example below, the pods with the tag networking/allow-internet-egress: "true" will be able to reach the internet:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-egress
spec:
  podSelector:
    matchLabels:
      networking/allow-internet-egress: "true"
  egress:
  - {}
  policyTypes:
  - Egress

Another option is to allow by IP blocks; in the example below, a rule will allow internet access (0.0.0.0) except for the ipBlock 10.0.0.0/8:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-internet-only
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
      - ipBlock:
          # cidr and except are both fields of ipBlock, so they sit at the same indentation
          cidr: 0.0.0.0/0
          except:
            - 10.0.0.0/8

Finally, on this site you can visualize your NetworkPolicies in a good way to understand the exact behaviour.

References:

https://www.stackrox.com/post/2020/01/kubernetes-egress-network-policies/

Kubernetes networkpolicy allow external traffic to internet only
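An added Python model (not code from the question or the answer) of how Kubernetes evaluates egress rules, applied to the three policies above; the dict encodings and the sample addresses are constructed. It assumes the documented Kubernetes default that a port entry without protocol means TCP, so the asker's port: 53 rule covers TCP/53 only and UDP DNS lookups from app2 are denied, while the answer's two policies allow them.

```python
import ipaddress

# Constructed dict models of the three NetworkPolicy specs on this page
# (only the fields they use; podSelector values stand for matchLabels).
ASKER_POLICY = {
    "podSelector": {"name": "app2"}, "policyTypes": ["Egress", "Ingress"],
    "egress": [
        {"to": [{"podSelector": {"name": "app3"}}], "ports": [{"port": 8080}]},
        {"ports": [{"port": 80}, {"port": 53}, {"port": 443}]},
    ],
}
INTERNET_EGRESS = {
    "podSelector": {"networking/allow-internet-egress": "true"},
    "policyTypes": ["Egress"], "egress": [{}],
}
ALLOW_INTERNET_ONLY = {
    "podSelector": {}, "policyTypes": ["Egress"],
    "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}]}],
}

def selects(selector, labels):
    # matchLabels: every key/value must be present; an empty selector matches all
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, dst):
    # dst is {"labels": {...}} for a pod or {"ip": "a.b.c.d"} for an external host
    if "ipBlock" in peer and "ip" in dst:
        ip, blk = ipaddress.ip_address(dst["ip"]), peer["ipBlock"]
        return (ip in ipaddress.ip_network(blk["cidr"])
                and not any(ip in ipaddress.ip_network(c) for c in blk.get("except", [])))
    if "podSelector" in peer and "labels" in dst:
        return selects(peer["podSelector"], dst["labels"])
    return False

def port_matches(spec, proto, port):
    # Kubernetes defaults protocol to TCP when a port entry omits it
    return spec.get("protocol", "TCP") == proto and spec.get("port") == port

def rule_allows(rule, dst, proto, port):
    # A missing "to" or "ports" list means any destination / any port
    to_ok = "to" not in rule or any(peer_matches(p, dst) for p in rule["to"])
    port_ok = "ports" not in rule or any(port_matches(s, proto, port) for s in rule["ports"])
    return to_ok and port_ok

def egress_allowed(policies, src_labels, dst, proto, port):
    """Pods selected by no Egress policy may talk anywhere; otherwise the rules
    of every selecting policy are OR'd and at least one of them must match."""
    selecting = [p for p in policies if "Egress" in p["policyTypes"]
                 and selects(p["podSelector"], src_labels)]
    return not selecting or any(rule_allows(r, dst, proto, port)
                                for p in selecting for r in p.get("egress", []))
```

Running egress_allowed([ASKER_POLICY], {"name": "app2"}, {"ip": "93.184.216.34"}, "UDP", 53) returns False while the same call with "TCP", 80 returns True, which is the DNS-versus-HTTP split a practitioner should check before blaming the whole egress block.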
