[英]Kubernetes network policy issue- pod selector does not work
經過1小時令人眼花繚亂的調查,我放棄了,來這里尋求幫助。
我正在為自己的 poc 使用 GKE 免費帳戶:
這是網絡策略 yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: access-nginx
spec:
policyTypes:
- Ingress
podSelector:
matchLabels:
season: winter
ingress:
- from:
- podSelector:
matchLabels:
abc: granted
這是吊艙 yaml:
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: my-nginx
season: winter
name: my-nginx
spec:
containers:
- image: nginx
name: pod
ports:
- containerPort: 80
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
after creating both items, I create a curl pod without any label and run: kubectl exec pod/curl -it -- curl 10.0.7.205
the IP address 10.0.7.205
is the IP address for the my-nginx pod.
如果這如我所願,我應該看不到來自 my-NGINX pod 的回復。 但不幸的是,網絡策略似乎根本沒有控制這個 pod 的流量。
任何人?
默認情況下,網絡策略將允許所有流量。 您應該做的是為入口流量配置默認拒絕規則:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
spec:
podSelector: {}
policyTypes:
- Ingress
有關詳細信息,請參閱https://kubernetes.io/docs/concepts/services-networking/network-policies/ 。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.