
Kubernetes network policy not working as expected

Stack Overflow user
Asked on 2021-04-14 14:02:11
1 answer, 221 views, 0 followers, 0 votes

I'm new to Kubernetes and am trying to set up a network policy to protect my API.

Here is my NetworkPolicy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: api
spec:
  podSelector: {}            # empty selector: applies to every pod in the "api" namespace
  policyTypes:
    - Ingress                # only ingress is restricted by this policy
  ingress:
    - from:
      - namespaceSelector:   # matches namespaces that carry the label name=api
          matchLabels:
            name: api
      - namespaceSelector:   # matches namespaces that carry the label name=backend
          matchLabels:
            name: backend
      - podSelector:         # a bare podSelector is scoped to this policy's own namespace ("api")
          matchLabels:
            rule: database
```

In my design, all pods in the "api" namespace should only accept traffic from the namespace api, the namespace backend, and pods with the database rule. But when I add a test namespace and send a request to a pod in the api namespace, the request is not rejected.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test            # the namespace that should not be able to reach "api"
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - name: test
        image: test          # placeholder image name, as posted
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 5000
---
apiVersion: v1
kind: Service
metadata:
  name: test-service
  namespace: test
spec:
  type: NodePort             # reachable from outside the cluster on every node at port 32100
  selector:
    app: test
  ports:
  - port: 5000
    targetPort: 5000
    nodePort: 32100
```

My Ingress:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-backend-service
  namespace: backend
  labels:
    rule: ingress
  annotations:
    kubernetes.io/ingress.class: 'nginx'
    nginx.ingress.kubernetes.io/use-regex: 'true'
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - http:
        paths:
          - path: /api/?(.*)
            pathType: Prefix
            backend:
              service:
                name: chatbot-server   # service in the "backend" namespace; its manifest is not shown
                port:
                  number: 5000
```

One of my APIs:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-worker-deployment
  namespace: api
spec:
  replicas: 1
  selector:
    matchLabels:
      api: redis-worker
  template:
    metadata:
      labels:
        api: redis-worker      # pod label; the NetworkPolicy's empty podSelector covers it anyway
    spec:
      containers:
      - name: redis-worker
        image: redis-worker    # placeholder image name, as posted
        env:
          - name: REDIS_HOST
            value: redis
          - name: REDIS_PORT
            value: "6379"
        resources:
          requests:
            memory: "32Mi"
            cpu: "100m"
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 5000
---
apiVersion: v1
kind: Service
metadata:
  name: redis-worker-service   # resolves as redis-worker-service.api from other namespaces
  namespace: api
  labels:
    rule: api
spec:
  selector:
    api: redis-worker
  ports:
  - port: 5000
    targetPort: 5000
```

My namespaces:

```yaml
# As posted: none of the three namespaces carries any label.
apiVersion: v1
kind: Namespace
metadata:
  name: test
---
apiVersion: v1
kind: Namespace
metadata:
  name: backend
---
apiVersion: v1
kind: Namespace
metadata:
  name: api
```

My code in the test pod:

```python
from flask import Flask
import requests
import config  # the poster's own settings module (HOST, PORT, DEBUG); not shown on the page

app = Flask(__name__)


@app.route('/', methods=['GET', 'POST'])
def hello():
    # Cross-namespace call: <service>.<namespace> resolves through cluster DNS
    x = requests.get("http://redis-worker-service.api:5000").json()
    print(x)
    return x


if __name__ == '__main__':
    app.run(host=config.HOST, port=config.PORT, debug=config.DEBUG)
```

When I go to http://myminikubeip:32100, the request should be rejected, but it isn't.

1 Answer

Stack Overflow user

Accepted answer

Posted on 2021-04-14 14:40:32

Hi everyone, I made a stupid mistake. I forgot to set Minikube's network plugin to use Cilium for NetworkPolicy.

Also, I had not set any egress, so all egress would be denied.

The fixed version:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: api
spec:
  podSelector: {}            # every pod in the "api" namespace
  policyTypes:
    - Ingress
    - Egress                 # egress is now restricted too, so an egress rule is needed
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            purpose: api     # matches the label applied to the "api" namespace below
      - namespaceSelector:
          matchLabels:
            purpose: backend # matches the label applied to the "backend" namespace below
      - podSelector:         # pods labelled rule=database in the "api" namespace itself
          matchLabels:
            rule: database
  egress:
    - {}                     # a single empty rule: allow all egress
```

Also, label the namespaces as follows:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test                 # deliberately left without a label, so it matches no selector
---
apiVersion: v1
kind: Namespace
metadata:
  name: backend
  labels:
    purpose: backend
---
apiVersion: v1
kind: Namespace
metadata:
  name: api
  labels:
    purpose: api
```

Sorry for posting such a stupid question; I hope others can learn from my mistake. My apologies.

helpful link for network-policy

2 votes
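The following Python model is an added example, not code from the question, the answer, or any project. It implements the NetworkPolicy selection rules both posts depend on (matchLabels selectors, namespaceSelector and podSelector peers, policyTypes defaulting, additive rules, ports by number) and evaluates the manifests from the question and the answer offline. The two policies and the namespace and pod labels are transcribed from the page; the chatbot-server and database pods and their labels are assumptions, since the page references them without showing a pod spec. Running it shows three things: a conforming implementation denies the test pod under either version of the policy, so the original symptom can only be a CNI that does not enforce policies, which is what the answer found; the question's `name: api` and `name: backend` selectors match nothing, because namespaceSelector matches namespace labels rather than names and the posted namespaces carry no labels, so even backend and api traffic would have been blocked once enforcement was switched on; and egress is restricted only when Egress is listed in policyTypes, in which case a missing egress section denies every connection while the answer's single empty rule allows all of them.

```python
# Offline model of the NetworkPolicy rules used on this page: matchLabels selectors,
# namespaceSelector/podSelector peers, policyTypes defaulting, ports by number.
# Not modelled: matchExpressions, ipBlock, named ports, endPort.

ORIGINAL_POLICY = {                        # question's policy: namespace labels keyed "name"
    "namespace": "api", "podSelector": {}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [
        {"namespaceSelector": {"matchLabels": {"name": "api"}}},
        {"namespaceSelector": {"matchLabels": {"name": "backend"}}},
        {"podSelector": {"matchLabels": {"rule": "database"}}},
    ]}],
}
FIXED_POLICY = {                           # answer's policy: namespace labels keyed "purpose"
    "namespace": "api", "podSelector": {}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [
        {"namespaceSelector": {"matchLabels": {"purpose": "api"}}},
        {"namespaceSelector": {"matchLabels": {"purpose": "backend"}}},
        {"podSelector": {"matchLabels": {"rule": "database"}}},
    ]}],
    "egress": [{}],                        # one empty rule: allow all egress
}
ORIGINAL_NAMESPACES = {"test": {}, "backend": {}, "api": {}}   # as posted: no labels at all
FIXED_NAMESPACES = {"test": {}, "backend": {"purpose": "backend"}, "api": {"purpose": "api"}}

TEST_POD = {"namespace": "test", "labels": {"app": "test"}}              # from the page
REDIS_WORKER = {"namespace": "api", "labels": {"api": "redis-worker"}}   # from the page
CHATBOT = {"namespace": "backend", "labels": {"app": "chatbot-server"}}  # assumed pod and labels
DATABASE = {"namespace": "api", "labels": {"rule": "database"}}          # assumed pod


def selector_matches(selector, labels):
    """matchLabels: every key must be present with the given value; {} matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def policy_types(policy):
    """Default is Ingress, plus Egress only when an egress section is present."""
    if "policyTypes" in policy:
        return policy["policyTypes"]
    return ["Ingress", "Egress"] if "egress" in policy else ["Ingress"]


def peer_matches(peer, policy_ns, pod, namespaces):
    """One from/to entry. namespaceSelector matches namespace *labels*, never the name;
    a bare podSelector is scoped to the policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                                   # ipBlock peers are not modelled
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces.get(pod["namespace"], {})):
            return False
    elif pod["namespace"] != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, pod["labels"])


def port_matches(rule, port, protocol="TCP"):
    ports = rule.get("ports")
    if not ports:
        return True                                    # no ports listed: any port
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def direction_allowed(direction, policies, namespaces, target, peer, port):
    """'ingress' is evaluated at the destination pod, 'egress' at the source pod."""
    ptype = "Ingress" if direction == "ingress" else "Egress"
    applicable = [p for p in policies
                  if p["namespace"] == target["namespace"]
                  and selector_matches(p["podSelector"], target["labels"])
                  and ptype in policy_types(p)]
    if not applicable:
        return True                                    # pod is not isolated in this direction
    key = "from" if direction == "ingress" else "to"
    for policy in applicable:                          # several policies are additive
        for rule in policy.get(direction) or []:       # no rules at all: deny everything
            peers = rule.get(key) or []                # no peers listed: any peer
            if port_matches(rule, port) and (
                    not peers or any(peer_matches(pe, policy["namespace"], peer, namespaces)
                                     for pe in peers)):
                return True
    return False


def reachable(policies, namespaces, src, dst, port=5000):
    """A connection needs egress allowed at src AND ingress allowed at dst."""
    return (direction_allowed("egress", policies, namespaces, src, dst, port)
            and direction_allowed("ingress", policies, namespaces, dst, src, port))


def summarize(policies, namespaces):
    pairs = {"test->redis-worker": (TEST_POD, REDIS_WORKER), "chatbot->redis-worker": (CHATBOT, REDIS_WORKER),
             "database->redis-worker": (DATABASE, REDIS_WORKER), "redis-worker->database": (REDIS_WORKER, DATABASE),
             "redis-worker->chatbot": (REDIS_WORKER, CHATBOT)}
    return {name: reachable(policies, namespaces, s, d) for name, (s, d) in pairs.items()}


# Variant: Egress listed in policyTypes but no egress section -> every egress connection is denied.
EGRESS_DENY_ALL = {k: v for k, v in FIXED_POLICY.items() if k != "egress"}

if __name__ == "__main__":
    print("question's manifests:", summarize([ORIGINAL_POLICY], ORIGINAL_NAMESPACES))
    print("answer's manifests:", summarize([FIXED_POLICY], FIXED_NAMESPACES))
    print("egress denied when Egress is listed without rules:",
          not direction_allowed("egress", [EGRESS_DENY_ALL], FIXED_NAMESPACES, REDIS_WORKER, CHATBOT, 5000))
```

In a live cluster the equivalent check is a probe pod in the test namespace, for example `kubectl -n test run probe --rm -it --image=busybox --restart=Never -- wget -qO- -T 3 http://redis-worker-service.api:5000`, which should time out once an enforcing CNI such as the answer's Cilium (`minikube start --cni=cilium`) is in place; if it still returns data, the policy is not being enforced, whatever the YAML says. On Kubernetes 1.21 and later the control plane also sets the label `kubernetes.io/metadata.name` on every namespace, so a namespaceSelector can match on that instead of a hand-applied label such as `purpose`.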
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/67086284
