
Kubernetes network policy: allow access from a specific IP

Stack Overflow user
Asked 2020-06-16 12:59:24
Answers: 2  Views: 1.5K  Followers: 0  Votes: 0

I have the following task to perform:

  1. Create a namespace named forensics.
  2. All pods in the forensics namespace should not be able to communicate with the outside world (egress isolation).
  3. Create a pod named investigator in the default namespace; the forensics namespace should only allow connections from the investigator pod's IP.

I created the following YAML to do this.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: forensics
  name: forensics

---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: forensics
  name: forensics
  namespace: forensics
spec:
  containers:
    - command:
        - sleep
        - "10000"
      image: busybox
      name: forensics
      resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: pod1
  name: pod1
  namespace: default
spec:
  containers:
    - command:
        - sleep
        - "10000"
      image: busybox
      name: pod1
      resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: investigator
  name: investigator
  namespace: default
spec:
  containers:
    - command:
        - sleep
        - "10000"
      image: busybox
      name: investigator
      resources: {}
---
# deny all ingress/egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# allow ingress from IP of investigator pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: investigator-network-policy
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.244.0.151/32
```

I can see the policies described as shown:

```text
$ kubectl describe networkpolicy default-deny-ingress -n forensics
Name:         default-deny-ingress
Namespace:    forensics
Created on:   2020-06-16 18:07:21 +0530 IST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress

$ kubectl describe networkpolicy investigator-network-policy -n forensics
Name:         investigator-network-policy
Namespace:    forensics
Created on:   2020-06-16 18:10:49 +0530 IST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      IPBlock:
        CIDR: 10.244.0.151/32
        Except:
  Not affecting egress traffic
  Policy Types: Ingress
```

But I cannot reach the forensics pod from the investigator pod.

```text
akthakur@ninja k get po -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
investigator   1/1     Running   0          20s   10.244.0.151   thinking-3qxqs   <none>           <none>
pod1           1/1     Running   0          20s   10.244.0.232   thinking-3qxqs   <none>           <none>
akthakur@ninja k get po -o wide -n forensics
NAME        READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
forensics   1/1     Running   0          87s   10.244.0.199   thinking-3qxqs   <none>           <none>
```

Ping results (run inside the investigator pod):

```text
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 62:54:37:84:13:42
          inet addr:10.244.0.151  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:447 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1944 (1.8 KiB)  TX bytes:43078 (42.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping 10.244.0.199
PING 10.244.0.199 (10.244.0.199): 56 data bytes
^C
--- 10.244.0.199 ping statistics ---
48 packets transmitted, 0 packets received, 100% packet loss
/ # ping 10.244.0.232
PING 10.244.0.232 (10.244.0.232): 56 data bytes
64 bytes from 10.244.0.232: seq=0 ttl=63 time=0.122 ms
64 bytes from 10.244.0.232: seq=1 ttl=63 time=0.169 ms
64 bytes from 10.244.0.232: seq=2 ttl=63 time=0.151 ms
^C
--- 10.244.0.232 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.122/0.147/0.169 ms
```

What am I doing wrong?


2 Answers

Stack Overflow user

Posted 2020-06-16 14:17:36

Services are one of the mature ways of handling communication between pods. By default, pods can communicate with each other through their IP addresses regardless of the namespace they are in. Check the default policy at the namespace level. By default, if it is not specified during namespace creation, it is set to deny. Change the network policy as shown below to allow traffic from other namespaces.

```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: some-name
  namespace: forensics
spec:
  selector: all()
  types:
  - Ingress
  - Egress
```
Votes: 1

Stack Overflow user

Posted 2021-12-08 13:28:05

You are only allowing ingress traffic but blocking egress traffic. So no received packets return to the investigator pod.

Votes: 0
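A label-based version of the policy set, as an added example that is not code from the original question or from either answer. It addresses both the question's goal (only the investigator pod may reach the forensics namespace, which stays egress-isolated) and the second answer's point about egress. Instead of a /32 ipBlock it selects the investigator pod by namespace and pod label: the Kubernetes NetworkPolicy documentation states that ipBlock is meant for cluster-external addresses, because pod IPs are ephemeral and a network plugin may rewrite the source address before or after policy is evaluated. A third policy adds an equally narrow egress rule from the forensics pods back to the investigator pod, so the setup is correct whether or not the plugin tracks connection state for reply packets, which is the failure mode the second answer describes. Assumptions (not in the original): the namespace and pod names and labels from the question (forensics namespace; investigator pod carrying the label name=investigator in the default namespace), and a Kubernetes release of 1.22 or later, which labels every namespace with kubernetes.io/metadata.name automatically.

```yaml
# Added example (not from the question or the answers). Assumes the objects
# from the question: namespace "forensics", pod "investigator" in namespace
# "default" with label name=investigator, and Kubernetes >= 1.22 so that the
# default namespace carries the automatic label
# kubernetes.io/metadata.name=default.
---
# 1. Isolate every pod in forensics in both directions. A policy that selects
#    pods but lists no ingress/egress rules denies all traffic of those types.
#    This is the "egress isolation" the task asks for.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Re-open ingress only from the investigator pod, chosen by label rather
#    than by its IP, so the policy survives the pod being recreated with a
#    new address. namespaceSelector and podSelector inside ONE "from" entry
#    are ANDed: namespace default AND pod label name=investigator. With no
#    "ports" list the rule matches every protocol, including ICMP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-investigator
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
          podSelector:
            matchLabels:
              name: investigator
---
# 3. Egress from forensics pods is permitted only towards the investigator
#    pod. This keeps the namespace cut off from everything else (including
#    the internet and cluster DNS) while guaranteeing that replies to the
#    investigator are not dropped on a plugin that applies egress policy to
#    them. Drop this policy if the plugin is known to be stateful and the
#    task forbids any egress at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-investigator
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
          podSelector:
            matchLabels:
              name: investigator
```

Apply it with kubectl apply -f and check all three directions, not just the one the question tried: from the investigator pod, ping -c 3 -W 2 against the forensics pod IP should succeed; the same ping from pod1 should time out; and from the forensics pod, a ping to any address outside the cluster should time out. On a cluster older than 1.22, label the namespace yourself (kubectl label namespace default name=default) and select on name: default instead of kubernetes.io/metadata.name. Policies are only enforced if the cluster's network plugin implements NetworkPolicy; if pod1 can still reach the forensics pod after policy 1 is applied, the plugin is not enforcing and no amount of selector tuning will help.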
Original content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://stackoverflow.com/questions/62409104
