Kubernetes NetworkPolicies: connection refused

Reposted. Author: 行者123. Updated: 2023-12-02 11:32:23

I am trying to create the situation shown in the figure.
[figure: intended pod topology, image not available]

kubectl run frontend --image=nginx --labels="app=frontend" --port=30081 --expose
kubectl run backend --image=nginx --labels="app=backend" --port=30082 --expose
kubectl run database --image=nginx --labels="app=database" --port=30082
I created a network policy that should block all ingress and egress access for pods that do not have specific labels defined.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  # A selector may carry the matchLabels key only once, so matching any of
  # the three tiers is expressed with matchExpressions.
  podSelector:
    matchExpressions:
      - key: app
        operator: In
        values: [frontend, backend, database]
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchExpressions:
              - key: app
                operator: In
                values: [frontend, backend, database]
  egress:
    - to:
        - podSelector:
            matchExpressions:
              - key: app
                operator: In
                values: [frontend, backend, database]
    # DNS to any destination: a rule with ports but no "to" peers.
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
I tried connecting to the frontend pod from a pod without labels (command 1) and from a pod with the correct label (command 2), as follows.
  • kubectl run busybox --image=busybox --rm -it --restart=Never -- wget
    -O- http://frontend:30081 --timeout 2
  • kubectl run busybox --image=busybox --rm -it --restart=Never
    --labels=app=frontend -- wget -O- http://frontend:30081 --timeout 2

I expected the first command, without labels, to be blocked and the second to be allowed, but after running the second command I see the output "wget: can't connect to remote host (10.109.223.254): Connection refused". Did I define the network policy incorrectly?
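The following is an added example, not code from the question or the answer. It simulates how a CNI that actually enforces NetworkPolicy would decide each of the connections in the question (the two wget tests, plus DNS and a cross-tier check), so the expected allow/deny outcome can be verified before the policy text is blamed. The pod label sets and ports are constructed to match the question; the kube-dns label is the upstream CoreDNS default; the policy structure is built with a hypothetical helper `policy()` that is assumed here for brevity. It also shows what the posted YAML collapses to when a loader keeps only the last of the repeated `matchLabels` keys.

```python
"""Simulate NetworkPolicy semantics for the frontend/backend/database setup.

Added example (not from the question or answer). Models ingress/egress
isolation the way a policy-enforcing CNI applies it; with a CNI that does
not implement NetworkPolicy, none of this is enforced.
"""

TIERS = ["frontend", "backend", "database"]
TIER_SELECTOR = {"matchExpressions": [{"key": "app", "operator": "In", "values": TIERS}]}
DNS_PORTS = [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]


def policy(selector, peer_selector):
    """Hypothetical builder for the access-nginx policy with the given selectors."""
    return {
        "metadata": {"name": "access-nginx"},
        "spec": {
            "podSelector": selector,
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [{"from": [{"podSelector": peer_selector}]}],
            # Second egress rule has ports but no "to": DNS to any destination.
            "egress": [{"to": [{"podSelector": peer_selector}]}, {"ports": DNS_PORTS}],
        },
    }


# Intended policy: one selector matching any of the three tiers.
ACCESS_NGINX = policy(TIER_SELECTOR, TIER_SELECTOR)
# What the posted YAML becomes when duplicate matchLabels keys collapse to the
# last value: only app=database is selected anywhere.
AS_POSTED_LAST_WINS = policy({"matchLabels": {"app": "database"}},
                             {"matchLabels": {"app": "database"}})

# Constructed label sets for the pods in the question.
FRONTEND, DATABASE = {"app": "frontend"}, {"app": "database"}
BUSYBOX_UNLABELED, BUSYBOX_AS_FRONTEND = {}, {"app": "frontend"}
KUBE_DNS = {"k8s-app": "kube-dns"}  # upstream CoreDNS default label


def selector_matches(selector, labels):
    """Label-selector semantics: empty selector matches every pod, None matches none."""
    if selector is None:
        return False
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and key in labels and labels[key] in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def port_matches(ports, port, protocol):
    """A rule with no ports list matches every port and protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port for p in ports)


def rule_allows(rule, peer_key, peer_labels, port, protocol):
    """A rule with no peers allows every peer; otherwise any listed peer may match."""
    peers = rule.get(peer_key) or []
    peer_ok = not peers or any(selector_matches(p.get("podSelector"), peer_labels) for p in peers)
    return peer_ok and port_matches(rule.get("ports"), port, protocol)


def direction_allowed(policies, pod_labels, direction, peer_labels, port, protocol):
    """A pod is isolated in a direction only if some policy selects it for that
    direction; then at least one rule in any selecting policy must match."""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = []
    for pol in policies:
        spec = pol["spec"]
        # policyTypes default: Ingress always, Egress only when egress rules exist.
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if direction in types and selector_matches(spec["podSelector"], pod_labels):
            selecting.append(spec)
    if not selecting:
        return True
    return any(rule_allows(rule, peer_key, peer_labels, port, protocol)
               for spec in selecting for rule in (spec.get(rules_key) or []))


def connection_allowed(policies, src_labels, dst_labels, port, protocol="TCP"):
    """Both ends must agree: egress at the source and ingress at the destination."""
    return (direction_allowed(policies, src_labels, "Egress", dst_labels, port, protocol)
            and direction_allowed(policies, dst_labels, "Ingress", src_labels, port, protocol))


def expected_outcomes(policies):
    """The question's two wget tests plus DNS and cross-tier checks."""
    return {
        "unlabeled busybox -> frontend:30081": connection_allowed(policies, BUSYBOX_UNLABELED, FRONTEND, 30081),
        "app=frontend busybox -> frontend:30081": connection_allowed(policies, BUSYBOX_AS_FRONTEND, FRONTEND, 30081),
        "frontend -> database:30082": connection_allowed(policies, FRONTEND, DATABASE, 30082),
        "frontend -> kube-dns:53/UDP": connection_allowed(policies, FRONTEND, KUBE_DNS, 53, "UDP"),
        "frontend -> unlabeled pod:80": connection_allowed(policies, FRONTEND, BUSYBOX_UNLABELED, 80),
    }


if __name__ == "__main__":
    for name, pols in (("intended", [ACCESS_NGINX]), ("as posted", [AS_POSTED_LAST_WINS])):
        print(f"--- {name} policy ---")
        for scenario, allowed in expected_outcomes(pols).items():
            print(f"{'ALLOW' if allowed else 'DENY ':5} {scenario}")
```

Two things the simulation makes visible. First, with the intended policy the unlabeled busybox is denied and the app=frontend busybox is allowed (note that the labeled busybox is itself selected by the policy, so its egress must also permit the connection, which the "to" rule does); with the posted, last-key-wins version the frontend is not selected at all and the unlabeled test succeeds. Second, traffic dropped by an enforced NetworkPolicy normally shows up as a wget timeout, not "Connection refused": a refusal means the packet reached the pod and nothing was listening on that port, which is worth checking here because the nginx image listens on port 80 while `kubectl run --port=30081 --expose` creates a Service whose target port is 30081.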

Accepted answer

As stated in the kubernetes documentation on network policies:

Prerequisites

Network policies are implemented by the network plugin. To use network policies, you must be using a networking solution which supports NetworkPolicy. Creating a NetworkPolicy resource without a controller that implements it will have no effect.


As far as I know, the flannel that katacoda uses does not support network policies.
controlplane $ kubectl get pods --namespace kube-system
NAME READY STATUS RESTARTS AGE
coredns-66bff467f8-4tmhm 1/1 Running 0 16m
coredns-66bff467f8-v2dbj 1/1 Running 0 16m
etcd-controlplane 1/1 Running 0 16m
katacoda-cloud-provider-58f89f7d9-brnk2 1/1 Running 8 16m
kube-apiserver-controlplane 1/1 Running 0 16m
kube-controller-manager-controlplane 1/1 Running 0 16m
kube-flannel-ds-amd64-h5lrd 1/1 Running 1 16m
kube-flannel-ds-amd64-sdl4b 1/1 Running 0 16m
kube-keepalived-vip-gkhbz 1/1 Running 0 16m
kube-proxy-6gd8d 1/1 Running 0 16m
kube-proxy-zkldz 1/1 Running 0 16m
kube-scheduler-controlplane 1/1 Running 1 16m
As mentioned here:

Flannel is focused on networking. For network policy, other projects such as Calico can be used.


There is also a nice tutorial showing which CNIs support network policies.
[figure: table of CNI plugins and their NetworkPolicy support, image not available]
So I would say it is not possible on the katacoda playground.

Regarding "Kubernetes NetworkPolicies: connection refused", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/62789400/
