kubernetes - Calico 的 Kubernetes DNS 和 NetworkPolicy 不起作用
问题描述
我有一个运行 Calico 的 Minikube 集群,我正在尝试使 NetworkPolicies 正常工作。这是我的 Pod 和服务:
第一个吊舱(团队-a):
apiVersion: v1
kind: Pod
metadata:
name: team-a
namespace: orga-1
labels:
run: nginx
app: team-a
spec:
containers:
- image: joshrosso/nginx-curl:v2
imagePullPolicy: IfNotPresent
name: nginx
---
apiVersion: v1
kind: Service
metadata:
name: team-a
namespace: orga-1
spec:
ports:
- port: 80
name: http
protocol: TCP
targetPort: 80
selector:
app: team-a
第二个吊舱(团队-b):
apiVersion: v1
kind: Pod
metadata:
name: team-b
namespace: orga-2
labels:
run: nginx
app: team-b
spec:
containers:
- image: joshrosso/nginx-curl:v2
imagePullPolicy: IfNotPresent
name: nginx
---
apiVersion: v1
kind: Service
metadata:
name: team-b
namespace: orga-2
spec:
ports:
- port: 80
name: http
protocol: TCP
targetPort: 80
selector:
app: team-b
当我在 中执行 bash 时team-a
,我无法curl
使用 orga-2.team-b:
dev@ubuntu:~$ kubectl exec -it -n orga-1 team-a /bin/bash
root@team-a:/# curl google.de
//Body removed...
root@team-a:/# curl orga-2.team-b
curl: (6) Could not resolve host: orga-2.team-b
现在我应用了网络策略:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: deny-all-base-rule
namespace: orga-1
spec:
podSelector: {}
policyTypes:
- Ingress
ingress: []
当我现在在 team-a 中 curl google 时,它仍然有效。这是我的豆荚:
kube-system calico-etcd-hbpqc 1/1 Running 0 27m
kube-system calico-kube-controllers-6b86746955-5mk9v 1/1 Running 0 27m
kube-system calico-node-72rcl 2/2 Running 0 27m
kube-system coredns-fb8b8dccf-6j64x 1/1 Running 1 29m
kube-system coredns-fb8b8dccf-vjwl7 1/1 Running 1 29m
kube-system default-http-backend-6864bbb7db-5c25r 1/1 Running 0 29m
kube-system etcd-minikube 1/1 Running 0 28m
kube-system kube-addon-manager-minikube 1/1 Running 0 28m
kube-system kube-apiserver-minikube 1/1 Running 0 28m
kube-system kube-controller-manager-minikube 1/1 Running 0 28m
kube-system kube-proxy-p48xv 1/1 Running 0 29m
kube-system kube-scheduler-minikube 1/1 Running 0 28m
kube-system nginx-ingress-controller-586cdc477c-6rh6w 1/1 Running 0 29m
kube-system storage-provisioner 1/1 Running 0 29m
orga-1 team-a 1/1 Running 0 20m
orga-2 team-b 1/1 Running 0 7m20s
和我的服务:
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 29m
kube-system calico-etcd ClusterIP 10.96.232.136 <none> 6666/TCP 27m
kube-system default-http-backend NodePort 10.105.84.105 <none> 80:30001/TCP 29m
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 29m
orga-1 team-a ClusterIP 10.101.4.159 <none> 80/TCP 8m37s
orga-2 team-b ClusterIP 10.105.79.255 <none> 80/TCP 7m54s
kube-dns 端点可用,服务也可用。
为什么我的网络策略不起作用,为什么 curl 到另一个 pod 不起作用?
解决方案
请运行
curl team-a.orga-1.svc.cluster.local
curl team-b.orga-2.svc.cluster.local
verify entries in 'cat /etc/resolf.conf'
如果您可以到达您的豆荚,请按照本教程进行操作
拒绝所有入口流量:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: orga-1
spec:
podSelector:
matchLabels: {}
policyTypes:
- Ingress
并允许进入 Nginx 的流量:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: access-nginx
namespace: orga-1
spec:
podSelector:
matchLabels:
run: nginx
ingress:
- from:
- podSelector:
matchLabels: {}
您可以在下面找到更多信息:
希望这有帮助。
推荐阅读
- python - 为什么我收到错误消息:“FileExistsError: [WinError 183] 当文件已存在时无法创建文件”?
- javascript - Vue js组件在没有页面刷新的情况下不渲染数据
- android - 无法使用 GSON 解析空白 JSON 字符串
- julia - 修改代码以改进模拟
- android - Wifi 直接连接在 Raspberry Pi 中几秒钟后自动断开连接
- android - 如何将 32 位 .so 文件转换为 64 位 .so 文件用于 android
- java - 我想在 Jframe 中添加带或不带 DB 值的 Dynamic Swing 组件?
- c - 暂停破壳
- angular - 如何使用spring boot后端使角度应用程序仅接收来自局域网的请求?
- python - python - 如何在python中为矩阵或二维数组的每个元素设置特定条件?