Kubernetes NetworkPolicy does not block traffic

Problem description

I have a namespace named test that contains 3 pods: frontend, backend and database.

Here are the pod manifests:

kind: Pod
apiVersion: v1
metadata:
  name: frontend
  namespace: test
  labels:
    app: todo
    tier: frontend
spec:
  containers:
    - name: frontend
      image: nginx

---

kind: Pod
apiVersion: v1
metadata:
  name: backend
  namespace: test
  labels:
    app: todo
    tier: backend
spec:
  containers:
    - name: backend
      image: nginx

---

kind: Pod
apiVersion: v1
metadata:
  name: database
  namespace: test
  labels:
    app: todo
    tier: database
spec:
  containers:
    - name: database
      image: mysql
      env:
      - name: MYSQL_ROOT_PASSWORD
        value: example

I want to implement a network policy that only allows incoming traffic to the database from the backend, but not from the frontend.

Here is my network policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-allow
  namespace: test
spec:
  podSelector:
    matchLabels:
      app: todo
      tier: database
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: todo
          tier: backend
    ports:
    - protocol: TCP
      port: 3306
    - protocol: UDP
      port: 3306

Here is the output of kubectl get pods -n test -o wide:

NAME       READY   STATUS    RESTARTS   AGE   IP           NODE       NOMINATED NODE   READINESS GATES
backend    1/1     Running   0          28m   172.17.0.5   minikube   <none>           <none>
database   1/1     Running   0          28m   172.17.0.4   minikube   <none>           <none>
frontend   1/1     Running   0          28m   172.17.0.3   minikube   <none>           <none>

Here is the output of kubectl get networkpolicy -n test -o wide:

NAME        POD-SELECTOR             AGE
app-allow   app=todo,tier=database   21m

When I run telnet @ip-of-mysql-pod 3306 from the frontend pod, the connection appears to be established and the network policy is not taking effect:

kubectl exec -it pod/frontend bash -n test
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@frontend:/# telnet 172.17.0.4 3306
Trying 172.17.0.4...
Connected to 172.17.0.4.
Escape character is '^]'.
J
8.0.25 k{%J\�#(t%~qI%7caching_sha2_password

Is there something I am missing?

Thanks

Tags: kubernetes, project-calico, kubernetes-networkpolicy

Solution

It looks like you forgot to add a "default deny" policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

The default behaviour of NetworkPolicy is to allow all connections between pods unless explicitly denied.

More details: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
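As an added example that is not part of the original question or answer: a small Python model of how Kubernetes evaluates NetworkPolicy ingress, with the page's three pods and two policies constructed inline. It shows which pod each policy isolates (a pod is isolated for ingress only when some policy with Ingress in policyTypes selects it) and how adding the default-deny policy changes the result for the pods the app-allow policy does not select. Only podSelector/matchLabels, policyTypes and ingress from/ports are modelled; namespaceSelector, ipBlock and egress are assumed absent, as they are in these policies.

```python
# Added example, not code from the original question or answer: a minimal model of
# Kubernetes NetworkPolicy ingress evaluation. Pods and policies are constructed
# inline to mirror the manifests above. Only podSelector/matchLabels, policyTypes
# and ingress from/ports are modelled (no namespaceSelector, ipBlock or egress),
# which is all the policies on this page use.
PODS = {
    "frontend": {"app": "todo", "tier": "frontend"},
    "backend": {"app": "todo", "tier": "backend"},
    "database": {"app": "todo", "tier": "database"},
}

# The questioner's app-allow policy: selects the database pod, allows 3306 from backend.
APP_ALLOW = {
    "podSelector": {"app": "todo", "tier": "database"},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"app": "todo", "tier": "backend"}],
                 "ports": [("TCP", 3306), ("UDP", 3306)]}],
}

# The answer's default-deny-ingress policy: an empty podSelector selects every pod,
# and having no ingress rules means nothing is allowed in.
DEFAULT_DENY_INGRESS = {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []}


def selects(selector, labels):
    """matchLabels semantics: every key must match; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(policies, src, dst, proto, port):
    """Return True if src -> dst on proto/port is permitted by the given policies."""
    # A pod is isolated for ingress only if some policy with Ingress in its
    # policyTypes selects it; otherwise Kubernetes allows all traffic to it.
    isolating = [p for p in policies
                 if "Ingress" in p["policyTypes"] and selects(p["podSelector"], PODS[dst])]
    if not isolating:
        return True
    # Rules are additive across all policies selecting dst: one matching rule suffices.
    for p in isolating:
        for rule in p["ingress"]:
            peer_ok = not rule.get("from") or any(selects(s, PODS[src]) for s in rule["from"])
            port_ok = not rule.get("ports") or (proto, port) in rule["ports"]
            if peer_ok and port_ok:
                return True
    return False
```

If a model like this says a connection should be denied but telnet from the pod still connects, check whether the cluster's network plugin enforces NetworkPolicy at all: the API server stores the objects regardless, and only an enforcing plugin such as Calico applies them (minikube's default bridge networking does not).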
