Kubernetes Network Policies: unable to 'wget' a pod running in a different namespace?
I created two namespaces, 'a' and 'b'.
My file structure is as follows..
on folder a
nginx-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-a
  labels:
    app-tier: UI
  namespace: a
spec:
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
network-policy.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-a
  namespace: a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: b
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: b
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
and applied both yml files using kubectl apply -f
on folder b
nginx-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-b
  labels:
    app-tier: UI
  namespace: b
spec:
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
network-policy.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-b
  namespace: b
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: a
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: a
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
and applied both yml files using kubectl apply -f
Question
So basically I want to allow traffic from namespace a to namespace b and vice versa.
And I have exposed the services using
$ kubectl expose deployment nginx-deployment-b -n b --port=80
$ kubectl expose deployment nginx-deployment-a -n a --port=80
And I have created a busybox in namespace a using
kubectl run myshell --image=busybox -n a --command -- sh -c "sleep 3600"
And I have exec'd into the busybox using
kubectl exec myshell -n a -it -- sh
Now this is the output of wget
/ # wget nginx-deployment-b.b.svc.cluster.local
^Z[5]+ Stopped wget nginx-deployment-b.b.svc.cluster.local
/ # wget nginx-deployment-a.a.svc.cluster.local
^Z[6]+ Stopped wget nginx-deployment-a.a.svc.cluster.local
/ # wget nginx-deployment-a.a.svc
^Z[7]+ Stopped wget nginx-deployment-a.a.svc
/ # wget nginx-deployment-b.b.svc
^Z[8]+ Stopped wget nginx-deployment-b.b.svc
/ #
As you can see, I'm unable to connect either to the service running on namespace a or to the one on b.
What should I do to allow traffic from namespace a to namespace b and vice versa?
Any suggestions or modifications.
Thanks
EDIT-1
NetworkPolicy describe output,
np-a
Name:         np-a
Namespace:    a
Created on:   2020-08-21 18:41:12 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=b
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=b
  Policy Types: Ingress, Egress
np-b
Name:         np-b
Namespace:    b
Created on:   2020-08-21 18:21:07 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=a
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=a
  Policy Types: Ingress, Egress
Service describe output
Name: nginx-deployment-a
Namespace: a
Labels: app-tier=UI
Annotations: <none>
Selector: app-tier=UI
Type: ClusterIP
IP: 10.107.112.202
Port: <unset> 80/TCP
TargetPort: 80/TCP
Endpoints: 10.0.0.147:80
Session Affinity: None
Events: <none>
and
Name: nginx-deployment-b
Namespace: b
Labels: app-tier=UI
Annotations: <none>
Selector: app-tier=UI
Type: ClusterIP
IP: 10.98.228.141
Port: <unset> 80/TCP
TargetPort: 80/TCP
Endpoints: 10.0.0.79:80
Session Affinity: None
Events: <none>
Output of kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
cilium-operator-868c78f7b5-44nhn 0/1 Pending 0 7h58m
cilium-operator-868c78f7b5-jl5cq 1/1 Running 2 7h58m
cilium-qgzxs 1/1 Running 2 7h58m
coredns-66bff467f8-lpck8 1/1 Running 2 8h
etcd-minikube 1/1 Running 1 7h8m
kube-apiserver-minikube 1/1 Running 1 7h8m
kube-controller-manager-minikube 1/1 Running 3 8h
kube-proxy-f9vgr 1/1 Running 2 8h
kube-scheduler-minikube 1/1 Running 2 8h
storage-provisioner 1/1 Running 5 8h
Answer
You need to allow egress on port 53 for DNS resolution:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dns
spec:
  podSelector: {}          # selects every pod in the namespace the policy is applied to
  egress:
  - to:                    # no peers listed: port 53 is allowed to any destination
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress
You can use a separate network policy dedicated to DNS in both namespaces.
Also, when you access a service located in a different namespace, you need to use <servicename>.<namespacename>.svc or <servicename>.<namespacename>.svc.cluster.local.
So the command to access nginx-deployment-b should use nginx-deployment-b.b.svc or nginx-deployment-b.b.svc.cluster.local.
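The allow-list semantics behind the answer, as an added example (this is not code from the question or the answer): a small Python evaluator that models the namespaces, pods and policies posted above and reports which pod-to-pod connections they permit. The pod labels, the CoreDNS pod in kube-system and the `allow-http-to-b` policy are constructed for the example and are not on the page. It reproduces the failure in the question (np-a's egress rule only permits port 53 to namespace b, so the busybox pod's queries to CoreDNS in kube-system are dropped and wget hangs in name resolution) and also shows two things a practitioner would check next: the same egress rule does not permit TCP/80 to namespace b either, so a second egress rule is needed once DNS works, and `namespaceSelector: matchLabels: name: b` only matches when the Namespace object actually carries that label (`kubectl label namespace b name=b`); that label is not set automatically (newer clusters auto-label namespaces with `kubernetes.io/metadata.name`, not `name`).

```python
"""Minimal evaluator for Kubernetes NetworkPolicy allow-list semantics (added example,
not from the question or the answer). Policies are evaluated on pod IPs, i.e. after the
Service ClusterIP has been DNAT'ed to an endpoint, which is how CNI plugins enforce them."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict

@dataclass
class Rule:
    peers: Optional[list] = None  # None = no from/to clause, any peer; else {"namespaceSelector"/"podSelector": ...}
    ports: Optional[list] = None  # None = any port; else (protocol, port) tuples

@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: dict            # matchLabels; {} selects every pod in the namespace
    policy_types: set
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

def labels_match(selector, labels):
    """matchLabels semantics: every selector key/value must be present on the object."""
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, pod, policy_ns, namespaces):
    """Does a from/to peer entry match the given pod?"""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        # namespaceSelector is matched against the labels of the Namespace *object*
        if not labels_match(ns_sel, namespaces.get(pod.namespace, {})):
            return False
        return pod_sel is None or labels_match(pod_sel, pod.labels)
    # a podSelector on its own only reaches pods in the policy's own namespace
    return pod.namespace == policy_ns and labels_match(pod_sel or {}, pod.labels)

def rule_allows(rule, peer_pod, policy_ns, namespaces, protocol, port):
    port_ok = rule.ports is None or (protocol, port) in rule.ports
    peer_ok = rule.peers is None or any(peer_matches(p, peer_pod, policy_ns, namespaces) for p in rule.peers)
    return port_ok and peer_ok

def direction_allowed(pod, peer_pod, direction, policies, namespaces, protocol, port):
    """If no policy of this type selects the pod, everything passes; otherwise some rule
    in some selecting policy must match (policies are additive, never subtractive)."""
    selecting = [p for p in policies if p.namespace == pod.namespace
                 and direction in p.policy_types and labels_match(p.pod_selector, pod.labels)]
    if not selecting:
        return True
    return any(rule_allows(r, peer_pod, p.namespace, namespaces, protocol, port)
               for p in selecting for r in (p.egress if direction == "Egress" else p.ingress))

def connection_allowed(src, dst, protocol, port, policies, namespaces):
    """A flow needs the source's egress AND the destination's ingress to allow it."""
    return (direction_allowed(src, dst, "Egress", policies, namespaces, protocol, port)
            and direction_allowed(dst, src, "Ingress", policies, namespaces, protocol, port))

# --- constructed objects mirroring the thread (pod labels are assumptions) ---
NAMESPACES = {"a": {"name": "a"}, "b": {"name": "b"}, "kube-system": {}}
MYSHELL = Pod("myshell", "a", {"run": "myshell"})
NGINX_B = Pod("nginx-deployment-b", "b", {"app-tier": "UI"})
COREDNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})
DNS_PORTS = [("TCP", 53), ("UDP", 53)]
NP_A = NetworkPolicy("np-a", "a", {}, {"Ingress", "Egress"},
                     ingress=[Rule([{"namespaceSelector": {"name": "b"}}], [("TCP", 80)])],
                     egress=[Rule([{"namespaceSelector": {"name": "b"}}], DNS_PORTS)])
NP_B = NetworkPolicy("np-b", "b", {}, {"Ingress", "Egress"},
                     ingress=[Rule([{"namespaceSelector": {"name": "a"}}], [("TCP", 80)])],
                     egress=[Rule([{"namespaceSelector": {"name": "a"}}], DNS_PORTS)])
# the answer's "dns" policy as applied in namespace a: port 53 egress to any peer
DNS_A = NetworkPolicy("dns", "a", {}, {"Egress"}, egress=[Rule(None, DNS_PORTS)])
# hypothetical extra policy (not on the page): let namespace a reach b on TCP/80
HTTP_A_TO_B = NetworkPolicy("allow-http-to-b", "a", {}, {"Egress"},
                            egress=[Rule([{"namespaceSelector": {"name": "b"}}], [("TCP", 80)])])

def scenario():
    """Verdicts for the checks a practitioner would run, in order."""
    as_posted = [NP_A, NP_B]
    with_dns = as_posted + [DNS_A]
    with_http = with_dns + [HTTP_A_TO_B]
    unlabelled = {ns: {} for ns in NAMESPACES}  # namespaces never labelled name=<ns>
    return {
        "dns_as_posted": connection_allowed(MYSHELL, COREDNS, "UDP", 53, as_posted, NAMESPACES),
        "http_as_posted": connection_allowed(MYSHELL, NGINX_B, "TCP", 80, as_posted, NAMESPACES),
        "dns_with_dns_policy": connection_allowed(MYSHELL, COREDNS, "UDP", 53, with_dns, NAMESPACES),
        "http_with_dns_policy": connection_allowed(MYSHELL, NGINX_B, "TCP", 80, with_dns, NAMESPACES),
        "http_with_egress_80": connection_allowed(MYSHELL, NGINX_B, "TCP", 80, with_http, NAMESPACES),
        "http_unlabelled_namespaces": connection_allowed(MYSHELL, NGINX_B, "TCP", 80, with_http, unlabelled),
    }

if __name__ == "__main__":
    for check, verdict in scenario().items():
        print(f"{check:28s} {'ALLOW' if verdict else 'DENY'}")
```

Run it with plain `python` and it prints one ALLOW/DENY verdict per check. The first two lines are the state in the question (DNS and HTTP both denied by np-a's egress), the third shows the answer's dns policy unblocking resolution, the fourth shows HTTP still denied until a TCP/80 egress rule exists, and the last shows that even the full set of policies denies the flow when the namespaces do not carry the `name` label the selectors rely on. The evaluator deliberately ignores ipBlock peers and named ports, which the thread does not use.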