Kubernetes Network Policies. Unable to 'wget' to a pod running in a different namespace?

I created two namespaces 'a' and 'b'

My file structure is as follows..

In folder a

nginx-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-a
  labels:
    app-tier: UI
  namespace: a
spec:
  
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

network-policy.yml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-a
  namespace: a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: b
  
    ports:
    - protocol: TCP
      port: 80
    
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: b
    
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

and applied both yml files using kubectl apply -f

In folder b

nginx-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-b
  labels:
    app-tier: UI
  namespace: b
spec:
  
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

network-policy.yml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-b
  namespace: b
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: a
    
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: a
    
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

and applied both yml files using kubectl apply -f

Problem

So basically I want to allow traffic from namespace a to namespace b and vice versa.

And I have exposed the services using
$$ kubectl expose deployment nginx-deployment-b -n b --port=80

$$ kubectl expose deployment nginx-deployment-a -n a --port=80

And I have created a busybox in namespace a using
kubectl run myshell --image=busybox -n a --command -- sh -c "sleep 3600"

And I have exec'd into the busybox using
kubectl exec myshell -n a -it -- sh

Now here is the output of wget
/ # wget nginx-deployment-b.b.svc.cluster.local
^Z[5]+  Stopped                    wget nginx-deployment-b.b.svc.cluster.local
/ # wget nginx-deployment-a.a.svc.cluster.local
^Z[6]+  Stopped                    wget nginx-deployment-a.a.svc.cluster.local
/ # wget nginx-deployment-a.a.svc
^Z[7]+  Stopped                    wget nginx-deployment-a.a.svc
/ # wget nginx-deployment-b.b.svc
^Z[8]+  Stopped                    wget nginx-deployment-b.b.svc
/ # 

As you can see, I am unable to connect to the service running on namespace a or on b

What should I do to allow traffic from namespace a to namespace b and vice versa?

Any suggestions or modifications.

Thanks

Edit-1

Network policy description, np-a

Name:         np-a
Namespace:    a
Created on:   2020-08-21 18:41:12 +0530 IST
Labels:       <none>
Annotations:  Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=b
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=b
  Policy Types: Ingress, Egress

np-b

Name:         np-b
Namespace:    b
Created on:   2020-08-21 18:21:07 +0530 IST
Labels:       <none>
Annotations:  Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=a
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=a
  Policy Types: Ingress, Egress

Service description

Name:              nginx-deployment-a
Namespace:         a
Labels:            app-tier=UI
Annotations:       <none>
Selector:          app-tier=UI
Type:              ClusterIP
IP:                10.107.112.202
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.0.0.147:80
Session Affinity:  None
Events:            <none>

Name:              nginx-deployment-b
Namespace:         b
Labels:            app-tier=UI
Annotations:       <none>
Selector:          app-tier=UI
Type:              ClusterIP
IP:                10.98.228.141
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.0.0.79:80
Session Affinity:  None
Events:            <none>

Output of kubectl get pods -n kube-system
NAME                               READY   STATUS    RESTARTS   AGE
cilium-operator-868c78f7b5-44nhn   0/1     Pending   0          7h58m
cilium-operator-868c78f7b5-jl5cq   1/1     Running   2          7h58m
cilium-qgzxs                       1/1     Running   2          7h58m
coredns-66bff467f8-lpck8           1/1     Running   2          8h
etcd-minikube                      1/1     Running   1          7h8m
kube-apiserver-minikube            1/1     Running   1          7h8m
kube-controller-manager-minikube   1/1     Running   3          8h
kube-proxy-f9vgr                   1/1     Running   2          8h
kube-scheduler-minikube            1/1     Running   2          8h
storage-provisioner                1/1     Running   5          8h

You need to allow egress on port 53 for DNS resolution

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dns
spec:
  podSelector: {}
  egress:
  - to:
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

You can use a separate network policy dedicated to DNS in both namespaces.

Also, when you access a service located in a different namespace, you need to use <servicename>.<namespacename>.svc or <servicename>.<namespacename>.svc.cluster.local

So the command to access nginx-deployment-b should use nginx-deployment-b.b.svc or nginx-deployment-b.b.svc.cluster.local
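As an added example (not code from the question or the answer), here is one NetworkPolicy for namespace a that allows the traffic the question asks for: ingress from b on port 80, egress to b on port 80, and egress to the cluster DNS in kube-system, which the question's policy never permitted because its only egress rule allowed port 53 towards namespace b. It assumes the namespaces are labelled name=a, name=b and name=kube-system (the question's selectors match on a name label, so that label has to exist on the namespace objects) and that the CoreDNS pods carry the k8s-app=kube-dns label.

```yaml
# Added example, not from the question or answer. Assumes the namespaces
# are labelled: kubectl label namespace a name=a (likewise b and kube-system).
# A namespaceSelector that matches no labelled namespace allows nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-a
  namespace: a
spec:
  podSelector: {}          # applies to every pod in namespace a
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Pods in b may reach pods in a on TCP/80 (the nginx containerPort).
  - from:
    - namespaceSelector:
        matchLabels:
          name: b
    ports:
    - protocol: TCP
      port: 80
  egress:
  # Pods in a may reach pods in b on TCP/80. The question's policy only
  # allowed port 53 towards b, so the HTTP connection itself was dropped.
  - to:
    - namespaceSelector:
        matchLabels:
          name: b
    ports:
    - protocol: TCP
      port: 80
  # DNS is served from kube-system, not from b, so names such as
  # nginx-deployment-b.b.svc.cluster.local resolve only with this rule.
  # Assumption: CoreDNS pods carry k8s-app=kube-dns (kubeadm/minikube default).
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

The policy for namespace b is the mirror image with a and b swapped; keeping the DNS rule scoped to the kube-dns pods rather than opening port 53 to every destination is what preserves least privilege for egress.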