NetworkPolicy in kubernetes doesn't match on podSelector
I have a simple working NetworkPolicy that looks like this:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: monitoring-network-policy-prometheus-jbn
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app: prometheus
  policyTypes:
  - Egress
  egress:
  - to:
    ports:
    - port: 61678
But now I want to restrict it further. I don't want to allow egress from all pods with the label app: prometheus to every destination on port 61678; I only want to allow traffic to pods with the label k8s-app: aws-node.
So I changed the policy to:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: monitoring-network-policy-prometheus-jbn
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app: prometheus
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          k8s-app: aws-node
According to https://kubernetes.io/docs/concepts/services-networking/network-policies/ a policy that looks like this
  ...
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          user: alice
    - podSelector:
        matchLabels:
          role: client
  ...
is described as "allows connections from Pods in the local Namespace with the label role=client, or from any Pod in any namespace with the label user=alice."
So I thought this would match the pod with the label k8s-app: aws-node in the kube-system namespace, on any port. However, when I try to connect to the pod with that label, I get a timeout.
Here is the pod I am trying to connect to:
kubectl get pods -n kube-system -l k8s-app=aws-node
NAME READY STATUS RESTARTS AGE
aws-node-ngmnd 1/1 Running 0 46h
I am using AWS EKS with the Calico network plugin.
What am I missing here?
This happens because you omitted the namespaceSelector in your manifest. By default, when namespaceSelector is not set, the peer selects the Pods matching PodSelector in the policy's own namespace.
See here:
podSelector
This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
What can you do to fix it? You can set an empty namespaceSelector, according to the documentation:
namespaceSelector
Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
Reference: NetworkPolicyPeer
I reproduced the issue. The documentation is correct, but a bit misleading about where the empty braces should actually go: they should be placed after matchLabels:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: monitoring-network-policy-prometheus-jbn
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app: prometheus
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          k8s-app: aws-node
      namespaceSelector:
        matchLabels: {}
To answer your concern about whether Calico could be causing some issue: in fact it is, but that is how it should be. For network policies to take effect, you need to run a network plugin that enforces them.
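The NetworkPolicyPeer selection rules quoted in the answer, as an added example that is not part of the question or answer: a small Python evaluator of the podSelector / namespaceSelector semantics, run against constructed pod and namespace labels, showing why the podSelector-only peer never selects aws-node in kube-system while the peer with an empty namespaceSelector does. The namespace label values and pod data are constructed for the example.

```python
# Added example, not from the question or answer: evaluates the documented
# NetworkPolicyPeer rules against a candidate pod. Pod/namespace labels are constructed.

def selector_matches(selector, labels):
    """Standard label selector semantics: {} (present but empty) selects everything."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values, present = expr.get("values", []), expr["key"] in labels
        if op == "In" and (not present or labels[key] not in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if (op == "Exists" and not present) or (op == "DoesNotExist" and present):
            return False
    return True

def peer_selects_pod(peer, policy_ns, pod_ns, pod_labels, ns_labels):
    """podSelector alone is scoped to the policy's own namespace; a namespaceSelector
    (even an empty one) widens the scope to the namespaces it matches."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if pod_ns != policy_ns:
            return False          # the case that made the question's policy time out
    elif not selector_matches(ns_sel, ns_labels):
        return False
    if pod_sel is None:
        return True               # namespaceSelector only: every pod in those namespaces
    return selector_matches(pod_sel, pod_labels)

# Constructed data: aws-node runs in kube-system, the policy lives in monitoring.
NS_LABELS = {"kube-system": {"kubernetes.io/metadata.name": "kube-system"},
             "monitoring": {"kubernetes.io/metadata.name": "monitoring"}}
AWS_NODE = ("kube-system", {"k8s-app": "aws-node"})
ORIGINAL_PEER = {"podSelector": {"matchLabels": {"k8s-app": "aws-node"}}}
FIXED_PEER = {"podSelector": {"matchLabels": {"k8s-app": "aws-node"}},
              "namespaceSelector": {"matchLabels": {}}}

def check(peer, pod=AWS_NODE, policy_ns="monitoring"):
    pod_ns, pod_labels = pod
    return peer_selects_pod(peer, policy_ns, pod_ns, pod_labels, NS_LABELS[pod_ns])

if __name__ == "__main__":
    print("original peer selects aws-node:", check(ORIGINAL_PEER))  # False
    print("fixed peer selects aws-node:", check(FIXED_PEER))        # True
```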