Kubernetes 网络策略未按预期工作

Kubernetes network policy doesn't work as expected

我是 Kubernetes 的新手,尝试设置网络策略来保护我的 api。

这是我的网络 NetworkPolicy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: api
spec:
  podSelector: {}

  policyTypes:
    - Ingress
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: api
      - namespaceSelector:
          matchLabels:
            name: backend
      - podSelector:
          matchLabels:
            rule: database
        

在我的设计中,命名空间“api”中的所有 pods 仅允许从 namespace:api、namespace:backend 和 pods 进入数据库规则. 但是,当我添加测试命名空间并向 namespace:api 中的 pods 发送请求时,它不会拒绝该请求。

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - name: test
        image: test
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 5000


---

apiVersion: v1
kind: Service
metadata:
  name: test-service
  namespace: test
spec:
  type: NodePort
  selector:
    app: test
  ports:
  - port: 5000
    targetPort: 5000
    nodePort: 32100

我的入口:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-backend-service
  namespace: backend
  labels:
    rule: ingress
  annotations:
    kubernetes.io/ingress.class: 'nginx'
    nginx.ingress.kubernetes.io/use-regex: 'true'
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - http:
        paths:
          - path: /api/?(.*)
            pathType: Prefix
            backend:
              service:
                name: chatbot-server
                port:
                  number: 5000

我的一个 api:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-worker-deployment
  namespace: api
spec:
  replicas: 1
  selector:
    matchLabels:
      api: redis-worker
  template:
    metadata:
      labels:
        api: redis-worker
    spec:
      containers:
      - name: redis-worker
        image: redis-worker
        env:
          - name: REDIS_HOST
            value: redis
          - name: REDIS_PORT
            value: "6379"
        resources:
          requests:
            memory: "32Mi"
            cpu: "100m"
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 5000

---

apiVersion: v1
kind: Service
metadata:
  name: redis-worker-service
  namespace: api
  labels:
    rule: api
spec:
  selector:
    api: redis-worker 
  ports:
  - port: 5000
    targetPort: 5000

我的命名空间:

apiVersion: v1
kind: Namespace
metadata:
  name: test

--- 

apiVersion: v1
kind: Namespace
metadata:
  name: backend

---

apiVersion: v1
kind: Namespace
metadata:
  name: api

我在测试 pod 中的代码

from flask import Flask, url_for, request, jsonify
import requests
import config
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def hello():
    x = requests.get("http://redis-worker-service.api:5000").json()
    print(x)
    return x
if __name__ == '__main__':
    app.run(host=config.HOST, port=config.PORT, debug=config.DEBUG)

当我访问 http://myminikubeip:32100 时,请求应该被拒绝但是它不起作用

大家好,我犯了愚蠢的错误。我忘记为 Minikube 设置网络插件 Use Cilium for NetworkPolicy

此外,我没有设置任何出口,因此所有出口都将被拒绝。

固定一个:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: api
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            purpose: api
      - namespaceSelector:
          matchLabels:
            purpose: backend
      - podSelector:
          matchLabels:
            rule: database
  egress:
    - {}

另外,为命名空间设置标签如下

apiVersion: v1
kind: Namespace
metadata:
  name: test

--- 

apiVersion: v1
kind: Namespace
metadata:
  name: backend
  labels:
    purpose: backend

---

apiVersion: v1
kind: Namespace
metadata:
  name: api
  labels:
    purpose: api

我很抱歉 post 这么愚蠢的问题,我希望其他人可以从我的错误中吸取教训.. 很抱歉

helpful link for network-policy