Kubernetes 网络策略未按预期工作
Kubernetes network policy doesn't work as expected
我是 Kubernetes 的新手,尝试设置网络策略来保护我的 api。
这是我的网络 NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-network-policy
namespace: api
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: api
- namespaceSelector:
matchLabels:
name: backend
- podSelector:
matchLabels:
rule: database
在我的设计中,命名空间“api”中的所有 pods 仅允许从 namespace:api、namespace:backend 和 pods 进入数据库规则.
但是,当我添加测试命名空间并向 namespace:api 中的 pods 发送请求时,它不会拒绝该请求。
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-deployment
namespace: test
spec:
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
containers:
- name: test
image: test
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 5000
---
apiVersion: v1
kind: Service
metadata:
name: test-service
namespace: test
spec:
type: NodePort
selector:
app: test
ports:
- port: 5000
targetPort: 5000
nodePort: 32100
我的入口:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-backend-service
namespace: backend
labels:
rule: ingress
annotations:
kubernetes.io/ingress.class: 'nginx'
nginx.ingress.kubernetes.io/use-regex: 'true'
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /api/?(.*)
pathType: Prefix
backend:
service:
name: chatbot-server
port:
number: 5000
我的一个 api:
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis-worker-deployment
namespace: api
spec:
replicas: 1
selector:
matchLabels:
api: redis-worker
template:
metadata:
labels:
api: redis-worker
spec:
containers:
- name: redis-worker
image: redis-worker
env:
- name: REDIS_HOST
value: redis
- name: REDIS_PORT
value: "6379"
resources:
requests:
memory: "32Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 5000
---
apiVersion: v1
kind: Service
metadata:
name: redis-worker-service
namespace: api
labels:
rule: api
spec:
selector:
api: redis-worker
ports:
- port: 5000
targetPort: 5000
我的命名空间:
apiVersion: v1
kind: Namespace
metadata:
name: test
---
apiVersion: v1
kind: Namespace
metadata:
name: backend
---
apiVersion: v1
kind: Namespace
metadata:
name: api
我在测试 pod 中的代码
from flask import Flask, url_for, request, jsonify
import requests
import config
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def hello():
x = requests.get("http://redis-worker-service.api:5000").json()
print(x)
return x
if __name__ == '__main__':
app.run(host=config.HOST, port=config.PORT, debug=config.DEBUG)
当我访问 http://myminikubeip:32100 时,请求应该被拒绝但是它不起作用
大家好,我犯了愚蠢的错误。我忘记为 Minikube 设置网络插件 Use Cilium for NetworkPolicy
此外,我没有设置任何出口,因此所有出口都将被拒绝。
固定一个:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-network-policy
namespace: api
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
purpose: api
- namespaceSelector:
matchLabels:
purpose: backend
- podSelector:
matchLabels:
rule: database
egress:
- {}
另外,为命名空间设置标签如下
apiVersion: v1
kind: Namespace
metadata:
name: test
---
apiVersion: v1
kind: Namespace
metadata:
name: backend
labels:
purpose: backend
---
apiVersion: v1
kind: Namespace
metadata:
name: api
labels:
purpose: api
我很抱歉 post 这么愚蠢的问题,我希望其他人可以从我的错误中吸取教训.. 很抱歉
我是 Kubernetes 的新手,尝试设置网络策略来保护我的 api。
这是我的网络 NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-network-policy
namespace: api
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: api
- namespaceSelector:
matchLabels:
name: backend
- podSelector:
matchLabels:
rule: database
在我的设计中,命名空间“api”中的所有 pods 仅允许从 namespace:api、namespace:backend 和 pods 进入数据库规则. 但是,当我添加测试命名空间并向 namespace:api 中的 pods 发送请求时,它不会拒绝该请求。
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-deployment
namespace: test
spec:
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
containers:
- name: test
image: test
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 5000
---
apiVersion: v1
kind: Service
metadata:
name: test-service
namespace: test
spec:
type: NodePort
selector:
app: test
ports:
- port: 5000
targetPort: 5000
nodePort: 32100
我的入口:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-backend-service
namespace: backend
labels:
rule: ingress
annotations:
kubernetes.io/ingress.class: 'nginx'
nginx.ingress.kubernetes.io/use-regex: 'true'
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /api/?(.*)
pathType: Prefix
backend:
service:
name: chatbot-server
port:
number: 5000
我的一个 api:
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis-worker-deployment
namespace: api
spec:
replicas: 1
selector:
matchLabels:
api: redis-worker
template:
metadata:
labels:
api: redis-worker
spec:
containers:
- name: redis-worker
image: redis-worker
env:
- name: REDIS_HOST
value: redis
- name: REDIS_PORT
value: "6379"
resources:
requests:
memory: "32Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 5000
---
apiVersion: v1
kind: Service
metadata:
name: redis-worker-service
namespace: api
labels:
rule: api
spec:
selector:
api: redis-worker
ports:
- port: 5000
targetPort: 5000
我的命名空间:
apiVersion: v1
kind: Namespace
metadata:
name: test
---
apiVersion: v1
kind: Namespace
metadata:
name: backend
---
apiVersion: v1
kind: Namespace
metadata:
name: api
我在测试 pod 中的代码
from flask import Flask, url_for, request, jsonify
import requests
import config
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def hello():
x = requests.get("http://redis-worker-service.api:5000").json()
print(x)
return x
if __name__ == '__main__':
app.run(host=config.HOST, port=config.PORT, debug=config.DEBUG)
当我访问 http://myminikubeip:32100 时,请求应该被拒绝但是它不起作用
大家好,我犯了愚蠢的错误。我忘记为 Minikube 设置网络插件 Use Cilium for NetworkPolicy
此外,我没有设置任何出口,因此所有出口都将被拒绝。
固定一个:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-network-policy
namespace: api
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
purpose: api
- namespaceSelector:
matchLabels:
purpose: backend
- podSelector:
matchLabels:
rule: database
egress:
- {}
另外,为命名空间设置标签如下
apiVersion: v1
kind: Namespace
metadata:
name: test
---
apiVersion: v1
kind: Namespace
metadata:
name: backend
labels:
purpose: backend
---
apiVersion: v1
kind: Namespace
metadata:
name: api
labels:
purpose: api
我很抱歉 post 这么愚蠢的问题,我希望其他人可以从我的错误中吸取教训.. 很抱歉