How to allow traffic from some IP ranges to an AKS external load balancer
I am trying to allow traffic only from some IP ranges to the load balancer in AKS, so I am trying to use Calico's GlobalNetworkPolicy, but it does not work. What am I doing wrong?
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: deny-lb-port-80
spec:
  applyOnForward: true
  preDNAT: true
  ingress:
    - action: Log
    - action: Deny
      destination:
        nets:
          - balancerIP          # placeholder in the original post
        ports:
          - 80
      protocol: TCP
      source: {}
  order: 800
  types:
    - Ingress
---
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allowlist
spec:
  applyOnForward: true
  preDNAT: true
  ingress:
    - action: Log
    - action: Allow
      destination:
        nets:
          - balancerip          # placeholder in the original post
        ports:
          - 80
      protocol: TCP
      source:
        nets:
          - allowedipranges     # placeholder in the original post
  order: 500
  types:
    - Ingress
Usually I use a GlobalNetworkPolicy to deny ingress globally, and then override the GlobalNetworkPolicy inside a namespace with a Kubernetes NetworkPolicy:
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: default-global-deny-all-ingress
spec:
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "tigera-operator"}
  order: 3000  # Calico gives Kubernetes NetworkPolicies order 1000, so they are evaluated before this policy
  types:
    - Ingress
  ingress:
    # allow traffic to the Kubernetes Metrics Server (metrics collection)
    - action: Allow
      protocol: TCP
      destination:
        selector: 'k8s-app == "metrics-server"'
        ports:
          - 443
    # deny all other ingress
    - action: Deny
      source:
        nets:
          - 0.0.0.0/0
A Kubernetes NetworkPolicy, for example one that allows the nginx ingress controller to be reached from the internet:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-allow-internet
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  ingress:
    # allow ingress from the internet
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
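The NetworkPolicy in the answer opens the ingress controller to 0.0.0.0/0, while the question asks to admit only specific ranges. The following is an added example, not part of the original answer, that keeps the same global-deny-plus-namespace-override pattern but restricts the override to an allow list, and goes one step further by also configuring the Service that fronts the controller. The ranges 203.0.113.0/24 and 198.51.100.0/24 are documentation placeholders standing in for the allowedipranges of the question, the Service name ingress-nginx-controller and port 443 are assumptions, and the rest of the layout is the page's own (namespace ingress-nginx, label app.kubernetes.io/name: ingress-nginx). Two points the pattern depends on: an ipBlock in a NetworkPolicy matches the source address the pod actually sees, so the Service must use externalTrafficPolicy: Local, otherwise kube-proxy SNATs external traffic to a node address before it reaches the pod and the allow list never matches; and on AKS the same list can be enforced earlier, at the Azure load balancer's network security group, with loadBalancerSourceRanges. The question's preDNAT: true policies are a different mechanism: Calico applies pre-DNAT policy only to host endpoints, so such a policy matches nothing unless HostEndpoint resources exist for the nodes.

```yaml
# Added example (not from the original answer): global deny stays as in the
# answer; this Service and NetworkPolicy replace the 0.0.0.0/0 override with
# an allow list. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for the real allowed ranges; the Service name is assumed.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller   # assumed name
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
  # Local preserves the client's source address. With the default (Cluster),
  # kube-proxy SNATs to a node address and the ipBlock rules below never match.
  externalTrafficPolicy: Local
  # Same allow list enforced at the Azure load balancer's NSG, before the
  # packet reaches any node.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
    - 198.51.100.0/24
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
    - name: https                  # assumed: controller also serves TLS
      port: 443
      targetPort: https
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-allow-listed-ranges
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  policyTypes:
    - Ingress
  ingress:
    # Only the listed ranges may reach the controller pods on 80 and 443.
    # Anything else is denied: first by this policy (a selected pod accepts
    # only what some NetworkPolicy allows), then by the global deny above.
    - from:
        - ipBlock:
            cidr: 203.0.113.0/24
        - ipBlock:
            cidr: 198.51.100.0/24
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
```

Apply with kubectl apply -f and check the result from an address inside and one outside the listed ranges: the outside client should time out at the load balancer (NSG rule) rather than reach the node, and if loadBalancerSourceRanges is removed for testing, the NetworkPolicy alone should still drop it, which shows in the Calico Log rule output if one is kept as in the question's policy.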