我在 prod 命名空间中的集群中只有一个网络策略,该策略仅允许入口规则。网络插件是 weave-net。没有为 Egress 配置任何规则,因此我预计出口流量将被阻止。但直到我重新启动网络守护程序集 pod,该规则才生效。我知道根据最佳实践,我应该有默认的入口和出口规则。但我想了解这种行为的原因。重新启动网络插件 pod 是否始终需要此步骤?
1. 网络策略定义
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: prod
spec:
ingress:
- {}
podSelector:
matchLabels:
run: prod-nginx
policyTypes:
- Ingress
- Egress
2. 检查 netpol 对象
Name: test-network-policy
Namespace: prod
Created on: 2021-06-06 10:16:50 +0000 UTC
Labels: <none>
Annotations: <none>
Spec:
PodSelector: run=prod-nginx
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From: <any> (traffic not restricted by source)
Allowing egress traffic:
<none> (Selected pods are isolated for egress connectivity)
Policy Types: Ingress, Egress
3. 测试到 nginx 服务器的出口流量(这在我的理解中是出乎意料的)
笔记:10.39.0.5 是在 'test' 命名空间中运行的 nginx 服务器的 IP
Command : kubectl -n prod exec -it prod-nginx -- curl http://10.39.0.5 | grep successfully #egress
Response: <p>If you see this page, the nginx web server is successfully installed and
4. 重启 weave-net pods
5. 重新测试与同一 nginx 服务器的出口连接(预期)
笔记:10.39.0.5 是在 'test' 命名空间中运行的 nginx 服务器的 IP
Command: kubectl -n prod exec -it prod-nginx -- curl http://10.39.0.5 | grep successfully #egress**
Response: No connection
答案1
我想向您展示,weave-net
无需重新启动 Pod 即可NetworkPolicy
生效。
您的test-network-policy
NetworkPolicy
标签应用于命名空间run=prod-nginx
中的Pod prod
,并允许所有入口流量并拒绝所有出口流量。
我将创建一个示例来说明它是如何工作的。
首先,我创建了prod-nginx
& prod-test
Pods 并在没有部署的情况下测试了连接性NetworkPolicy
:
# kubectl run prod-nginx --image=nginx -n prod
pod/prod-nginx created
# kubectl run prod-test --image=nginx -n prod
pod/prod-test created
# kubectl get pod -o wide -n prod
NAME READY STATUS RESTARTS AGE IP LABELS
prod-nginx 1/1 Running 0 37s 10.44.0.1 run=prod-nginx
prod-test 1/1 Running 0 11s 10.44.0.2 run=prod-test
# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.1 | grep -i success
<p>If you see this page, the nginx web server is successfully installed and
# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.2 | grep -i success
<p>If you see this page, the nginx web server is successfully installed and
一切正常,所以让我们部署test-network-policy
NetworkPolicy
并再次测试:
# cat netpol.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: prod
spec:
ingress:
- {}
podSelector:
matchLabels:
run: prod-nginx
policyTypes:
- Ingress
- Egress
# kubectl apply -f netpol.yml
networkpolicy.networking.k8s.io/test-network-policy created
我们可以看到该prod-nginx
Pod无法连接到其他Pod但是可以连接到自身:
笔记:Pod 不能阻止对其自身的访问(参见:网络策略文檔
# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.1 | grep -i success
<p>If you see this page, the nginx web server is successfully installed and
# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.2 | grep -i success
command terminated with exit code 7
现在让我们stage-nginx
在命名空间中创建一个 Pod stage
,并检查该prod-nginx
Pod 是否可以连接到它:
# kubectl run stage-nginx --image=nginx -n stage
pod/stage-nginx created
# kubectl get pod -o wide -n stage
NAME READY STATUS RESTARTS AGE IP
stage-nginx 1/1 Running 0 20s 10.44.0.6
# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.6 | grep -i success
command terminated with exit code 7
我们已经验证出口规则正常工作,并且weave-net
不需要重新启动 Pod。