问题描述
我有一个命名空间:test
,包含 3 个 pod:frontend
、backend
和 database
。
这是 Pod 的清单:
kind: Pod
apiVersion: v1
Metadata:
name: frontend
namespace: test
labels:
app: todo
tier: frontend
spec:
containers:
- name: frontend
image: Nginx
---
kind: Pod
apiVersion: v1
Metadata:
name: backend
namespace: test
labels:
app: todo
tier: backend
spec:
containers:
- name: backend
image: Nginx
---
kind: Pod
apiVersion: v1
Metadata:
name: database
namespace: test
labels:
app: todo
tier: database
spec:
containers:
- name: database
image: MysqL
env:
- name: MysqL_ROOT_PASSWORD
value: example
我将实施一个网络策略,只允许从后端到数据库的传入流量,但不允许来自前端的传入流量。
这是我的网络政策:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
Metadata:
name: app-allow
namespace: test
spec:
podSelector:
matchLabels:
app: todo
tier: database
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: todo
tier: backend
ports:
- protocol: TCP
port: 3306
- protocol: UDP
port: 3306
这是kubectl get pods -n test -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READInesS GATES
backend 1/1 Running 0 28m 172.17.0.5 minikube <none> <none>
database 1/1 Running 0 28m 172.17.0.4 minikube <none> <none>
frontend 1/1 Running 0 28m 172.17.0.3 minikube <none> <none>
这是kubectl get networkpolicy -n test -o wide
NAME POD-SELECTOR AGE
app-allow app=todo,tier=database 21m
当我从 telnet @ip-of-MysqL-pod 3306
pod 执行 frontend
时,连接看起来已经建立并且网络策略不起作用
kubectl exec -it pod/frontend bash -n test
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@frontend:/# telnet 172.17.0.4 3306
Trying 172.17.0.4...
Connected to 172.17.0.4.
Escape character is '^]'.
J
8.0.25 k{%J\�#(t%~qI%7caching_sha2_password
有什么我想念的吗?
谢谢
解决方法
您似乎忘记添加“默认拒绝”策略:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
spec:
podSelector: {}
policyTypes:
- Ingress
NetworkPolicy
的默认行为是允许 Pod 之间的所有连接,除非明确拒绝。