Kubernetes网络策略无法“知道”运行在不同名称空间上的Pod?

编程问答 2022-08-15

问题描述

我创建了两个名为'a'和'b'的命名空间

我具有如下文件结构。

on folder a

nginx-deployment.yml 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-a
  labels:
    app-tier: UI
  namespace: a
spec:
  
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

network-policy.yml 

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-a
  namespace: a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: b
  
    ports:
    - protocol: TCP
      port: 80
    
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: b
    
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

并使用kubectl apply -f

应用了这两个yml文件

on folder b

nginx-deployment.yml 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-b
  labels:
    app-tier: UI
  namespace: b
spec:
  
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

network-policy.yml 

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-b
  namespace: b
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: a
    
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: a
    
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

并使用kubectl apply -f

应用了这两个yml文件

问题

所以基本上我想允许从名称空间 a 到名称空间 b 的流量,反之亦然。

我已经使用公开了服务

$$ kubectl expose deployment nginx-deployment-b -n b --port=80

$$ kubectl expose deployment nginx-deployment-a -n a --port=80

我已经使用

在名称空间 a 中创建了busybox 
kubectl run myshell --image=busybox -n a --command -- sh -c "sleep 3600"

我已经使用exec进入busybox 

kubectl exec myshell -n a -it -- sh

现在这是 wget

的输出 
/ # wget nginx-deployment-b.b.svc.cluster.local
^Z[5]+  Stopped                    wget nginx-deployment-b.b.svc.cluster.local
/ # wget nginx-deployment-a.a.svc.cluster.local
^Z[6]+  Stopped                    wget nginx-deployment-a.a.svc.cluster.local
/ # wget nginx-deployment-a.a.svc
^Z[7]+  Stopped                    wget nginx-deployment-a.a.svc
/ # wget nginx-deployment-b.b.svc
^Z[8]+  Stopped                    wget nginx-deployment-b.b.svc
/ #

您会看到我无法连接到在名称空间 a b

上运行的服务

我该怎么做才能允许从名称空间 a 到名称空间 b 的流量,反之亦然?

任何建议或修改。

谢谢

edit-1

网络政策说明, np-a 

Name:         np-a
Namespace:    a
Created on:   2020-08-21 18:41:12 +0530 IST
Labels:       <none>
Annotations:  Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=b
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=b
  Policy Types: Ingress,Egress

np-b 

Name:         np-b
Namespace:    b
Created on:   2020-08-21 18:21:07 +0530 IST
Labels:       <none>
Annotations:  Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=a
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=a
  Policy Types: Ingress,Egress

服务说明

Name:              nginx-deployment-a
Namespace:         a
Labels:            app-tier=UI
Annotations:       <none>
Selector:          app-tier=UI
Type:              ClusterIP
IP:                10.107.112.202
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.0.0.147:80
Session Affinity:  None
Events:            <none>


Name:              nginx-deployment-b
Namespace:         b
Labels:            app-tier=UI
Annotations:       <none>
Selector:          app-tier=UI
Type:              ClusterIP
IP:                10.98.228.141
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.0.0.79:80
Session Affinity:  None
Events:            <none>

kubectl get pods -n kube-system

的输出 
NAME                               READY   STATUS    RESTARTS   AGE
cilium-operator-868c78f7b5-44nhn   0/1     Pending   0          7h58m
cilium-operator-868c78f7b5-jl5cq   1/1     Running   2          7h58m
cilium-qgzxs                       1/1     Running   2          7h58m
coredns-66bff467f8-lpck8           1/1     Running   2          8h
etcd-minikube                      1/1     Running   1          7h8m
kube-apiserver-minikube            1/1     Running   1          7h8m
kube-controller-manager-minikube   1/1     Running   3          8h
kube-proxy-f9vgr                   1/1     Running   2          8h
kube-scheduler-minikube            1/1     Running   2          8h
storage-provisioner                1/1     Running   5          8h

解决方法

您需要允许端口53上的出口进行DNS解析

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dns
spec:
  podSelector: {}
  egress:
  - to:
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

在两个专用于DNS的名称空间中,您都可以像上面一样使用单独的网络策略。

另外,当您访问位于不同名称空间中的服务时,您需要使用<servicename>.<namespacename>.svc<servicename>.<namespacename>.svc.cluster.local

因此,访问nginx-deployment-b的命令应为nginx-deployment-b.b.svcnginx-deployment-b.b.svc.cluster.local

kuberneteskubernetes-ingresskubernetes-networkingkubernetes-networkpolicykubernetes-pod

相关问答

导入项目后报错问题
依赖报错 idea导入项目后依赖报错,解决方案:https://blog....
idea不能识别yaml文件
使用mybatis plus常见错误
错误1:代码生成器依赖和mybatis依赖冲突 启动项目时报错如下...
gradle常见问题与错误
错误1:gradle项目控制台输出为乱码 # 解决方案:https://bl...
Mybatis Plus传入参数0不起作用
错误还原:在查询的过程中,传入的workType为0时,该条件不起...
linux中make编译源码包失败
报错如下,gcc版本太低 ^ server.c:5346:31: 错误:‘struct...