Kubernetes networking / network policies

★When using nslookup, use the following image.
Download: wget https://kubernetes.io/examples/admin/dns/busybox.yaml

apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - name: busybox
    image: busybox:1.28        # the image used by the Kubernetes DNS debugging docs
    command:                   # keep the pod alive so we can exec into it
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
  restartPolicy: Always

▪Look up a service's IP with nslookup: kubectl exec -it busybox -- nslookup my-svc

★【Network Policy】
Policies are split into Ingress and Egress control; both are whitelists (allow-lists): once a pod is selected by a policy of a given type, only traffic matching a rule is permitted.
•Ingress controls inbound requests to the selected pods
•Egress controls outbound requests from the selected pods

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:               # the pods this policy applies to (role=db in this namespace)
    matchLabels:
      role: db
  policyTypes:               # isolate the selected pods for both directions
  - Ingress
  - Egress
  ingress:
  - from:                    # each entry is ORed; the rule matches if any entry matches
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:           # pods in this policy's own namespace
        matchLabels:
          role: frontend
    ports:                   # only TCP 6379 from the sources above is allowed in
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:                   # only TCP 5978 to 10.0.0.0/24 is allowed out
    - protocol: TCP
      port: 5978

★Deny all inbound requests

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress   # distinct name so it can coexist with the egress deny policy
spec:
  podSelector: {}              # selects every pod in the namespace
  policyTypes:
  - Ingress                    # Ingress type with no ingress rules = nothing is allowed in

★Allow all inbound requests

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - {}                         # an empty rule matches every source and every port

★Deny all outbound requests

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress    # distinct name so it can coexist with the ingress deny policy
spec:
  podSelector: {}
  policyTypes:
  - Egress                     # Egress type with no egress rules = nothing is allowed out (DNS included)

★Allow all outbound requests

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress       # was named default-deny in the original, which would overwrite the deny policy
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - {}                         # an empty rule matches every destination and every port
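As an added example (not part of the original post), the following Python evaluates the ingress whitelist semantics described above: a pod selected by any policy whose policyTypes include Ingress becomes isolated, an unselected pod accepts everything, and an isolated pod only accepts traffic matching some from/ports rule (an empty `{}` rule matches all). The policy and pod data are constructed inline; the `ip`/`ns`/`labels`/`ns_labels` fields of the pod dicts are this example's own convention, not Kubernetes API objects.

```python
from ipaddress import ip_address, ip_network
def selects(selector, labels):
    # An empty selector ({}) matches every pod; every matchLabels entry must be present.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, policy_ns):
    # One 'from' entry: ipBlock is checked against the source IP honouring 'except';
    # a podSelector without a namespaceSelector only matches pods in the policy's own namespace.
    if "ipBlock" in peer:
        ip, blk = ip_address(src["ip"]), peer["ipBlock"]
        return ip in ip_network(blk["cidr"]) and not any(
            ip in ip_network(e) for e in blk.get("except", []))
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["ns"] != policy_ns:
        return False
    return selects(peer.get("podSelector", {}), src["labels"])

def ingress_allowed(policies, dst, src, port, proto="TCP"):
    # True if src -> dst:port passes. Selected by any Ingress policy => isolated (whitelist mode).
    isolated = False
    for pol in policies:
        spec, ns = pol["spec"], pol["metadata"].get("namespace", "default")
        if (ns != dst["ns"] or "Ingress" not in spec.get("policyTypes", ["Ingress"])
                or not selects(spec.get("podSelector", {}), dst["labels"])):
            continue
        isolated = True
        for rule in spec.get("ingress", []):  # an empty rule ({}) allows all sources and ports
            peers_ok = not rule.get("from") or any(peer_matches(p, src, ns) for p in rule["from"])
            ports_ok = not rule.get("ports") or any(
                p.get("protocol", "TCP") == proto and p.get("port") == port for p in rule["ports"])
            if peers_ok and ports_ok:
                return True
    return not isolated

def sample_policies():
    # Constructed: a namespace-wide default-deny plus one rule letting role=frontend pods and
    # 172.17.0.0/16 (minus 172.17.1.0/24) reach role=db on TCP 6379.
    deny = {"metadata": {"name": "default-deny-ingress", "namespace": "default"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
    allow = {"metadata": {"name": "allow-frontend-to-db", "namespace": "default"},
             "spec": {"podSelector": {"matchLabels": {"role": "db"}}, "policyTypes": ["Ingress"],
                      "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}},
                                            {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}}],
                                   "ports": [{"protocol": "TCP", "port": 6379}]}]}}
    return [deny, allow]

# Constructed pods; ip/ns/labels/ns_labels is this example's own shape, not a Kubernetes object.
DB = {"ns": "default", "labels": {"role": "db"}}
FRONTEND = {"ip": "10.1.0.5", "ns": "default", "labels": {"role": "frontend"}, "ns_labels": {}}
EXTERNAL = {"ip": "172.17.2.9", "ns": "", "labels": {}, "ns_labels": {}}
```

Note that a pod selected only by the default-deny policy (for example role=web) rejects everything, while with no policies at all every connection passes.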


posted @ 2020-08-16 17:30  山的那一边