我正在使用Weave Net 2.4.0运行Kubernetes 1.9.6。我试图锁定对Kubernetes内部DNS服务器和另一台主机上的特定端口的访问。我似乎找不到适合出口的格式。
我知道以下内容不是有效的政策,只是我想做的事情的代表。如何编写网络策略以支持此操作?
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: dev
spec:
podSelector:
matchLabels:
app: plem-network-policy
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 10.3.0.10/32
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
- ipBlock:
cidr: 10.49.100.37/32
ports:
- protocol: TCP
port: 8200
答案 0 :(得分:1)
我没有对cidr和port的多个块给予足够的重视。这就是我想要的。
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: dev
spec:
podSelector:
matchLabels:
app: plem-network-policy
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 10.2.0.0/16
- ipBlock:
cidr: 10.3.0.10/32
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
- to:
- ipBlock:
cidr: 10.49.100.37/32
- ipBlock:
cidr: 10.49.100.137/32
- ipBlock:
cidr: 10.49.100.85/32
ports:
- protocol: TCP
port: 8200
- to:
- ipBlock:
cidr: 10.29.30.56/32
ports:
- protocol: TCP
port: 5439