NetworkPolicy does not allow egress on the HTTP / HTTPS ports

Date: 2019-01-30 12:02:19

Tags: kubernetes azure-kubernetes kubernetes-networkpolicy cilium

I am using the NetworkPolicy below to allow egress on the HTTP and HTTPS ports, but with the network policy applied, running wget https://google.com does not work. The domain name is resolved (so the DNS egress rule works), but the connection to the external host times out.

I tried this both on minikube with cilium and on Azure with azure-npm, in case the network policy controller was being quirky, but both behave the same. I am confused, because I use the same approach for DNS egress (which works), yet it does not work for the other ports.

What is blocking egress on the HTTP / HTTPS ports?

Kubernetes version 1.11.5

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: my-netpolicy
spec:
  egress:
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  - ports:
    - port: 443
      protocol: UDP
    - port: 443
      protocol: TCP
    - port: 80
      protocol: UDP
    - port: 80
      protocol: TCP
  podSelector:
    matchLabels:
      my-label: my-app

(Yes, the UDP rules are probably unnecessary, but I am trying everything here.)

(I also tried the wget against a private server, in case Google etc. block Azure IPs.)

(I also tried adding matching ingress rules, because why not; same result.)


kubectl describe of the network policy:

Name:         my-netpolicy
Namespace:    default
Created on:   2019-01-21 19:00:04 +0000 UTC
Labels:       ...
Annotations:  <none>
Spec:
  PodSelector:     ...
  Allowing ingress traffic:
    To Port: 8080/TCP
    From: <any> (traffic not restricted by source)
    ----------
    To Port: https/UDP
    To Port: https/TCP
    To Port: http/TCP
    To Port: http/UDP
    From: <any> (traffic not restricted by source)
  Allowing egress traffic:
    To Port: 53/UDP
    To Port: 53/TCP
    To: <any> (traffic not restricted by source)
    ----------
    To Port: https/UDP
    To Port: https/TCP
    To Port: http/UDP
    To Port: http/TCP
    To: <any> (traffic not restricted by source)
  Policy Types: Ingress, Egress

Minimal reproducible example:

apiVersion: v1
kind: Pod
metadata:
  name: netpolicy-poc-pod
  labels:
    name: netpolicy-poc-pod
spec:
  containers:
  - name: poc
    image: ubuntu:18.04
    command: ["bash", "-c", "while true; do sleep 1000; done"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netpolicy-poc
spec:
  podSelector:
    matchLabels:
      name: netpolicy-poc-pod
  egress:
  - ports:
    - port: 80
      protocol: UDP
    - port: 80
      protocol: TCP
    - port: 443
      protocol: UDP
    - port: 443
      protocol: TCP
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  ingress: []

Then:

kubectl exec -it netpolicy-poc-pod -- /bin/bash
apt update
apt install wget -y
wget https://google.com
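The question's expectation can be checked against the NetworkPolicy specification itself rather than against a particular CNI. The script below is an added example, not code from the original question or from any Kubernetes component: it transcribes the PoC policy above into a Python dict (so it runs without PyYAML) and evaluates the flows that `wget https://host` needs (a DNS lookup, then TCP/443) under the spec's semantics: Egress is enforced only when `policyTypes` lists it or an `egress` field is present, a rule with no `to` matches any destination, a rule with no `ports` matches any port, and a selected pod may only send what at least one rule allows. Pod and namespace selectors need cluster state and are treated as non-matching; the resolver and server IPs are constructed.

```python
"""Evaluate a Kubernetes NetworkPolicy against egress flows (spec semantics only).

Added example for the question above; not Kubernetes code and not the
questioner's. It models what the NetworkPolicy API promises, not what any
controller (cilium, azure-npm) actually enforces.
"""
from ipaddress import ip_address, ip_network

# Constructed from the PoC NetworkPolicy in the question (networking.k8s.io/v1).
POC_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "netpolicy-poc"},
    "spec": {
        "podSelector": {"matchLabels": {"name": "netpolicy-poc-pod"}},
        "egress": [
            {"ports": [
                {"port": 80, "protocol": "UDP"}, {"port": 80, "protocol": "TCP"},
                {"port": 443, "protocol": "UDP"}, {"port": 443, "protocol": "TCP"},
                {"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"},
            ]},
        ],
        "ingress": [],
    },
}


def effective_policy_types(spec):
    """API default: Ingress is always implied; Egress only when policyTypes
    names it or the spec carries an egress field (even an empty one)."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def port_matches(port_entry, protocol, port):
    """A NetworkPolicyPort without protocol defaults to TCP; without port it
    matches every port of that protocol. Named ports are not modelled."""
    if port_entry.get("protocol", "TCP") != protocol:
        return False
    want = port_entry.get("port")
    return want is None or want == port


def peer_matches(peer, dst_ip):
    """Only ipBlock peers can be decided offline; podSelector/namespaceSelector
    peers would need cluster state and are treated as non-matching here."""
    block = peer.get("ipBlock")
    if block is None:
        return False
    ip = ip_address(dst_ip)
    if ip not in ip_network(block["cidr"]):
        return False
    return not any(ip in ip_network(ex) for ex in block.get("except", []))


def egress_allowed(policy, protocol, port, dst_ip):
    """True if the policy lets a selected pod send protocol/port to dst_ip."""
    spec = policy["spec"]
    if "Egress" not in effective_policy_types(spec):
        return True  # policy does not restrict egress at all
    for rule in spec.get("egress") or []:
        # absent/empty `ports` = any port; absent/empty `to` = any destination
        ports_ok = not rule.get("ports") or any(
            port_matches(p, protocol, port) for p in rule["ports"])
        to_ok = not rule.get("to") or any(
            peer_matches(peer, dst_ip) for peer in rule["to"])
        if ports_ok and to_ok:
            return True
    return False  # egress-type policy with no matching rule: default deny


def wget_https_flows(policy, resolver_ip, server_ip):
    """The flows `wget https://host` needs, plus one that should be denied."""
    return {
        "dns udp/53": egress_allowed(policy, "UDP", 53, resolver_ip),
        "dns tcp/53": egress_allowed(policy, "TCP", 53, resolver_ip),
        "https tcp/443": egress_allowed(policy, "TCP", 443, server_ip),
        "ssh tcp/22": egress_allowed(policy, "TCP", 22, server_ip),
    }


if __name__ == "__main__":
    # Constructed addresses: a cluster DNS service IP and a public web server.
    for flow, ok in wget_https_flows(POC_POLICY, "10.0.0.10", "203.0.113.10").items():
        print(f"{flow:14} {'allow' if ok else 'DENY'}")
```

Run against the PoC policy, every flow the wget needs comes back allowed and only tcp/22 is denied, which is why a timeout on 443 while DNS succeeds points at the enforcing controller rather than at the policy text. The `effective_policy_types` helper also makes the quiet default visible: the PoC never sets `policyTypes`, yet the presence of `egress` (and of `ingress: []`) makes it both an egress-restricting and an ingress-deny-all policy for the selected pod.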

1 answer:

Answer 0 (score: 1)

It turned out that the policy I gave works fine; it is just that the controllers implementing the policy have some bugs. On Minikube + Cilium it did not work over IPv6 but worked fine over IPv4, and on AKS the feature is generally still in beta, so we can try other options. I did not find anything about my specific problem with the azure-npm implementation, but since it works on Minikube over IPv4, I assume that once a "working" controller is set up it will work fine in Azure as well.

I found some resources on the Azure issues: