I want to perform the following task:
Create a namespace called forensics.
All pods in the forensics namespace must not be able to communicate with the outside world (egress isolation).
Create a pod called investigator in the default namespace.
Pods in the forensics namespace should only allow connections from the IP of the investigator pod.
I created the following YAML to do this.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: forensics
  name: forensics
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: forensics
  name: forensics
  namespace: forensics
spec:
  containers:
  - command:
    - sleep
    - "10000"
    image: busybox
    name: forensics
    resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: pod1
  name: pod1
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "10000"
    image: busybox
    name: pod1
    resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: investigator
  name: investigator
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "10000"
    image: busybox
    name: investigator
    resources: {}
---
# deny all ingress/egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# allow ingress from IP of investigator pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: investigator-network-policy
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.244.0.151/32
```
I can see the policies described as shown below:
**kubectl describe networkpolicy default-deny-ingress -n forensics**

```
Name:         default-deny-ingress
Namespace:    forensics
Created on:   2020-06-16 18:07:21 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress
```
**~/kubectl describe networkpolicy investigator-network-policy -n forensics**

```
Name:         investigator-network-policy
Namespace:    forensics
Created on:   2020-06-16 18:10:49 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      IPBlock:
        CIDR: 10.244.0.151/32
        Except:
  Not affecting egress traffic
  Policy Types: Ingress
```
But I cannot ping the forensics pod from the investigator pod.
```
akthakur@ninja k get po -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
investigator   1/1     Running   0          20s   10.244.0.151   thinking-3qxqs   <none>           <none>
pod1           1/1     Running   0          20s   10.244.0.232   thinking-3qxqs   <none>           <none>

akthakur@ninja k get po -o wide -n forensics
NAME        READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
forensics   1/1     Running   0          87s   10.244.0.199   thinking-3qxqs   <none>           <none>
```
Ping result:
```
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 62:54:37:84:13:42
          inet addr:10.244.0.151  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:447 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1944 (1.8 KiB)  TX bytes:43078 (42.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping 10.244.0.199
PING 10.244.0.199 (10.244.0.199): 56 data bytes
^C
--- 10.244.0.199 ping statistics ---
48 packets transmitted, 0 packets received, 100% packet loss
/ # ping 10.244.0.232
PING 10.244.0.232 (10.244.0.232): 56 data bytes
64 bytes from 10.244.0.232: seq=0 ttl=63 time=0.122 ms
64 bytes from 10.244.0.232: seq=1 ttl=63 time=0.169 ms
64 bytes from 10.244.0.232: seq=2 ttl=63 time=0.151 ms
^C
--- 10.244.0.232 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.122/0.147/0.169 ms
/ #
```
What am I doing wrong?
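The following is an added example, not code from the question or the answer. It models the selection semantics of the NetworkPolicy API offline and evaluates the two policies posted above against the pod IPs shown in the `kubectl get po -o wide` output. Under those semantics the union of the two policies does permit a new connection from investigator (10.244.0.151) to the forensics pod, while blocking pod1 and blocking all egress from forensics, so the 100% packet loss seen above is not explained by the policy objects alone; whether a given CNI plugin matches `ipBlock` against in-cluster pod IPs is implementation specific, and the Kubernetes documentation describes `ipBlock` as intended for cluster-external addresses because pod IPs are ephemeral. The block also evaluates a hypothetical label-based replacement for investigator-network-policy (namespaceSelector plus podSelector) that does not depend on the pod's IP; it assumes the default namespace carries the `kubernetes.io/metadata.name` label, which Kubernetes sets automatically from 1.22 onwards and which can be added with `kubectl label` on older clusters. The evaluator ignores `ports`, which is consistent with both posted policies since neither restricts ports.

```python
"""Offline model of Kubernetes NetworkPolicy selection semantics (added example)."""
import ipaddress

# Constructed inventory mirroring the `kubectl get po -o wide` output in the question.
PODS = {
    "investigator": {"ns": "default", "ip": "10.244.0.151", "labels": {"name": "investigator"}},
    "pod1": {"ns": "default", "ip": "10.244.0.232", "labels": {"name": "pod1"}},
    "forensics": {"ns": "forensics", "ip": "10.244.0.199", "labels": {"name": "forensics"}},
}
# Assumption: namespaces carry kubernetes.io/metadata.name (automatic on Kubernetes >= 1.22).
NAMESPACE_LABELS = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "forensics": {"name": "forensics", "kubernetes.io/metadata.name": "forensics"},
}

# The two policies from the question, spec fields only.
QUESTION_POLICIES = [
    {"ns": "forensics", "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"ns": "forensics", "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                                 "ingress": [{"from": [{"ipBlock": {"cidr": "10.244.0.151/32"}}]}]}},
]

# Hypothetical replacement for investigator-network-policy: select the peer by labels,
# not by its ephemeral pod IP. Same deny-all policy, different allow rule.
SELECTOR_POLICIES = [
    QUESTION_POLICIES[0],
    {"ns": "forensics", "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                                 "ingress": [{"from": [{
                                     "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "default"}},
                                     "podSelector": {"matchLabels": {"name": "investigator"}}}]}]}},
]


def selector_matches(selector, labels):
    """An empty selector ({}) matches everything; every matchLabels entry must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, pod, policy_ns):
    """Does one `from`/`to` entry match `pod` as the remote endpoint?"""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(pod["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    if "namespaceSelector" in peer:
        ns_ok = selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS[pod["ns"]])
    else:
        ns_ok = pod["ns"] == policy_ns  # a bare podSelector is scoped to the policy's namespace
    pod_ok = selector_matches(peer.get("podSelector", {}), pod["labels"])
    return ns_ok and pod_ok


def policy_types(spec):
    """Default policyTypes: Ingress always, Egress only when egress rules are present."""
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])


def allowed(policies, pod, direction, peer):
    """direction 'Ingress' means peer -> pod, 'Egress' means pod -> peer. Ports are ignored."""
    selecting = [p for p in policies
                 if p["ns"] == pod["ns"]
                 and selector_matches(p["spec"]["podSelector"], pod["labels"])
                 and direction in policy_types(p["spec"])]
    if not selecting:
        return True  # the pod is not isolated in this direction
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for p in selecting:
        for rule in p["spec"].get(rules_key, []):
            peers = rule.get(peers_key, [])
            # A rule with no from/to entries matches every source/destination.
            if not peers or any(peer_matches(x, peer, p["ns"]) for x in peers):
                return True
    return False  # isolated and no rule in any selecting policy matched


def connection_allowed(policies, src, dst):
    """A new connection needs egress allowed at src and ingress allowed at dst;
    replies on an allowed connection are permitted (NetworkPolicy is stateful)."""
    return (allowed(policies, PODS[src], "Egress", PODS[dst])
            and allowed(policies, PODS[dst], "Ingress", PODS[src]))


def matrix(policies):
    """Allow/deny decision for every ordered pod pair."""
    return {(s, d): connection_allowed(policies, s, d) for s in PODS for d in PODS if s != d}


if __name__ == "__main__":
    for name, pols in (("question policies", QUESTION_POLICIES), ("selector policies", SELECTOR_POLICIES)):
        print(name)
        for (s, d), ok in matrix(pols).items():
            print(f"  {s:>12} -> {d:<12} {'allow' if ok else 'deny'}")
```

Running the block prints the decision matrix for both policy sets; in both, investigator -> forensics is the only connection into the forensics namespace that is allowed and nothing leaves it. When the live cluster disagrees with this model, the difference lies in the CNI's enforcement of the rule, not in the policy objects, which is the first thing to check before rewriting them.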
Answer 0 (score: 1)
Services are one of the mature ways to handle pod-to-pod communication. By default, pods can communicate with each other via their IP addresses regardless of the namespace they are in. Check the default policy at the namespace level. If it is not specified during namespace creation, the default is deny. Change the network policy as shown below to allow traffic from other namespaces.
```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: some-name
  namespace: forensics
spec:
  selector: all()
  types:
  - Ingress
  - Egress
```