Question

我要执行以下任务

创建一个名为取证的命名空间
取证名称空间中的所有Pod都不能与外界沟通（出口隔离）
在默认名称空间中创建一个名为调查器的pod。
取证名称空间中的Pod仅应允许来自IP的连接研究者吊舱的顶部。

我创建了以下Yaml以进行相同的操作。

apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: forensics
  name: forensics

---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: forensics
  name: forensics
  namespace: forensics
spec:
  containers:
    - command:
        - sleep
        - "10000"
      image: busybox
      name: forensics
      resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: pod1
  name: pod1
  namespace: default
spec:
  containers:
    - command:
        - sleep
        - "10000"
      image: busybox
      name: pod1
      resources: {}
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: investigator
  name: investigator
  namespace: default
spec:
  containers:
    - command:
        - sleep
        - "10000"
      image: busybox
      name: investigator
      resources: {}
---
#deny all ingress/egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# allow ingress from IP of  investigator pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: investigator-network-policy
  namespace: forensics
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.244.0.151/32

我可以看到描述的策略如图所示

**kubectl describe networkpolicy default-deny-ingress -n forensics**
Name:         default-deny-ingress
Namespace:    forensics
Created on:   2020-06-16 18:07:21 +0530 IST
Labels:       <none>
Annotations:  Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress

 **~/kubectl describe networkpolicy investigator-network-policy -n forensics**
Name:         investigator-network-policy
Namespace:    forensics
Created on:   2020-06-16 18:10:49 +0530 IST
Labels:       <none>
Annotations:  Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      IPBlock:
        CIDR: 10.244.0.151/32
        Except: 
  Not affecting egress traffic
  Policy Types: Ingress

但是我无法从调查人员的容器中ping法证容器。

akthakur@ninja k get po -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
investigator   1/1     Running   0          20s   10.244.0.151   thinking-3qxqs   <none>           <none>
pod1           1/1     Running   0          20s   10.244.0.232   thinking-3qxqs   <none>           <none>
 akthakur@ninja k get po -o wide -n forensics
NAME        READY   STATUS    RESTARTS   AGE   IP             NODE             NOMINATED NODE   READINESS GATES
forensics   1/1     Running   0          87s   10.244.0.199   thinking-3qxqs   <none>           <none>

Ping结果

/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 62:54:37:84:13:42
          inet addr:10.244.0.151  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:447 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1944 (1.8 KiB)  TX bytes:43078 (42.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

**/ # ping 10.244.0.199
PING 10.244.0.199 (10.244.0.199): 56 data bytes
^C**
--- 10.244.0.199 ping statistics ---
48 packets transmitted, 0 packets received, 100% packet loss
/ # ping 10.244.0.232
PING 10.244.0.232 (10.244.0.232): 56 data bytes
64 bytes from 10.244.0.232: seq=0 ttl=63 time=0.122 ms
64 bytes from 10.244.0.232: seq=1 ttl=63 time=0.169 ms
64 bytes from 10.244.0.232: seq=2 ttl=63 time=0.151 ms
^C
--- 10.244.0.232 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.122/0.147/0.169 ms
/ # %

我在做什么错了？

Answer 1

服务是处理Pod与Pod通信的成熟方法之一。默认情况下，pod可以通过其IP地址相互通信，而与它们所在的名称空间无关。检查名称空间级别的默认策略。如果未在命名空间创建过程中指定，则默认设置为拒绝。如下所示更改networkpolicy以允许来自其他名称空间的流量。

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: some-name
  namespace: forensics
spec:
  selector: all()
  types:
  - Ingress
  - Egress

kubernetes网络策略，允许访问特定的IP

1 个答案: