使用Azure CNI网络策略允许从Kubernetes pod出口到特定的FQDN/DNS

AKS不支持带有FQDN/DNS规则的ATM网络策略。

如果您使用Azure CNI &Azure策略插件，你得到默认的Kubernetes网络策略。

如果您使用Azure CNI &Calico政策插件，您可以获得高级的可能性，如全球网络政策，但不是FQDN/DNS之一。这是Calico Cloud的付费功能。

如果有人从google点击这个页面:

我找到了一个解决方案，在我的云提供商(OpenTelekomCloud)上很好地工作，可能会在许多其他的。

有一个项目叫做gke-fqdnnetworkpolicies-golang

通过定义自定义资源

apiVersion: networking.gke.io/v1alpha3
kind: FQDNNetworkPolicy
metadata:
name: allow-test
namespace: test1
spec:
podSelector: {}
egress:
- to:
- fqdns:
- heise.de
ports:
- port: 443
protocol: TCP
- port: 80
protocol: TCP

它将解析fqdn，生成最终的NetworkPolicy并每30秒更新一次记录。这就是最终Policy的样子

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-test
namespace: test1
annotations:
fqdnnetworkpolicies.networking.gke.io/owned-by: allow-test
spec:
podSelector: {}
egress:
- ports:
- protocol: TCP
port: 443
- protocol: TCP
port: 80
to:
- ipBlock:
cidr: 128.65.210.8/32
policyTypes:
- Ingress
- Egress

我必须将以下权限附加到clusterRolefqdnnetworkpolicies-manager-role在yaml中(从发布页面下载)，使其在GKE

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: fqdnnetworkpolicies-manager-role
rules:
...
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies/status
verbs:
- get
- patch
- update

应用K8s网络策略

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-rules
spec:
podSelector:
matchLabels:
role: pod_role
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
- host: www.example.com

参考https://kubernetes.io/docs/concepts/services-networking/network-policies/