Kubernetes Network Policies: unable to 'wget' a pod running in a different namespace?



I created two namespaces named "a" and "b".

My file structure is as follows:

In folder a

nginx-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-a
  labels:
    app-tier: UI
  namespace: a
spec:
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

network-policy.yml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-a
  namespace: a
spec:
  podSelector: {}          # selects every pod in namespace a
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:                  # one rule: peers AND ports must both match
    - namespaceSelector:
        matchLabels:
          name: b
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:                    # one rule: only namespace b, and only on port 53
    - namespaceSelector:
        matchLabels:
          name: b
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

and applied both yml files with kubectl apply -f.

In folder b

nginx-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-b
  labels:
    app-tier: UI
  namespace: b
spec:
  selector:
    matchLabels:
      app-tier: UI
  template:
    metadata:
      labels:
        app-tier: UI
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

network-policy.yml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-b
  namespace: b
spec:
  podSelector: {}          # selects every pod in namespace b
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:                  # one rule: peers AND ports must both match
    - namespaceSelector:
        matchLabels:
          name: a
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:                    # one rule: only namespace a, and only on port 53
    - namespaceSelector:
        matchLabels:
          name: a
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

and applied both yml files with kubectl apply -f.

Question

So basically I want to allow traffic from namespace a to namespace b and vice versa.

I have exposed the services using:

$ kubectl expose deployment nginx-deployment-b -n b --port=80
$ kubectl expose deployment nginx-deployment-a -n a --port=80

I created a busybox pod in namespace a using:

kubectl run myshell --image=busybox -n a --command -- sh -c "sleep 3600"

I exec'd into the busybox pod using:

kubectl exec myshell -n a -it -- sh

Now this is the output of wget:

/ # wget nginx-deployment-b.b.svc.cluster.local
^Z[5]+  Stopped                    wget nginx-deployment-b.b.svc.cluster.local
/ # wget nginx-deployment-a.a.svc.cluster.local
^Z[6]+  Stopped                    wget nginx-deployment-a.a.svc.cluster.local
/ # wget nginx-deployment-a.a.svc
^Z[7]+  Stopped                    wget nginx-deployment-a.a.svc
/ # wget nginx-deployment-b.b.svc
^Z[8]+  Stopped                    wget nginx-deployment-b.b.svc
/ # 

As you can see, I can connect neither to the service running in namespace a nor to the one in namespace b.

What should I do to allow traffic from namespace a to namespace b and vice versa?

Any suggestions or modifications are welcome.

Thanks

edit-1

Description of the network policy np-a

Name:         np-a
Namespace:    a
Created on:   2020-08-21 18:41:12 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=b
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=b
  Policy Types: Ingress, Egress

np-b

Name:         np-b
Namespace:    b
Created on:   2020-08-21 18:21:07 +0530 IST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: name=a
  Allowing egress traffic:
    To Port: 53/TCP
    To Port: 53/UDP
    To:
      NamespaceSelector: name=a
  Policy Types: Ingress, Egress

Service descriptions

Name:              nginx-deployment-a
Namespace:         a
Labels:            app-tier=UI
Annotations:       <none>
Selector:          app-tier=UI
Type:              ClusterIP
IP:                10.107.112.202
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.0.0.147:80
Session Affinity:  None
Events:            <none>

Name:              nginx-deployment-b
Namespace:         b
Labels:            app-tier=UI
Annotations:       <none>
Selector:          app-tier=UI
Type:              ClusterIP
IP:                10.98.228.141
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.0.0.79:80
Session Affinity:  None
Events:            <none>

Output of kubectl get pods -n kube-system

NAME                               READY   STATUS    RESTARTS   AGE
cilium-operator-868c78f7b5-44nhn   0/1     Pending   0          7h58m
cilium-operator-868c78f7b5-jl5cq   1/1     Running   2          7h58m
cilium-qgzxs                       1/1     Running   2          7h58m
coredns-66bff467f8-lpck8           1/1     Running   2          8h
etcd-minikube                      1/1     Running   1          7h8m
kube-apiserver-minikube            1/1     Running   1          7h8m
kube-controller-manager-minikube   1/1     Running   3          8h
kube-proxy-f9vgr                   1/1     Running   2          8h
kube-scheduler-minikube            1/1     Running   2          8h
storage-provisioner                1/1     Running   5          8h

You need to allow egress on port 53 for DNS resolution:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dns                # no namespace here: apply it with -n a and -n b
spec:
  podSelector: {}          # every pod in the namespace it is applied to
  egress:
  - ports:                 # no "to" list: any destination, on these ports only
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

You can use a network policy like the one above, dedicated to DNS, in each of the two namespaces.

Also, when you access a service that lives in a different namespace you need to use either <servicename>.<namespacename>.svc or <servicename>.<namespacename>.svc.cluster.local.

So the command to access nginx-deployment-b should use nginx-deployment-b.b.svc or nginx-deployment-b.b.svc.cluster.local.
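The answer above covers DNS, but there is a second reason the posted policies block everything: within a single rule, the peers in `to` and the entries in `ports` are ANDed, so np-a's egress rule means "namespace b, and only port 53". Nothing in it allows port 80 to namespace b, and nothing allows port 53 to CoreDNS in kube-system, so both the name lookup and the HTTP connection hang. Rules from separate policies that select the same pod are unioned, which is why a separate DNS policy helps, but the rule for port 80 still has to exist somewhere. The script below is an added example, not code from the question or the answer: it models the relevant subset of NetworkPolicy semantics (matchLabels selectors, namespaceSelector/podSelector peers, numeric ports; no ipBlock or named ports) and evaluates the posted policies next to a corrected pair. The namespace labels, the `run=myshell` label kubectl run adds, the CoreDNS `k8s-app=kube-dns` label and the cluster state are all constructed for the example; the policy dicts use the same keys as the YAML fields.

```python
"""Offline model of NetworkPolicy evaluation for the flows in the question.
Modelled subset: matchLabels selectors, namespaceSelector/podSelector peers,
numeric TCP/UDP ports. ipBlock, named ports and endPort are ignored.
Cluster state below is constructed for this example."""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def selector_matches(selector, labels):
    """matchLabels semantics: every listed label must be present and equal ({} matches all)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, pod, policy_ns, namespaces):
    """Does one from/to peer select `pod`? A podSelector without a namespaceSelector
    only reaches pods in the policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peer, not modelled here
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces[pod.namespace]):
            return False
    elif pod.namespace != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, pod.labels)


def port_matches(ports, proto, port):
    if not ports:  # no ports list means any port
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)


def direction_allowed(policies, namespaces, pod, other, direction, proto, port):
    """True if `pod` may send to (Egress) / receive from (Ingress) `other`.
    A pod is isolated once any policy selecting it lists the direction; it then
    needs one rule, in any selecting policy, whose peers AND ports both match."""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != pod.namespace:
            continue
        if not selector_matches(spec.get("podSelector", {}), pod.labels):
            continue
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if direction not in types:
            continue
        isolated = True
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peer_key)
            peer_ok = not peers or any(peer_matches(p, other, pod.namespace, namespaces) for p in peers)
            if peer_ok and port_matches(rule.get("ports"), proto, port):
                return True
    return not isolated


def connection_allowed(policies, namespaces, src, dst, proto, port):
    """Sender's egress and receiver's ingress must both allow the connection."""
    return (direction_allowed(policies, namespaces, src, dst, "Egress", proto, port)
            and direction_allowed(policies, namespaces, dst, src, "Ingress", proto, port))


# Constructed cluster state. kubernetes.io/metadata.name is set automatically on every
# namespace (Kubernetes >= 1.21); the plain `name` label the posted policies rely on is
# assumed to have been added by hand to a and b, and is absent from kube-system.
NAMESPACES = {"a": {"name": "a", "kubernetes.io/metadata.name": "a"},
              "b": {"name": "b", "kubernetes.io/metadata.name": "b"},
              "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}
MYSHELL = Pod("myshell", "a", {"run": "myshell"})  # kubectl run labels the pod run=<name>
NGINX_A = Pod("nginx-a", "a", {"app-tier": "UI"})
NGINX_B = Pod("nginx-b", "b", {"app-tier": "UI"})
COREDNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})

HTTP = [{"protocol": "TCP", "port": 80}]
DNS = [{"protocol": "TCP", "port": 53}, {"protocol": "UDP", "port": 53}]
DNS_PEER = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}


def ns_peer(name):
    return {"namespaceSelector": {"matchLabels": {"name": name}}}


def policy(name, ns, ingress, egress):
    return {"metadata": {"name": name, "namespace": ns},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                     "ingress": ingress, "egress": egress}}


# The policies as posted: egress to the peer namespace AND only port 53, in one rule.
POSTED = [policy("np-a", "a", [{"from": [ns_peer("b")], "ports": HTTP}], [{"to": [ns_peer("b")], "ports": DNS}]),
          policy("np-b", "b", [{"from": [ns_peer("a")], "ports": HTTP}], [{"to": [ns_peer("a")], "ports": DNS}])]


def fixed(name, ns, other):
    """Corrected policy: one egress rule for HTTP to the peer namespace, one for DNS to CoreDNS."""
    return policy(name, ns, [{"from": [ns_peer(other)], "ports": HTTP}],
                  [{"to": [ns_peer(other)], "ports": HTTP}, {"to": [DNS_PEER], "ports": DNS}])


FIXED = [fixed("np-a", "a", "b"), fixed("np-b", "b", "a")]
FLOWS = {"a->dns": (MYSHELL, COREDNS, "UDP", 53), "a->b:80": (MYSHELL, NGINX_B, "TCP", 80),
         "b->a:80": (NGINX_B, NGINX_A, "TCP", 80), "a->a:80": (MYSHELL, NGINX_A, "TCP", 80)}


def evaluate(policies):
    """Map each named flow to whether the given policy set lets it through."""
    return {k: connection_allowed(policies, NAMESPACES, *v) for k, v in FLOWS.items()}


if __name__ == "__main__":
    print("posted:", evaluate(POSTED))  # every flow denied, DNS included
    print("fixed: ", evaluate(FIXED))   # DNS and a<->b:80 allowed; a->a:80 still denied
```

Two things the evaluation makes visible. First, `a->a:80` stays denied even with the corrected policies, because neither contains a same-namespace peer; that matches the question's failed wget to nginx-deployment-a from the busybox pod in a, and is the least-privilege default to keep unless you add a rule such as `- to: [{podSelector: {}}]`. Second, the `namespaceSelector` in the posted policies matches a `name` label, not the namespace's name: if `kubectl label namespace b name=b` was never run, nothing matches and the fix above is still dead. Selecting on the automatic `kubernetes.io/metadata.name` label avoids that dependency. Replies to an allowed connection do not need their own rule; policies are evaluated on the initiating direction and return traffic is handled by connection tracking.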
