Egress policy not applied in Kubernetes 1.9



I want to deny all egress traffic, so I created this network policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Egress

Then I applied it to the namespace:

kubectl -n pps-api-gateway-ci apply -f ~/Documents/networkpolicy.yaml

To test this, I described the network policy:

kubectl -n pps-api-gateway-ci describe networkpolicy
Name:         default-deny
Namespace:    pps-api-gateway-ci
Created on:   2018-05-29 13:50:52 -0700 PDT
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"default-deny","namespace":"pps-api-gateway-ci"},"spec"...
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Egress

Then I logged into that container:

ping www.google.com

PING www.google.com (216.58.217.100): 56 data bytes
64 bytes from 216.58.217.100: icmp_seq=0 ttl=46 time=2.552 ms
64 bytes from 216.58.217.100: icmp_seq=1 ttl=46 time=1.835 ms
64 bytes from 216.58.217.100: icmp_seq=2 ttl=46 time=1.487 ms
64 bytes from 216.58.217.100: icmp_seq=3 ttl=46 time=2.523 ms
64 bytes from 216.58.217.100: icmp_seq=4 ttl=46 time=1.607 ms
64 bytes from 216.58.217.100: icmp_seq=5 ttl=46 time=1.480 ms

If my egress policy were applied, I should not be able to ping.

I am using Kubernetes version 1.9.6.

From the official docs:

Network policies are implemented by the network plugin, so you must be using a networking solution which supports NetworkPolicy - simply creating the resource without a controller to implement it will have no effect.

Many network plugins, including Calico and Weave Net, support the use of Network Policies, but Flannel does not.

Latest update
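Added example, not part of the original question or its update: a small evaluator of NetworkPolicy egress semantics, written from the API rules rather than from any CNI plugin. It models the policy from the question (embedded below as a Python dict instead of YAML), a hypothetical policy that omits `policyTypes`, and a hypothetical CIDR allow-list, and answers "is this pod egress-isolated, and may it reach this IP?" The function names (`egress_allowed`, `effective_policy_types`), the sample policies other than `default-deny`, and the pod labels are constructed for illustration. It deliberately says nothing about enforcement: as the quoted docs state, a policy that the API accepts is still a no-op when the network plugin (Flannel, for instance) does not implement NetworkPolicy, which is the first thing to rule out when a describe looks right but traffic still flows.

```python
import ipaddress

# The policy from the question, expressed as a dict (constructed from its YAML).
DEFAULT_DENY_EGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "pps-api-gateway-ci"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}

# Hypothetical: same selector but no policyTypes. Per the API, policyTypes then
# defaults to Ingress only (Egress is added only if an 'egress' section exists),
# so this policy isolates ingress and leaves egress wide open.
MISSING_POLICY_TYPES = {
    "metadata": {"name": "deny-without-types"},
    "spec": {"podSelector": {}},
}

# Hypothetical: gateway pods may only reach 10.0.0.0/8, minus one subnet.
ALLOW_INTERNAL_EGRESS = {
    "metadata": {"name": "allow-internal"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "gateway"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8",
                                        "except": ["10.0.5.0/24"]}}]}],
    },
}


def selector_matches(selector, labels):
    """Label-selector semantics: {} matches every pod in the namespace."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def effective_policy_types(spec):
    """Explicit policyTypes wins; otherwise Ingress, plus Egress iff an egress section exists."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def ip_block_matches(block, ip):
    """ipBlock peer: inside cidr and not inside any 'except' range."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(ex, strict=False)
                   for ex in block.get("except") or [])


def egress_allowed(policies, pod_labels, dest_ip):
    """Return (allowed, reason) for traffic from a pod with pod_labels to dest_ip.

    A pod is egress-isolated as soon as one policy with Egress in its effective
    policyTypes selects it; traffic is then allowed only if some egress rule of
    some selecting policy matches the destination. Rules are additive.
    """
    isolating = [p for p in policies
                 if selector_matches(p["spec"].get("podSelector") or {}, pod_labels)
                 and "Egress" in effective_policy_types(p["spec"])]
    if not isolating:
        return True, "pod is not egress-isolated: no Egress policy selects it"
    for policy in isolating:
        name = policy["metadata"]["name"]
        for rule in policy["spec"].get("egress") or []:
            peers = rule.get("to") or []
            if not peers:  # a rule with an empty 'to' matches every destination
                return True, f"{name}: rule with empty 'to' allows all destinations"
            for peer in peers:
                # podSelector/namespaceSelector peers need cluster state to resolve;
                # this offline model only evaluates ipBlock peers.
                if "ipBlock" in peer and ip_block_matches(peer["ipBlock"], dest_ip):
                    return True, f"{name}: ipBlock {peer['ipBlock']['cidr']} allows {dest_ip}"
    return False, "pod is egress-isolated and no rule allows this destination"


if __name__ == "__main__":
    google = "216.58.217.100"  # address from the ping output in the question
    for label, pols in [("default-deny", [DEFAULT_DENY_EGRESS]),
                        ("no policyTypes", [MISSING_POLICY_TYPES]),
                        ("allow-internal", [ALLOW_INTERNAL_EGRESS])]:
        print(label, "->", egress_allowed(pols, {"app": "gateway"}, google))
```

Running it shows that, by the API semantics, `default-deny` should block the ping in the question; if the same policy shows as isolating in `kubectl describe` yet the ping succeeds, the gap is in enforcement (the CNI plugin), not in the policy object. The `MISSING_POLICY_TYPES` case illustrates the other common cause of "my deny-all does nothing": leaving out `policyTypes`.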