Kubernetes 网络策略 - 仅允许流量通过特定端口提供服务
我有一个 GKE 集群 v1.21 并启用了网络策略。
我使用以下命令拒绝集群内的所有入口和出口流量:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all-traffic
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
我有一个部署和一个侦听 443 的内部负载均衡器:
apiVersion: v1
kind: Service
metadata:
name: my-service
annotations:
cloud.google.com/load-balancer-type: "Internal"
spec:
selector:
app: my-webserver
ports:
- port: 443
targetPort: 8080
type: LoadBalancer
另一个名为 my-deployment 的部署,我想从中向 my-webserver 发送 https 请求。
我设置了以下策略:
允许 my-webserver 入口
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-ingress-my-webserver
spec:
policyTypes:
- Ingress
podSelector:
matchLabels:
app: my-webserver
ingress:
- from:
- podSelector:
matchLabels:
app: my-deployment
ports:
- protocol: TCP
port: 443
允许 my-deployment 出口
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-my-deployment
spec:
podSelector:
matchLabels:
app: my-deployment
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: my-webserver
ports:
- protocol: TCP
port: 443
这些网络策略不允许我从 my-deployment 向 my-webserver 发送请求。
但是,当删除这两个策略上的端口部分时,这有效 - 我可以从 my-deployment 到 my-webserver 进行 https 调用。
但是,我希望能够仅允许特定端口和特定协议上的连接。
有没有办法将连接限制为仅特定端口?
I have a GKE cluster v1.21 and have network policy enabled.
I denied all ingress and egress traffic within the cluster using:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all-traffic
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
And I have a deployment and an internal load balancer the listens on 443:
apiVersion: v1
kind: Service
metadata:
name: my-service
annotations:
cloud.google.com/load-balancer-type: "Internal"
spec:
selector:
app: my-webserver
ports:
- port: 443
targetPort: 8080
type: LoadBalancer
And another deployment called my-deployment from which I want to send https requests to my-webserver.
I've setup the following policies:
Allow ingress for my-webserver
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-ingress-my-webserver
spec:
policyTypes:
- Ingress
podSelector:
matchLabels:
app: my-webserver
ingress:
- from:
- podSelector:
matchLabels:
app: my-deployment
ports:
- protocol: TCP
port: 443
Allow egress for my-deployment
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-my-deployment
spec:
podSelector:
matchLabels:
app: my-deployment
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: my-webserver
ports:
- protocol: TCP
port: 443
Those network policies don't allow me to send requests to my-webserver from my-deployment.
However, when removing the ports section on both policies this works - I can make https calls from my-deployment to my-webserver.
But, I want to be able to allow connections only on a specific port and a specific protocol.
Is there a way for me to restrict connections only to a specific port?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您只需打开8080端口即可。
Kubernetes 中的服务是虚拟的,不会路由或传输流量,翻译 443 ->在评估 iptables 规则之前,8080 在 Pod 节点本地发生。
You only have to open port 8080.
A Service in Kubernetes is something virtual and doesn't route or transfer traffic, the translation 443 -> 8080 happens locally on the Pod's node before the iptables rule is evaluated.
我假设您正在从 my-deployment 的 Pod 进行测试并访问外部负载均衡器的 IP 地址(如果是这种情况);发生这种情况是因为您允许的通信仅是从源 Pod 到服务,您缺少从服务到目标 Pod 的部分。
根据 Google 的文档:
您需要做的是在两个策略中都允许端口 8080:
I am assuming you are testing from a my-deployment's Pod and hitting the External LB's IP address, if that is the case; this is happening because the communication you are allowing is just from the source Pod to the service, you are missing the part from the service to the destination Pod.
As per Google's documentation:
What you need to do, is to allow the port 8080 as well in both policies: