How to allow access to kubernetes api using egress network policy?


Question

An init container running a kubectl get pod command is used to get the ready status of other pods.

After Egress NetworkPolicy was turned on, the init container can't access the Kubernetes API: Unable to connect to the server: dial tcp 10.96.0.1:443: i/o timeout. CNI is Calico.

Several rules were tried but none of them are working (service and master host IPs, different CIDR masks):

...
  egress:
  - to:
    - ipBlock:
        cidr: 10.96.0.1/32
    ports:
    - protocol: TCP
      port: 443
...

or using namespace (default and kube-system namespaces):

...
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: default
    ports:
    - protocol: TCP
      port: 443
...

Looks like ipBlock rules just don't work, and namespace rules don't work because the kubernetes api is a non-standard pod.

Can it be configured? Kubernetes is 1.9.5, Calico is 3.1.1.

Problem still exists with GKE 1.13.7-gke.8 and calico 3.2.7

Answer

You need to get the real ip of the master using 'kubectl get endpoints --namespace default kubernetes' and make an egress policy to allow that.

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-apiserver
  namespace: test
spec:
  policyTypes:
  - Egress
  podSelector: {}
  egress:
  - ports:
    - port: 443
      protocol: TCP
    to:
    - ipBlock:
        cidr: x.x.x.x/32
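The answer leaves the real apiserver address as x.x.x.x and hard-codes port 443. In practice the 'kubernetes' Endpoints object can list more than one control-plane address, and its port is the apiserver's listening port (often 6443), not the Service port 443 that the ClusterIP 10.96.0.1 exposes; the policy has to match the post-DNAT destination, so both the IP and the port must come from the Endpoints object. The script below is an added example, not code from the question or the answer: it parses the JSON that kubectl get endpoints --namespace default kubernetes -o json would print (the sample addresses 192.0.2.10/11 and port 6443 are constructed placeholders) and emits a NetworkPolicy with one /32 egress rule per address/port pair. The function names and the minimal YAML renderer are mine; pipe the output to kubectl apply -f - on a real cluster.

```python
"""Build an egress NetworkPolicy that allows a namespace to reach the real
kube-apiserver endpoint(s) behind the 'kubernetes' Service."""
import json

# Constructed sample in the shape of:
#   kubectl get endpoints --namespace default kubernetes -o json
# The IPs and port are placeholders (RFC 5737 range), not values from the page.
SAMPLE_ENDPOINTS_JSON = json.dumps({
    "kind": "Endpoints",
    "apiVersion": "v1",
    "metadata": {"name": "kubernetes", "namespace": "default"},
    "subsets": [{
        "addresses": [{"ip": "192.0.2.10"}, {"ip": "192.0.2.11"}],
        "ports": [{"name": "https", "port": 6443, "protocol": "TCP"}],
    }],
})


def apiserver_targets(endpoints_json):
    """Return sorted (ip, port, protocol) tuples for every ready address/port
    pair in the Endpoints object (non-ready addresses are ignored)."""
    obj = json.loads(endpoints_json)
    targets = set()
    for subset in obj.get("subsets") or []:
        for addr in subset.get("addresses") or []:
            for port in subset.get("ports") or []:
                targets.add((addr["ip"], int(port["port"]), port.get("protocol", "TCP")))
    return sorted(targets)


def apiserver_egress_policy(endpoints_json, namespace, name="allow-apiserver"):
    """Return a NetworkPolicy (plain dict) selecting all pods in `namespace`,
    with one egress rule per apiserver (ip, port) pair, each as a /32 ipBlock.
    Using the endpoint port rather than the Service port is the point here."""
    targets = apiserver_targets(endpoints_json)
    if not targets:
        raise ValueError("Endpoints object has no ready addresses")
    rules = [
        {"to": [{"ipBlock": {"cidr": f"{ip}/32"}}],
         "ports": [{"port": port, "protocol": proto}]}
        for ip, port, proto in targets
    ]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": rules},
    }


def to_yaml(value, indent=0):
    """Minimal YAML renderer for the dict/list/scalar structure above, so the
    script needs no PyYAML. Scalars are emitted as JSON literals (valid YAML)."""
    pad = " " * indent
    if isinstance(value, dict):
        if not value:
            return pad + "{}"
        lines = []
        for k, v in value.items():
            if isinstance(v, (dict, list)) and v:
                lines.append(f"{pad}{k}:")
                lines.append(to_yaml(v, indent + 2))
            else:
                lines.append(f"{pad}{k}: {to_yaml(v, 0).strip()}")
        return "\n".join(lines)
    if isinstance(value, list):
        if not value:
            return pad + "[]"
        lines = []
        for item in value:
            # Render the item two columns in, then hoist its first line onto the dash.
            first, _, rest = to_yaml(item, indent + 2).partition("\n")
            lines.append(f"{pad}- {first.strip()}" + (f"\n{rest}" if rest else ""))
        return "\n".join(lines)
    return pad + json.dumps(value)


if __name__ == "__main__":
    # On a real cluster replace SAMPLE_ENDPOINTS_JSON with sys.stdin.read()
    # fed from: kubectl get endpoints --namespace default kubernetes -o json
    print(to_yaml(apiserver_egress_policy(SAMPLE_ENDPOINTS_JSON, "test")))
```

Two caveats worth keeping in mind when you apply the generated policy: control-plane addresses change when masters are replaced (managed clusters such as GKE can rotate them), so regenerate the policy after such events, and if the init container resolves the API by name it also needs an egress rule for DNS (UDP/TCP 53 to kube-dns in kube-system), which this policy does not add.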
