如何在同一入口规则中同时应用pod选择器和名称空间选择器? [英] How can I apply pod selector and namespace selector, both, in the same ingress rule?

问题描述

Kubernetes文档此处的示例显示了如何将网络策略应用于Pod选择器或命名空间选择器指定的源.我可以指定同时满足这两个约束条件的来源吗?

Kubernetes documentation example here shows how a network policy can be applied for a source specified by either a pod selector OR a namespace selector. Can I specify a source the fulfills both constraints at the same time.

例如源可以是标签为"tier = web"的吊舱，该吊舱部署在名称空间"ingress"中.

e.g. Can a source be a pod with label "tier=web" which is deployed in namespace "ingress".

P.S.目前，我通过将名称空间名称添加为pod-labels来使其正常工作.

P.S. For now, I have it working by adding namespace name as pod-labels.

推荐答案

是的，这是可能的，但并不直观.如果您查看 下面的部分，它给出了一个很好的解释(在您提出问题后，似乎已经添加了该解释). NetworkPolicy API文档此处通常也很有帮助.

Yes, this is possible, but not immediately intuitive. If you look at the section below the chunk you linked, it gives a pretty good explanation (this appears to have been added after you asked your question). The NetworkPolicy API documentation here is generally helpful as well.

基本上，如果像示例一样将每个选择器放在列表中的两个单独项目中，则它使用逻辑或.如果将它们作为两个项目放在列表的同一数组元素中(第二个项目前面没有破折号)(如下面的示例所示)与AND podSelector和namespaceSelector结合使用，它将起作用.在yaml to json转换器中查看这些内容可能会有所帮助.

Basically, if you put each selector as two separate items in the list like the example does, it is using a logical OR. If you put them as two items in the same array element in the list (no dash in front of the second item) like the example below to AND the podSelector and namespaceSelector, it will work. It may help to see these in a yaml to json converter.

这是他们政策中的一个入口块，已修改为AND条件

Here's an ingress chunk from their policy, modified to AND the conditions

      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              project: myproject
          podSelector:
            matchLabels:
              role: frontend

如果在to或from语句旁边使用ports规则，则同样适用于这种逻辑.您会在示例中注意到，根据入口规则，它们在ports前面没有破折号.如果他们在前面加了破折号，那就等于入口和端口的条件.

This same sort of logic applies to using the ports rule if you use that alongside of the to or from statements. You'll notice in the example that they do not have a dash in front of ports under the ingress rule. If they had put a dash in front, it would OR the conditions of ingress and ports.

以下是他们讨论如何实现组合选择器时的一些GitHub链接:

Here are some GitHub links from when they were discussing how to implement combining selectors:

1. 此评论可能会提供更多背景知识.该API已经支持OR，因此如果这样做，将为实现该功能的人员破坏某些功能: https://github.com/kubernetes/kubernetes/issues/50451#issuecomment-336305625
2. https://github.com/kubernetes/kubernetes/pull/60452

1. This comment may give a little more background. The API already supported the OR, so doing it otherwise would've broken some functionality for people with that implemented: https://github.com/kubernetes/kubernetes/issues/50451#issuecomment-336305625
2. https://github.com/kubernetes/kubernetes/pull/60452

这篇关于如何在同一入口规则中同时应用pod选择器和名称空间选择器?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！