kubernetes networkpolicy allow external traffic to internet only
Problem description
I'm trying to implement a network policy in my kubernetes cluster to isolate my pods in a namespace but still allow them to access the internet, since I'm using Azure MFA for authentication.
This is what I tried but can't seem to get it working. Ingress is working as expected but these policies block all egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: grafana-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: grafana
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx-ingress
Can anybody tell me how I make the above configuration work so that I also allow internet traffic but block traffic to other pods?
Recommended answer
Try adding a default deny-all network policy on the namespace, then adding an allow-internet policy after it.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-internet-only
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 192.168.0.0/16
        - 172.16.0.0/12   # RFC 1918 block is /12 (172.16.0.0-172.31.255.255); /20 only covers 172.16.0.0-172.16.15.255
This will block all traffic except internet outbound. In the allow-internet-only policy there is an exception for all private IPs, which will prevent pod-to-pod communication. You will also have to allow egress to CoreDNS in kube-system if you require DNS lookups, as the default-deny-all policy will block DNS queries.