kubernetes networkpolicy仅允许外部流量访问Internet [英] kubernetes networkpolicy allow external traffic to internet only

问题描述

我试图在我的kubernetes群集中实施网络策略以隔离我的pod在命名空间中，但是自从我使用Azure MFA进行身份验证以来，我仍然允许它们访问Internet.

Im trying to implement network policy in my kubernetes cluster to isolate my pods in a namespace but still allow them to access the internet since im using Azure MFA for authentication.

这是我尝试过的方法，但似乎无法使其正常工作.入口正在按预期工作，但是这些策略会阻止所有出口.

This is what i tried but cant seem to get it working. Ingress is working as expected but these policies blocks all egress.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress 

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: grafana-policy
  namespace: default
spec:
  podSelector:
    matchLabels: 
      app: grafana
  ingress:
  - from:
    - podSelector:
       matchLabels: 
        app: nginx-ingress

谁能告诉我我如何进行上述配置，以便我也允许互联网访问，但阻止访问其他POD的人?

Anybody who can tell me how i make above configuration work so i will also allow internet traffic but blocking traffic to other POD's?

推荐答案

尝试在名称空间上添加默认的拒绝所有网络"策略，然后在其后添加允许Internet"策略.

Try adding a default deny all network policy on the namespace, then adding an allow Internet policy after.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-internet-only
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
      - ipBlock:
        cidr: 0.0.0.0/0
          except:
            - 10.0.0.0/8
            - 192.168.0.0/16
            - 172.16.0.0/20

这将阻止除互联网出站以外的所有流量. 在仅允许互联网"策略中，所有专用IP都有一个例外，它将阻止Pod到Pod的通信. 如果您需要DNS查找，还必须允许从kube-system到Core DNS的出口，因为default-deny-all策略将阻止DNS查询.

This will block all traffic except for internet outbound. In the allow-internet-only policy, there is an exception for all private IPs which will prevent pod to pod communication. You will also have to allow Egress to Core DNS from kube-system if you require DNS lookups, as the default-deny-all policy will block DNS queries.

这篇关于kubernetes networkpolicy仅允许外部流量访问Internet的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！