I am using Calico on minikube, following these instructions:
https://docs.tigera.io/calico/latest/getting-started/kubernetes/minikube
I have gone through the verification procedure and confirmed that I see the expected output. I have an nginx deployment running in 3 namespaces. Below is the output of kubectl get pods -A:
NAMESPACE     NAME                                       READY   STATUS    RESTARTS      AGE
kube-system   calico-kube-controllers-949d58b75-n52zg    1/1     Running   0             15m
kube-system   calico-node-s7xqh                          1/1     Running   0             15m
kube-system   coredns-787d4945fb-zldh9                   1/1     Running   0             17m
kube-system   etcd-minikube                              1/1     Running   0             17m
kube-system   kube-apiserver-minikube                    1/1     Running   0             17m
kube-system   kube-controller-manager-minikube           1/1     Running   0             17m
kube-system   kube-proxy-2lskh                           1/1     Running   0             17m
kube-system   kube-scheduler-minikube                    1/1     Running   0             17m
kube-system   storage-provisioner                        1/1     Running   1 (17m ago)   17m
ns1           new-deploy-7c577ddf69-nsptf                1/1     Running   0             4m17s
ns1           new-deploy-7c577ddf69-rdj4s                1/1     Running   0             4m17s
ns2           new-deploy-7c577ddf69-4hnx5                1/1     Running   0             4m16s
ns2           new-deploy-7c577ddf69-wwqm5                1/1     Running   0             4m16s
ns3           new-deploy-7c577ddf69-hvnkb                1/1     Running   0             4m14s
ns3           new-deploy-7c577ddf69-s92q5                1/1     Running   0             4m14s
I have defined this network policy in ns3:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-ns2
  namespace: ns3
spec:
  podSelector:
    matchLabels:
      environment: test
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              permission: allowed
I confirmed that it has been applied by running kubectl describe networkpolicy -n ns3. This is the output:
Name:         deny-ns2
Namespace:    ns3
Created on:   2023-07-10 13:28:50 +0200 CEST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     environment=test
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: permission=allowed
  Not affecting egress traffic
  Policy Types: Ingress
Why can I ping from a pod in ns2 to ns3 and get a response without being blocked? Below is the command I use; it returns the nginx response, which I expected not to work.
kubectl exec --namespace ns2 new-deploy-7c577ddf69-4hnx5 -- curl IP_POD_IN_NS3
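The check a practitioner would run first on a question like this, as an added example that is not part of the original post: a small Python model of how the Kubernetes API defines NetworkPolicy ingress evaluation. A policy isolates only the pods its podSelector matches, so if no pod in ns3 carries environment=test the policy selects nothing and every ingress stays allowed, however strict its rules read. The pod and namespace labels below are assumptions (the post shows neither), chosen so that both outcomes appear; enforcement itself is the CNI plugin's job and is outside what this model can test.

```python
"""Model of Kubernetes NetworkPolicy ingress semantics against constructed
cluster state. Added example; not code from the original post or from Calico.

Modelled: spec.podSelector.matchLabels, spec.policyTypes, and
ingress[].from[] with namespaceSelector / podSelector using matchLabels.
Not modelled: ipBlock, matchExpressions, ports, egress, CNI enforcement.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def match_labels(selector: dict, labels: dict) -> bool:
    """matchLabels: every selector key present with the same value.
    An empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def policy_selects(policy: dict, pod: Pod) -> bool:
    """A policy only ever selects pods in its own namespace."""
    if policy["metadata"]["namespace"] != pod.namespace:
        return False
    selector = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return match_labels(selector, pod.labels)


def selected_pods(policy: dict, pods: list) -> list:
    """Names of the pods the policy isolates; empty means it restricts nothing."""
    return [p.name for p in pods if policy_selects(policy, p)]


def peer_allows(peer: dict, src: Pod, policy_ns: str, namespaces: dict) -> bool:
    """One ingress[].from[] entry. namespaceSelector and podSelector in the same
    entry are ANDed; a podSelector alone is scoped to the policy's own namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None:
        ns_ok = match_labels(ns_sel.get("matchLabels", {}), namespaces.get(src.namespace, {}))
    else:
        ns_ok = src.namespace == policy_ns
    pod_ok = pod_sel is None or match_labels(pod_sel.get("matchLabels", {}), src.labels)
    return ns_ok and pod_ok


def ingress_allowed(src: Pod, dst: Pod, policies: list, namespaces: dict) -> bool:
    """True if src may send to dst. No selecting Ingress policy: dst is not
    isolated, everything allowed. Otherwise at least one `from` entry of one
    selecting policy must match; a rule with no `from` admits all sources; a
    selecting policy with no ingress rules at all denies everything."""
    selecting = [
        p for p in policies
        if policy_selects(p, dst) and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
    ]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True
            if any(peer_allows(peer, src, policy["metadata"]["namespace"], namespaces) for peer in peers):
                return True
    return False


# The deny-ns2 policy from the question, as a dict.
DENY_NS2 = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-ns2", "namespace": "ns3"},
    "spec": {
        "podSelector": {"matchLabels": {"environment": "test"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"permission": "allowed"}}}]}],
    },
}

# Constructed cluster state: the post shows no pod or namespace labels, so
# these are assumptions picked to show both outcomes.
NAMESPACES = {"ns1": {"permission": "allowed"}, "ns2": {}, "ns3": {}}
NGINX_UNLABELLED = Pod("new-deploy-7c577ddf69-hvnkb", "ns3", {"app": "new-deploy"})
NGINX_LABELLED = Pod("nginx-test", "ns3", {"app": "new-deploy", "environment": "test"})
CLIENT_NS2 = Pod("new-deploy-7c577ddf69-4hnx5", "ns2", {"app": "new-deploy"})
CLIENT_NS1 = Pod("new-deploy-7c577ddf69-nsptf", "ns1", {"app": "new-deploy"})


def scenarios() -> dict:
    policies = [DENY_NS2]
    return {
        "ns2 -> ns3 pod without environment=test": ingress_allowed(CLIENT_NS2, NGINX_UNLABELLED, policies, NAMESPACES),
        "ns2 -> ns3 pod with environment=test": ingress_allowed(CLIENT_NS2, NGINX_LABELLED, policies, NAMESPACES),
        "ns1 -> ns3 pod with environment=test": ingress_allowed(CLIENT_NS1, NGINX_LABELLED, policies, NAMESPACES),
    }


if __name__ == "__main__":
    print("pods isolated by deny-ns2:", selected_pods(DENY_NS2, [NGINX_UNLABELLED, NGINX_LABELLED, CLIENT_NS2]))
    for label, allowed in scenarios().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

On a live cluster the equivalent checks are `kubectl get pods -n ns3 -l environment=test` (does the podSelector match anything at all?) and `kubectl get ns -l permission=allowed`, followed by the curl from the question with `--max-time 5` so that a correctly denied connection fails quickly instead of hanging. If the selector does match the nginx pods and the curl still succeeds, the remaining suspect is the CNI, since the API server stores the policy but does not enforce it.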
1 answer
Minikube usually starts with kubenet as its network plugin, which does not support network policies. I suggest starting minikube with a CNI so that a CNI supporting network policies is installed. Network policies are implemented by the network plugin. Click Prerequisites to learn more about network policies.