Kubernetes: why is my NetworkPolicy not applied on my Calico-enabled minikube cluster?

2ic8powd posted on 2023-08-03 in Kubernetes

I am using Calico on minikube, following these instructions:
https://docs.tigera.io/calico/latest/getting-started/kubernetes/minikube
I have followed the verification steps and confirmed that I see the expected output. I have an nginx deployment running in 3 namespaces. Here is the output of kubectl get pods -A:

NAMESPACE     NAME                                      READY   STATUS    RESTARTS      AGE
kube-system   calico-kube-controllers-949d58b75-n52zg   1/1     Running   0             15m
kube-system   calico-node-s7xqh                         1/1     Running   0             15m
kube-system   coredns-787d4945fb-zldh9                  1/1     Running   0             17m
kube-system   etcd-minikube                             1/1     Running   0             17m
kube-system   kube-apiserver-minikube                   1/1     Running   0             17m
kube-system   kube-controller-manager-minikube          1/1     Running   0             17m
kube-system   kube-proxy-2lskh                          1/1     Running   0             17m
kube-system   kube-scheduler-minikube                   1/1     Running   0             17m
kube-system   storage-provisioner                       1/1     Running   1 (17m ago)   17m
ns1           new-deploy-7c577ddf69-nsptf               1/1     Running   0             4m17s
ns1           new-deploy-7c577ddf69-rdj4s               1/1     Running   0             4m17s
ns2           new-deploy-7c577ddf69-4hnx5               1/1     Running   0             4m16s
ns2           new-deploy-7c577ddf69-wwqm5               1/1     Running   0             4m16s
ns3           new-deploy-7c577ddf69-hvnkb               1/1     Running   0             4m14s
ns3           new-deploy-7c577ddf69-s92q5               1/1     Running   0             4m14s

I have defined this network policy in ns3:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-ns2
  namespace: ns3
spec:
  podSelector:
    matchLabels:
      environment: test
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          permission: allowed


I confirmed that it was applied by running kubectl describe networkpolicy -n ns3. Here is the output:

Name:         deny-ns2
Namespace:    ns3
Created on:   2023-07-10 13:28:50 +0200 CEST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     environment=test
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: permission=allowed
  Not affecting egress traffic
  Policy Types: Ingress


Why can I ping from a pod in ns2 to ns3 and get a response without being blocked? Below is the command I used; it returns the nginx response, which I expected not to work.

kubectl exec --namespace ns2 new-deploy-7c577ddf69-4hnx5 -- curl IP_POD_IN_NS3

w9apscun (answer 1):

Minikube normally starts with kubenet as its network plugin, which does not support network policies. I recommend installing a CNI that supports network policies using minikube with cni. Network policies are implemented by the network plugin. Click Prerequisites to learn more about network policies.
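The expected behaviour of the deny-ns2 policy, as an added example that is not part of the question or answer: it evaluates the NetworkPolicy API semantics offline to show which pods the policy selects and which sources it admits. Pod and namespace labels are constructed assumptions; the verdicts are what the API promises, and enforcing them is still the CNI's job.

```python
# Added example, not from the post: pod/namespace labels are constructed assumptions.
def labels_match(selector, labels):
    """matchLabels semantics; an empty or missing selector matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

# The deny-ns2 policy from the question, as a plain dict (no YAML parser needed).
DENY_NS2 = {
    "metadata": {"name": "deny-ns2", "namespace": "ns3"},
    "spec": {
        "podSelector": {"matchLabels": {"environment": "test"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"permission": "allowed"}}}]}],
    },
}

def selects(policy, ns, pod_labels):
    """A policy applies only to pods in its own namespace that match podSelector."""
    return policy["metadata"]["namespace"] == ns and labels_match(policy["spec"]["podSelector"], pod_labels)

def ingress_allowed(policies, dst_ns, dst_labels, src_ns, src_ns_labels, src_pod_labels):
    applicable = [p for p in policies if selects(p, dst_ns, dst_labels)
                  and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not applicable:
        return True  # no ingress policy selects the pod: default allow
    for p in applicable:  # policies are additive: any matching rule allows
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without 'from' admits every source
            for peer in peers:
                if "ipBlock" in peer:
                    continue  # ipBlock peers are not modelled here (assumption)
                if "namespaceSelector" in peer:
                    ns_ok = labels_match(peer["namespaceSelector"], src_ns_labels)
                else:
                    ns_ok = src_ns == dst_ns  # podSelector alone: same namespace only
                pod_ok = "podSelector" not in peer or labels_match(peer["podSelector"], src_pod_labels)
                if ns_ok and pod_ok:
                    return True
    return False

NGINX_NS3 = {"app": "nginx", "environment": "test"}  # constructed: carries the selected label
SRC = {"app": "nginx"}  # constructed labels of the ns2 client pod

def verdicts():
    """What the API promises for three cases worth checking before blaming the CNI."""
    return {
        "ns2_unlabelled": ingress_allowed([DENY_NS2], "ns3", NGINX_NS3, "ns2", {}, SRC),
        "ns2_permission_allowed": ingress_allowed([DENY_NS2], "ns3", NGINX_NS3, "ns2", {"permission": "allowed"}, SRC),
        "dst_pod_not_selected": ingress_allowed([DENY_NS2], "ns3", {"app": "nginx"}, "ns2", {}, SRC),
    }
```

If the destination pods lack the environment=test label the policy selects nothing, so the first thing to compare against these verdicts is kubectl get pods -n ns3 --show-labels; only once the pod is selected does an allowed curl point at enforcement.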
