Kubernetes networking / network policy
2021-01-10 00:30
Original article: https://www.cnblogs.com/mountain2011/p/13513341.html

Contents: using nslookup with the busybox image; Network Policy; deny all ingress requests; allow all ingress requests; deny all egress requests; allow all egress requests.

★ When using nslookup, use the following image.
Download: wget https://kubernetes.io/examples/admin/dns/busybox.yaml

apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - name: busybox
    image: busybox:1.28
    # sleep keeps the container running so that commands can be exec'd into it
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
  restartPolicy: Always

Look up a Service's IP with nslookup: kubectl exec -it busybox -- nslookup my-svc

★ [Network Policy]
Network policies are divided into Ingress and Egress policy controls; both are whitelists.
• Ingress controls inbound requests
• Egress controls outbound requests

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  # the policy applies to pods labelled role=db in the default namespace
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # the three entries under "from" are alternatives (OR); the port list must also match
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

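★ Deny all ingress requests

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  # an empty podSelector selects every pod in the namespace
  podSelector: {}
  # Ingress is listed but no ingress rule is given, so nothing is whitelisted
  policyTypes:
  - Ingress
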
★ Allow all ingress requests

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  # a single empty rule matches every source and every port
  ingress:
  - {}

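★ Deny all egress requests

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  # Egress is listed but no egress rule is given, so nothing is whitelisted
  policyTypes:
  - Egress
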
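★ Allow all egress requests

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  # despite the name, the empty egress rule below allows all outbound traffic
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Egress
  # a single empty rule matches every destination and every port
  egress:
  - {}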
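
How the whitelist rules above are evaluated, as an added example that is not part of the original article: a small Python model of the ingress side of test-network-policy, default-deny and allow-all. The dict layout, the sample sources and the function names are assumptions; matchExpressions and named ports are not modelled.

```python
import ipaddress

# The page's ingress rules as plain dicts (constructed model, ingress side only).
TEST_POLICY = {"policyTypes": ["Ingress", "Egress"], "ingress": [{
    "from": [
        {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
        {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}},
    ],
    "ports": [{"protocol": "TCP", "port": 6379}],
}]}
DEFAULT_DENY = {"policyTypes": ["Ingress"]}                # no ingress rules at all
ALLOW_ALL = {"policyTypes": ["Ingress"], "ingress": [{}]}  # one empty rule

def labels_match(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, policy_ns):
    """True if the source matches one entry of a rule's `from` list."""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        in_cidr = ip in ipaddress.ip_network(block["cidr"])
        carved_out = any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
        return in_cidr and not carved_out
    if "namespaceSelector" in peer:
        ok = src["namespace"] is not None and labels_match(peer["namespaceSelector"], src["ns_labels"])
    else:  # a podSelector on its own only selects pods in the policy's namespace
        ok = src["namespace"] == policy_ns
    return ok and labels_match(peer.get("podSelector", {}), src["pod_labels"])

def ingress_allowed(policy, src, port, protocol="TCP", policy_ns="default"):
    """Whitelist decision for a pod that `policy` selects."""
    if "Ingress" not in policy.get("policyTypes", ["Ingress"]):
        return True  # the policy does not isolate the pod for ingress
    for rule in policy.get("ingress", []):
        peers, ports = rule.get("from"), rule.get("ports")
        peer_ok = not peers or any(peer_matches(p, src, policy_ns) for p in peers)
        port_ok = not ports or any(p.get("port") in (None, port)
                                   and p.get("protocol", "TCP") == protocol for p in ports)
        if peer_ok and port_ok:
            return True  # entries of `from` are ORed; `from` and `ports` are ANDed
    return False         # isolated and no rule matched: denied

# Constructed sample sources (hypothetical addresses and labels).
EXTERNAL = {"ip": "172.17.5.9", "namespace": None, "ns_labels": {}, "pod_labels": {}}
EXCEPTED = dict(EXTERNAL, ip="172.17.1.20")
FRONTEND = dict(EXTERNAL, ip="10.244.1.7", namespace="default", pod_labels={"role": "frontend"})
PROJECT = dict(EXTERNAL, ip="10.244.2.3", namespace="shop", ns_labels={"project": "myproject"})
STRANGER = dict(FRONTEND, ip="10.244.3.3", namespace="dev")
```

STRANGER carries the role=frontend label but runs in another namespace, so the bare podSelector entry does not admit it; EXCEPTED falls inside the /16 but is removed by the except range.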