参考文档
https://kubernetes.io/zh-cn/docs/concepts/services-networking/network-policies/
https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md
规划
pod访问情况 | default nginx | 备注 |
---|---|---|
nginx-dp | √ | 成功 |
tomcat-dp | × | 成功 |
efk nginx-efk | × | 成功 |
efk tomcat-efk | √ | 成功 |
# Namespace that hosts the "efk" test pods. The label is what the NetworkPolicy's
# namespaceSelector (efk-app: efk) matches on; the namespace *name* plays no part.
kubectl create namespace efk
kubectl label namespace efk efk-app=efk
#cat nginx_tomcat.yaml
# nginx: the workload the NetworkPolicy in this file protects (its podSelector
# is app=nginx).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image resolves to :latest, and with IfNotPresent each node
          # keeps whatever it has cached, so nodes can end up on different builds.
          # Pin a tag or digest when the test needs to be reproducible.
          image: nginx
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
# Service in front of the nginx pods (no type set, so the API default applies).
# The NetworkPolicy is enforced at the pod, so traffic arriving via this Service
# is filtered exactly like direct pod-to-pod traffic.
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
# nginx-dp: same namespace as nginx, expected to be ALLOWED (table row nginx-dp).
# The NetworkPolicy's podSelector names only app=nginx-dp; a pod matches when it
# carries every label listed in the selector, so the extra app2 label is simply
# ignored. It is not an "either one of the two labels" match: matchLabels entries
# are ANDed, which is also why the Deployment selector below must list both.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-dp
      app2: nginx-dp-two
  template:
    metadata:
      labels:
        app: nginx-dp
        app2: nginx-dp-two
    spec:
      containers:
        - name: nginx-dp
          # Untagged image (:latest); pin a tag or digest for reproducible runs.
          image: nginx
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
# tomcat-dp: same namespace as nginx but carries neither app=nginx-dp nor the
# efk namespace label, so the policy blocks it (table row tomcat-dp: ×).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-dp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat-dp
  template:
    metadata:
      labels:
        app: tomcat-dp
    spec:
      containers:
        - name: tomcat-dp
          # Untagged image (:latest); pin a tag or digest for reproducible runs.
          image: tomcat
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
---
# nginx-efk: lives in the efk namespace (which matches the policy's
# namespaceSelector) but is not labelled app=tomcat-efk, so the ANDed
# namespace+pod rule does not admit it (table row "efk nginx-efk": ×).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-efk
  namespace: efk
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-efk
  template:
    metadata:
      labels:
        app: nginx-efk
    spec:
      containers:
        - name: nginx-efk
          # Untagged image (:latest); pin a tag or digest for reproducible runs.
          image: nginx
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
# tomcat-efk: in the efk namespace AND labelled app=tomcat-efk, so it satisfies
# both halves of the policy's namespace+pod rule (table row "efk tomcat-efk": √).
# The app2 label is extra and irrelevant to the policy, which lists only app.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-efk
  namespace: efk
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat-efk
      app2: tomcat-efk-two
  template:
    metadata:
      labels:
        app: tomcat-efk
        app2: tomcat-efk-two
    spec:
      containers:
        - name: tomcat-efk
          # Untagged image (:latest); pin a tag or digest for reproducible runs.
          image: tomcat
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
---
# Ingress policy for the nginx pods. No metadata.namespace is set, so the policy
# lives in whatever namespace it is applied to (the table above calls it
# "default") and only selects pods there. It is enforced only if the cluster's
# CNI plugin implements NetworkPolicy; on a CNI without support it is accepted
# by the API server but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx  # arbitrary policy name; unrelated to the Deployment called nginx
spec:
  # Pods the policy applies to. An empty podSelector ({}) would select every pod
  # in the namespace.
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
    # Once Ingress is listed, the selected pods deny all inbound traffic except
    # what the ingress rules below allow. Pods selected by no policy at all keep
    # accepting everything.
    - Ingress
    # - Egress  # enable together with an egress: section (example at the end)
  ingress:
    - from:
        # - ipBlock:  # allow by source CIDR instead of by label
        #     cidr: 10.102.0.0/16
        #     except:
        #       - 10.102.73.130/32
        # namespaceSelector and podSelector in the SAME list item are ANDed:
        # only pods labelled app=tomcat-efk inside namespaces labelled
        # efk-app=efk (the namespace's label, not its name) are admitted.
        # Written as a separate "- podSelector:" item it would become an OR and
        # would match pods in this policy's own namespace instead.
        - namespaceSelector:
            matchLabels:
              efk-app: efk
          podSelector:
            matchLabels:
              app: tomcat-efk
        # Second peer: pods in the policy's own namespace carrying app=nginx-dp.
        - podSelector:
            matchLabels:
              app: nginx-dp
      # Applies to every peer in this rule: only TCP/80 is opened.
      ports:
        - protocol: TCP
          port: 80
  # Egress example: restricts what the selected pods may reach. Either leave
  # Egress out of policyTypes (outbound unrestricted) or list it AND write the
  # rules; Egress in policyTypes with no egress: section denies all outbound.
  # egress:
  #   - to:
  #       - ipBlock:
  #           cidr: 10.102.0.0/16
  #     ports:
  #       - protocol: TCP
  #         port: 5978