Introduction to NetworkPolicy
- We often need to isolate networks per tenant. Kubernetes provides the NetworkPolicy resource for defining network policies, which gives us tenant isolation as well as isolation between workloads inside one tenant. NetworkPolicy is policy-based network control used to isolate applications and reduce the attack surface: it uses label selectors to emulate a traditional segmented network and controls the traffic between segments, and the traffic arriving from outside, through policy. Note that NetworkPolicy is only enforced when the cluster's network plugin (CNI) supports it, for example Calico, Romana, Weave Net or Trireme; with a plugin that does not, the objects are accepted by the API server but have no effect at all.
Resource specification
```yaml
apiVersion: networking.k8s.io/v1   # API group and version the resource belongs to
kind: NetworkPolicy                # resource type; a namespaced resource
metadata:                          # resource metadata
  name: <string>                   # resource name
  namespace: <string>              # NetworkPolicy is a namespaced resource
spec:                              # desired state
  podSelector: <Object>            # required; the Pods in this namespace the policy applies to;
                                   # an empty selector ({}) selects every Pod in the namespace
  policyTypes: <[]string>          # "Ingress" makes the ingress field take effect, "Egress" the
                                   # egress field; listing both makes both take effect
  ingress: <[]Object>              # allow-list of inbound rules; an empty list allows nothing
  - from: <[]Object>               # list of peers; an empty list means every source
    - ipBlock: <Object>            # peers inside an IP CIDR; cannot be combined with the other two fields
    - namespaceSelector: <Object>  # peers in the namespaces matched by the selector
      podSelector: <Object>        # peers matched by Pod labels; combined with namespaceSelector the two
                                   # are ANDed, on its own it is scoped to the policy's namespace, and an
                                   # empty selector ({}) matches every Pod (it does not mean "none")
    ports: <[]Object>              # list of ports; an empty list means every port and protocol
  egress: <[]Object>               # allow-list of outbound rules; an empty list allows nothing
  - to: <[]Object>                 # list of peers, same format as ingress.from; an empty list means every destination
    ports: <[]Object>              # list of ports; an empty list means every port and protocol
```
Policy matching rules:
1. Rules and policies have no order or weight; the sequence in which they are written does not matter.
2. Policies are additive. Once a Pod is selected by any policy for a direction it is isolated in that direction, and traffic is then allowed if at least one rule of at least one applicable policy allows it, otherwise denied. There is no explicit deny rule, so the most permissive matching rule always wins.
```
# Test access from the default namespace to the dev namespace
[root@k8s-master Network]# kubectl get pod -o wide
NAME                              READY   STATUS    RESTARTS   AGE   IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-fb544c5d8-r7pc8   1/1     Running   0          28h   192.168.51.1   k8s-node3   <none>           <none>
deployment-demo-fb544c5d8-splfr   1/1     Running   0          28h   192.168.12.1   k8s-node2   <none>           <none>
[root@k8s-master ~]# kubectl get pod -o wide -n dev
NAME                               READY   STATUS    RESTARTS   AGE    IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-867c7d9d55-kzctj   1/1     Running   0          134m   192.168.51.4   k8s-node3   <none>           <none>
deployment-demo-867c7d9d55-l88qg   1/1     Running   0          134m   192.168.12.2   k8s-node2   <none>           <none>
# Without any policy, Pods in default and dev can talk to each other
[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
```
- Label every namespace. The policies below select namespaces by a name=<namespace> label that has to be set by hand here; clusters from Kubernetes 1.21 onward also set kubernetes.io/metadata.name automatically, which can be used instead.
```
[root@k8s-master Network]# kubectl label ns default name=default
namespace/default labeled
[root@k8s-master Network]# kubectl label ns kube-system name=kube-system
namespace/kube-system labeled
[root@k8s-master Network]# kubectl get ns --show-labels
NAME              STATUS   AGE    LABELS
default           Active   3d9h   name=default
dev               Active   45h    name=dev
kube-node-lease   Active   3d9h   name=kube-node-lease
kube-public       Active   3d9h   name=kube-public
kube-system       Active   3d9h   name=kube-system
test              Active   38h    name=test
......
```
Example 1: denying all inbound traffic
- NetworkPolicy is a standard Kubernetes resource. To show that policies combine additively, first add a policy intended to deny all traffic in the dev namespace:
```
[root@k8s-master Network]# cat netpol-dev-denyall.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}                     # empty selector: applies to every Pod in dev
  policyTypes: ["Ingress", "Egress"]  # isolate the Pods in both directions
  egress:
  - to:
    - podSelector: {}                 # NOTE: an empty podSelector matches every Pod in dev, not "none"
  ingress:
  - from:
    - podSelector: {}                 # same here
[root@k8s-master Network]# kubectl apply -f netpol-dev-denyall.yaml
# Test connectivity between default and dev again
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
--- 192.168.12.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
# Every connection from default fails
```
- Caveat: the manifest's original comments (and `kubectl describe`, which prints an empty selector as `PodSelector: <none>`) suggest that `podSelector: {}` inside `from`/`to` matches nothing. It does not. An empty selector matches every Pod, so this policy still allows all traffic between Pods inside dev and only blocks traffic that crosses the namespace boundary, which is why the cross-namespace tests above fail. A policy that really denies everything leaves the rule lists empty (`ingress: []`, `egress: []`) or omits them while keeping both entries in `policyTypes`.
Example 2: a second NetworkPolicy that admits traffic into dev
- Rule 1: all traffic from namespaces whose label matches may reach every demoapp Pod in dev;
- Rule 2: every namespace except default may reach port 80 of those Pods;
- The two rules are ORed: a connection is allowed as soon as either rule matches, so the most permissive rule wins.
```
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp            # applies to Pods in dev carrying this label
  policyTypes: ["Ingress"]    # inbound traffic only
  ingress:
  - from:                     # rule 1
    - namespaceSelector:      # match namespaces by label
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard]   # e.g. name=dev, name=kube-system; default is not listed
#   - ipBlock:                # a further peer entry; Pods in this CIDR would be allowed as well (ORed with the selector above)
#       cidr: 192.168.0.0/16
  - from:                     # rule 2: any namespace other than default may reach port 80
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: ["default"]}   # traffic from default is not matched by this rule
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
demoapp-ingress    app=demoapp    38h
deny-all-ingress   <none>         8h
[root@k8s-master Network]# kubectl describe netpol demoapp-ingress -n dev
Name:         demoapp-ingress
Namespace:    dev
Created on:   2021-08-31 17:31:59 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=demoapp
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: name in (dev,kube-system,kubernetes-dashboard,logs,monitoring)
    ----------
    To Port: 80/TCP
    From:
      NamespaceSelector: name notin (default)
  Not affecting egress traffic
  Policy Types: Ingress
```
- Access from the default namespace to the dev namespace
Port 80 is still unreachable: no rule matches traffic coming from default
```
[root@k8s-master ~]# kubectl exec deployment-demo-fb544c5d8-splfr -it -- /bin/sh
[root@deployment-demo-fb544c5d8-splfr /]# curl 192.168.12.2
# fails
# ping fails as well: no matching rule
[root@deployment-demo-fb544c5d8-splfr /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
```
Add the default namespace to rule 1
```
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp            # applies to Pods in dev carrying this label
  policyTypes: ["Ingress"]    # inbound traffic only
  ingress:
  - from:                     # rule 1
    - namespaceSelector:      # match namespaces by label
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard,default]   # default added
#   - ipBlock:                # a further peer entry; Pods in this CIDR would be allowed as well
#       cidr: 192.168.0.0/16
  - from:                     # rule 2: any namespace other than default may reach port 80
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: ["default"]}   # traffic from default is not matched by this rule
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
# Test access from default to dev again
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
64 bytes from 192.168.12.2: seq=0 ttl=62 time=2.563 ms
64 bytes from 192.168.12.2: seq=1 ttl=62 time=0.758 ms
64 bytes from 192.168.12.2: seq=2 ttl=62 time=0.726 ms
64 bytes from 192.168.12.2: seq=3 ttl=62 time=0.457 ms
```
- Rule 1 now matches traffic from default and, having no port restriction, is the most permissive match: default gets full access to the dev Pods, ICMP included.
- Remove default from rule 1 again and change the namespace excluded by rule 2 from default to logs
```
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp            # applies to Pods in dev carrying this label
  policyTypes: ["Ingress"]    # inbound traffic only
  ingress:
  - from:                     # rule 1
    - namespaceSelector:      # match namespaces by label
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard]   # e.g. name=dev, name=kube-system
#   - ipBlock:                # a further peer entry; Pods in this CIDR would be allowed as well
#       cidr: 192.168.0.0/16
  - from:                     # rule 2: any namespace other than logs may reach port 80
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: ["logs"]}   # traffic from logs is not matched by this rule
    ports:
    - protocol: TCP
      port: 80
```
Test access from the default namespace to the dev namespace
```
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
```
- ping fails because no rule admits ICMP from default: rule 1 no longer lists default, and rule 2 only covers TCP port 80. curl succeeds because rule 2 now matches every namespace except logs, which includes default.
Example 3: egress rules
```
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
demoapp-egress     app=demoapp    104s
deny-all-ingress   <none>         2d11h
# Inspect the NetworkPolicy in dev
[root@k8s-master Network]# kubectl describe netpol deny-all-ingress -n dev
Name:         deny-all-ingress
Namespace:    dev
Created on:   2021-09-01 23:34:49 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      PodSelector: <none>
  Allowing egress traffic:
    To Port: <any> (traffic allowed to all ports)
    To:
      PodSelector: <none>
  Policy Types: Ingress, Egress
[root@k8s-master Network]# kubectl get pod -n dev
NAME                               READY   STATUS    RESTARTS   AGE
deployment-demo-867c7d9d55-kzctj   1/1     Running   0          3d21h
deployment-demo-867c7d9d55-l88qg   1/1     Running   0          3d21h
[root@k8s-master ~]# kubectl get pod -o wide
NAME                              READY   STATUS    RESTARTS   AGE     IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-fb544c5d8-r7pc8   1/1     Running   0          4d23h   192.168.51.1   k8s-node3   <none>           <none>
deployment-demo-fb544c5d8-splfr   1/1     Running   0          4d23h   192.168.12.1   k8s-node2   <none
```
Access from the dev namespace to the default namespace
```
[root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
^C
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
^C
[root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1
PING 192.168.51.1 (192.168.51.1): 56 data bytes
^C
packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
^C
```
- All outbound traffic fails, DNS included: the deny-all policy's egress rule only reaches Pods inside dev, so cluster DNS in kube-system is unreachable as well.
Create an egress policy
```
[root@k8s-master Network]# cat netpol-dev-demoapp-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-egress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp
  policyTypes: ["Egress"]   # outbound traffic
  egress:
  - to:                     # DNS to anywhere
    ports:
    - protocol: UDP
      port: 53
  - to:                     # separate `to` entries are ORed; the fields inside one peer entry are ANDed
    - podSelector:
        matchLabels:
          app: redis        # label of the destination Pods
    ports:
    - protocol: TCP         # app=redis Pods on port 6379
      port: 6379
  - to:                     # port 80 to anywhere
#   - podSelector:          # commented out: with it in place the test below failed
#       matchLabels:
#         app: demoapp
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-egress.yaml
networkpolicy.networking.k8s.io/demoapp-egress created
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
demoapp-egress     app=demoapp    20m
deny-all-ingress   <none>         2d12h
[root@k8s-master Network]# kubectl describe netpol demoapp-egress -n dev
Name:         demoapp-egress
Namespace:    dev
Created on:   2021-09-04 12:35:07 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=demoapp
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port: 53/UDP
    To: <any> (traffic not restricted by source)
    ----------
    To Port: 6379/TCP
    To:
      PodSelector: app=redis
    ----------
    To Port: 80/TCP
    To: <any> (traffic not restricted by source)
  Policy Types: Egress
```
- The commented-out podSelector failed for a reason, not by accident: a podSelector without a namespaceSelector only matches Pods in the policy's own namespace (dev), while the curl target below lives in default. To reach app=demoapp Pods in default on port 80, put a namespaceSelector for default and the podSelector in the same peer entry.
Test outbound access again, from the dev namespace to the default namespace
```
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1   # ICMP is not allowed by any rule, so it fails
PING 192.168.51.1 (192.168.51.1): 56 data bytes
^C
packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
Server:    10.96.0.10
Address:   10.96.0.10#53
```
Example 4: combined ingress and egress control
```
[root@k8s-master Network]# cat netpol-stage-default.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default
  namespace: dev
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]   # rules for both directions
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: [stage,kube-system,logs,monitoring,kubernetes-dashboard]   # default is not listed
  egress:
  - to:
    ports:
    - protocol: UDP
      port: 53
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          component: kube-apiserver
    ports:
    - protocol: TCP
      port: 80
  - to:
    - namespaceSelector:
        matchLabels:
          name: default          # all outbound traffic to default is allowed
[root@k8s-master Network]# kubectl apply -f netpol-stage-default.yaml
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
default            <none>         7m13s
deny-all-ingress   <none>         2d14h
[root@k8s-master Network]# kubectl describe netpol default -n dev
Name:         default
Namespace:    dev
Created on:   2021-09-04 13:32:21 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: name in (kube-system,kubernetes-dashboard,logs,monitoring,stage)
  Allowing egress traffic:
    To Port: 53/UDP
    To: <any> (traffic not restricted by source)
    ----------
    To Port: 80/TCP
    To:
      NamespaceSelector: name=kube-system
      PodSelector: component=kube-apiserver
    ----------
    To Port: <any> (traffic allowed to all ports)
    To:
      NamespaceSelector: name=default
  Policy Types: Ingress, Egress
```
- Caveat: the second egress rule (kube-apiserver on TCP 80) is not exercised by the tests below and is unlikely to work as written. The API server serves on 6443 by default, and because it runs as a host-network static Pod, traffic to the kubernetes Service ends up at a node address that a podSelector does not cover on most plugins. Verify such a rule explicitly before relying on it.
Test outbound access from the dev namespace to the default namespace
```
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
Server:    10.96.0.10
Address:   10.96.0.10#53

Name:      kube-dns.kube-system.svc.cluster.local
Address:   10.96.0.10
# Test inbound access from the default namespace to dev
[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4
^C
```
- Outbound DNS and traffic to default succeed, while inbound traffic from default fails because default is absent from the ingress namespace list.
GlobalNetworkPolicy: cluster-wide access policy
A Calico custom resource type
Although its feature set keeps growing, the Kubernetes NetworkPolicy resource still has real limitations: it has no explicit deny rule, lacks advanced selector expressions, does not support application-layer rules, and has no cluster-wide policy. To work around these limits, Calico and others provide their own policy CRDs, including NetworkPolicy and GlobalNetworkPolicy. Calico's NetworkPolicy CRD offers a larger feature set than the Kubernetes NetworkPolicy
API, including deny rules, rule evaluation order and application-layer rules, but these resources have to be created with calicoctl.
GlobalNetworkPolicy selects the endpoints it applies to with selector, serviceAccountSelector or namespaceSelector; the default is all(), i.e. every endpoint in the cluster. The manifest below (globalnetworkpolicy-demo.yaml) defines a generic policy for the non-system namespaces (this example assumes the system namespaces are kube-system, kubernetes-dashboard, logs and monitoring).
Resource specification:
```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: namespaces-default
spec:
  order: 0.0            # order in which overlapping policies are evaluated: lower numbers go first and
                        # the first rule that matches decides, so an earlier policy overrides a later one
  # the policy applies to every endpoint outside the listed namespaces
  namespaceSelector: name not in {"kube-system", "kubernetes-dashboard", "logs", "monitoring"}
  types: ["Ingress", "Egress"]
  ingress:              # inbound rules
  - action: Allow       # allow-list
    source:             # the selected endpoints may be reached on any port from every endpoint in the system namespaces
      namespaceSelector: name in {"kube-system", "kubernetes-dashboard", "logs", "monitoring"}
  egress:               # outbound rules
  - action: Allow       # allow everything
```
```
[root@k8s-master Network]# kubectl api-resources   # list the resource types
NAME                            SHORTNAMES   APIGROUP                NAMESPACED   KIND
......
bgpconfigurations                            crd.projectcalico.org   false        BGPConfiguration
bgppeers                                     crd.projectcalico.org   false        BGPPeer
blockaffinities                              crd.projectcalico.org   false        BlockAffinity
clusterinformations                          crd.projectcalico.org   false        ClusterInformation
felixconfigurations                          crd.projectcalico.org   false        FelixConfiguration
globalnetworkpolicies                        crd.projectcalico.org   false        GlobalNetworkPolicy
globalnetworksets                            crd.projectcalico.org   false        GlobalNetworkSet
hostendpoints                                crd.projectcalico.org   false        HostEndpoint
ipamblocks                                   crd.projectcalico.org   false        IPAMBlock
ipamconfigs                                  crd.projectcalico.org   false        IPAMConfig
ipamhandles                                  crd.projectcalico.org   false        IPAMHandle
ippools                                      crd.projectcalico.org   false        IPPool
kubecontrollersconfigurations                crd.projectcalico.org   false        KubeControllersConfiguration
networkpolicies                              crd.projectcalico.org   true         NetworkPolicy
networksets                                  crd.projectcalico.org   true         NetworkSet
```
Example 5: a GlobalNetworkPolicy with Ingress and Egress rules
```
[root@k8s-master Network]# kubectl get netpol -n dev     # remember to delete all earlier NetworkPolicies first
No resources found in dev namespace.
[root@k8s-master Network]# cat globalnetworkpolicy-demo.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy          # Calico resource; cluster-wide, not namespaced
metadata:
  name: namespaces-default
spec:
  order: 0.0                       # priority
  namespaceSelector: name not in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}   # namespaces the policy applies to
  types: ["Ingress","Egress"]
  ingress:
  - action: Allow                  # Allow; unlike Kubernetes NetworkPolicy, Calico also offers Deny
    source:
      namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}   # traffic from these namespaces is allowed
  egress:
  - action: Allow                  # all outbound traffic is allowed
[root@k8s-master Network]# calicoctl apply -f globalnetworkpolicy-demo.yaml
Successfully applied 1 'GlobalNetworkPolicy' resource(s)
[root@k8s-master Network]# calicoctl get GlobalNetworkPolicy
NAME
namespaces-default
[root@k8s-master Network]# calicoctl get GlobalNetworkPolicy -o yaml
apiVersion: projectcalico.org/v3
items:
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    creationTimestamp: "2021-09-04T06:06:50Z"
    name: namespaces-default
    resourceVersion: "1214207"
    uid: 94d3fa70-c7c3-4333-a926-2656ada9d8e7
  spec:
    egress:
    - action: Allow
      destination: {}
      source: {}
    ingress:
    - action: Allow
      destination: {}
      source:
        namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}
    namespaceSelector: name not in { "kube-system","kubernetes-dashboard","logs","monitoring","dev"}
    order: 0
    types:
    - Ingress
    - Egress
kind: GlobalNetworkPolicyList
metadata:
  resourceVersion: "1216067"
```
Test access from the test namespace to the default namespace
```
[root@k8s-master Network]# kubectl get pod -n test
NAME                               READY   STATUS    RESTARTS   AGE
deployment-demo-867c7d9d55-72p8r   1/1     Running   0          2d16h
deployment-demo-867c7d9d55-8pf7z   1/1     Running   0          2d16h
[root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-72p8r -n test -it -- /bin/sh
[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
^C
[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
^C
```
- Access fails: the policy selects the Pods in default (default is not among the excluded namespaces) and its ingress rule only admits sources in kube-system, kubernetes-dashboard, logs, monitoring and dev. test is not in that list, so no rule matches and Calico drops the traffic.
- Test access from the dev namespace to the default namespace
```
[root@k8s-master ~]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
```
- dev is in the source list, so the ingress rule matches and the requests succeed; dev itself is excluded from the policy, so its outbound traffic is not restricted at all.
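To make the ordering semantics concrete, here is a small evaluator, added as an example and not code from the page or from Calico, that models how Calico reaches a verdict: policies that select an endpoint are walked in ascending `order`, the first rule that matches decides with its `action`, and an endpoint that is selected by some policy for a direction but matched by no rule is denied, while an endpoint selected by no policy falls through to its profile and is allowed. Selectors are written as Python predicates over the namespace name instead of Calico's `name in {...}` syntax; labels, the `Pass` action, profiles and host endpoints are left out. The `deny-dev-into-default` policy is a hypothetical addition used only to show that a lower `order` beats the page's `namespaces-default` policy, something the additive Kubernetes NetworkPolicy model cannot express. It reproduces the two test results above (test to default denied, dev to default allowed).

```python
"""Offline evaluator for Calico GlobalNetworkPolicy ordering (added example, not page code)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

NsPredicate = Callable[[str], bool]  # stands in for a Calico namespaceSelector expression


@dataclass
class Endpoint:
    namespace: str
    name: str


@dataclass
class Rule:
    action: str                            # "Allow" or "Deny"
    peer_ns: Optional[NsPredicate] = None  # source (ingress) / destination (egress) filter; None = any


@dataclass
class GlobalPolicy:
    name: str
    order: float                           # lower values are evaluated first
    applies_to: NsPredicate                # spec.namespaceSelector: which endpoints the policy selects
    types: tuple
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


def evaluate(policies, endpoint, peer, direction):
    """Verdict for one endpoint in one direction: walk selecting policies by ascending order,
    the first matching rule decides; selected but unmatched means Deny; unselected means Allow."""
    selected = sorted((p for p in policies if direction in p.types and p.applies_to(endpoint.namespace)),
                      key=lambda p: p.order)
    if not selected:
        return "Allow"  # no policy applies, the endpoint's profile allows
    for policy in selected:
        for rule in (policy.ingress if direction == "Ingress" else policy.egress):
            if rule.peer_ns is None or rule.peer_ns(peer.namespace):
                return rule.action
    return "Deny"  # selected by at least one policy, matched by no rule


def allowed(policies, src, dst):
    """Calico checks the source's egress rules and the destination's ingress rules; both must allow."""
    return (evaluate(policies, src, dst, "Egress") == "Allow"
            and evaluate(policies, dst, src, "Ingress") == "Allow")


# globalnetworkpolicy-demo.yaml from the page, with its selectors expressed as predicates.
PROTECTED = {"kube-system", "kubernetes-dashboard", "logs", "monitoring", "dev"}
NAMESPACES_DEFAULT = GlobalPolicy(
    "namespaces-default", 0.0,
    applies_to=lambda ns: ns not in PROTECTED,                    # namespaceSelector: name not in {...}
    types=("Ingress", "Egress"),
    ingress=[Rule("Allow", peer_ns=lambda ns: ns in PROTECTED)],  # source.namespaceSelector: name in {...}
    egress=[Rule("Allow")])


def deny_dev_into_default(order):
    """Hypothetical policy (not on the page) that explicitly denies inbound traffic from dev
    to default; its `order` decides whether it is evaluated before namespaces-default."""
    return GlobalPolicy("deny-dev-into-default", order,
                        applies_to=lambda ns: ns == "default", types=("Ingress",),
                        ingress=[Rule("Deny", peer_ns=lambda ns: ns == "dev")])


# Endpoints named after the page's Pods
TEST_POD = Endpoint("test", "deployment-demo-867c7d9d55-72p8r")
DEV_POD = Endpoint("dev", "deployment-demo-867c7d9d55-l88qg")
DEFAULT_POD = Endpoint("default", "deployment-demo-fb544c5d8-r7pc8")

if __name__ == "__main__":
    print("test -> default:", allowed([NAMESPACES_DEFAULT], TEST_POD, DEFAULT_POD))
    print("dev  -> default:", allowed([NAMESPACES_DEFAULT], DEV_POD, DEFAULT_POD))
    for order in (-10.0, 10.0):
        print(f"dev -> default with Deny at order {order}:",
              allowed([NAMESPACES_DEFAULT, deny_dev_into_default(order)], DEV_POD, DEFAULT_POD))
```

The two `order` values are the whole point: at -10 the Deny is evaluated before the page's Allow and wins, at 10 the Allow is reached first and the Deny is never consulted. Keep explicit deny policies at a lower order than broad allow policies, or they are dead rules.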
Delete the GlobalNetworkPolicy afterwards, otherwise it interferes with later tests
```
[root@k8s-master Ingress]# kubectl get globalNetworkPolicy
NAME                         AGE
default.namespaces-default   7d22h
[root@k8s-master Ingress]# kubectl delete globalNetworkPolicy default.namespaces-default
globalnetworkpolicy.crd.projectcalico.org "default.namespaces-default" deleted
```