I'm learning about Kubernetes network policies. I'm trying to create a situation in which two pods in the same namespace have different network policies associated with them:
- pod A has ingress from anywhere
- pod B has ingress from nowhere (but eventually only from pod A)
I'm finding that Kubernetes seems to accept the network policies but not enforce them. The deployed pods use the ealen/echo-server:latest image, which echoes information about the environment it runs in, and I'm testing the policies by making an HTTP request from one pod to the other:
kubectl exec \
  -n private-networking \
  POD_A_NAME \
  -- wget -O - service-b.private-networking
If the policies were working, I would expect the call from A to B to fail with a timeout and the call from B to A to succeed. Currently they both succeed.
The cluster was deployed with Amazon EKS, and I'm not using Calico or anything else (although you'll see in the GitHub repository that I tried it).
The pods are deployed through Deployment objects that differ only in name. (Note that the pods are not deployed on Fargate.)
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-a
  namespace: private-networking
spec:
  selector:
    matchLabels:
      service: service-a
  template:
    metadata:
      labels:
        service: service-a
    spec:
      containers:
      - name: echo-a
        image: ealen/echo-server:latest
        resources:
          limits:
            memory: "128Mi"
            cpu: "100m"
        ports:
        - containerPort: 8080
        env:
        - name: PORT
          value: "8080"
The network policies applied are as follows, and they are also available on GitHub.
What am I missing?
---
# Deny all ingress and egress traffic across the board
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: private-networking
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Allow all pods in the namespace to egress traffic to kube-dns
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: private-networking
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-a-ingress-from-anywhere
  namespace: private-networking
spec:
  podSelector:
    matchLabels:
      service: service-a
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-a-egress-to-anywhere
  namespace: private-networking
spec:
  podSelector:
    matchLabels:
      service: service-a
  egress:
  - {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-b-ingress-from-nowhere
  namespace: private-networking
spec:
  podSelector:
    matchLabels:
      service: service-b
  policyTypes:
  - Ingress
  ingress: []
The answer to this question turned out to be installing Calico on the Amazon EKS cluster. I had misread the documentation, thinking that Calico was an optional add-on and that Amazon EKS clusters had a container network interface plugin installed by default.
It seems they don't.
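Once a policy-enforcing CNI is in place, the posted policies behave according to the Kubernetes NetworkPolicy model: a pod becomes isolated for a direction as soon as any policy selects it for that policyType, and a connection must pass both the source's egress check and the destination's ingress check. The evaluator below is an added example, not code from the question or its GitHub repository; it applies that model to the five policies above, with constructed pod names, IPs and namespace labels as assumptions.

```python
import ipaddress
# Constructed inventory (pod names, IPs and namespace labels are assumptions): pod -> (namespace, labels, IP)
PODS = {"pod-a": ("private-networking", {"service": "service-a"}, "10.0.1.10"),
        "pod-b": ("private-networking", {"service": "service-b"}, "10.0.1.11"),
        "kube-dns": ("kube-system", {"k8s-app": "kube-dns"}, "10.0.0.10")}
NS_LABELS = {"private-networking": {}, "kube-system": {}}
NS = "private-networking"
# The question's five policies (deny-all, allow-dns, service-a ingress, service-a egress,
# service-b ingress) reduced to the fields the evaluator reads; ports are (port, protocol).
POLICIES = [
    {"ns": NS, "podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    {"ns": NS, "podSelector": {}, "policyTypes": ["Egress"], "egress": [{"ports": [(53, "UDP")],
        "to": [{"namespaceSelector": {}, "podSelector": {"k8s-app": "kube-dns"}}]}]},
    {"ns": NS, "podSelector": {"service": "service-a"}, "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"ipBlock": "0.0.0.0/0"}], "ports": [(8080, "TCP")]}]},
    {"ns": NS, "podSelector": {"service": "service-a"}, "egress": [{}]},  # no policyTypes, as posted
    {"ns": NS, "podSelector": {"service": "service-b"}, "policyTypes": ["Ingress"], "ingress": []},
]
def selects(selector, labels):
    # matchLabels semantics: every pair must be present; an empty selector matches everything.
    return all(labels.get(k) == v for k, v in selector.items())
def policy_types(pol):
    # API default when policyTypes is omitted: Ingress, plus Egress only if egress rules exist.
    return pol.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in pol else [])

def peer_matches(peer, pol, pod):
    ns, labels, ip = PODS[pod]
    if "ipBlock" in peer: return ipaddress.ip_address(ip) in ipaddress.ip_network(peer["ipBlock"])
    # A bare podSelector only reaches pods in the policy's own namespace.
    ns_ok = selects(peer["namespaceSelector"], NS_LABELS[ns]) if "namespaceSelector" in peer else ns == pol["ns"]
    return ns_ok and selects(peer.get("podSelector", {}), labels)

def direction_allowed(pod, direction, other, port, proto):
    ns, labels, _ = PODS[pod]
    applicable = [p for p in POLICIES if p["ns"] == ns and selects(p["podSelector"], labels)
                  and direction in policy_types(p)]
    if not applicable: return True  # no policy selects this pod for this direction: not isolated
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for pol in applicable:
        for rule in pol.get(rules_key, []):  # an empty rule {} allows every peer and port
            peers, ports = rule.get(peer_key), rule.get("ports")
            if (peers is None or any(peer_matches(p, pol, other) for p in peers)) and (
                    ports is None or (port, proto) in ports):
                return True
    return False  # isolated, and no rule in any selecting policy allowed the connection

def verdict(src, dst, port, proto="TCP"):
    # (source egress check, destination ingress check); the connection passes only if both are True.
    return (direction_allowed(src, "Egress", dst, port, proto),
            direction_allowed(dst, "Ingress", src, port, proto))
```

Running verdict("pod-a", "pod-b", 8080) gives (True, False), the expected block on B's ingress, but verdict("pod-b", "pod-a", 8080) gives (False, True): deny-all isolates B for egress too and allow-dns only opens UDP 53 to kube-dns, so B to A is blocked on B's side even though A accepts it. An egress rule for service-b (or dropping Egress from deny-all) is needed before the B to A call can succeed.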