Question
Task 1 (a question likely to appear on the exam)
In the existing namespace my-app, create a new NetworkPolicy named allow-port-from-namespace.
Ensure the new NetworkPolicy allows Pods in namespace echo to connect to port 9000 of Pods in namespace my-app.
Further ensure the new NetworkPolicy:
does not allow access to Pods that are not listening on port 9000
does not allow access from Pods that are not in namespace echo
Reference
https://kubernetes.io/zh/docs/concepts/services-networking/network-policies/
Solution
Check whether namespace echo already carries a label we can select on
student@master01:~$ kubectl get ns echo --show-labels
NAME STATUS AGE LABELS
echo Active 71d kubernetes.io/metadata.name=echo
student@master01:~$
It has no custom label yet (only the automatic kubernetes.io/metadata.name label), so add one here
student@master01:~$ kubectl label ns echo project=echo
namespace/echo labeled
student@master01:~$ kubectl get ns echo --show-labels
NAME STATUS AGE LABELS
echo Active 71d kubernetes.io/metadata.name=echo,project=echo
student@master01:~$
Create the network policy file networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: my-app
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          project: echo
    ports:
    - protocol: TCP
      port: 9000
Apply and check the network policy
student@master01:~$ kubectl apply -f networkpolicy.yaml
student@master01:~$ kubectl -n my-app get networkpolicy allow-port-from-namespace
NAME POD-SELECTOR AGE
allow-port-from-namespace <none> 65s
student@master01:~$
student@master01:~$ kubectl -n my-app describe networkpolicy allow-port-from-namespace
Name: allow-port-from-namespace
Namespace: my-app
Created on: 2022-05-06 16:20:38 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
To Port: 9000/TCP
From:
NamespaceSelector: project=echo
Not affecting egress traffic
Policy Types: Ingress
student@master01:~$
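The describe output above confirms the rule, but it does not show which connections are actually admitted or refused. The following is an added example, not code from the page: a small evaluator of Kubernetes ingress NetworkPolicy semantics, fed the page's networkpolicy.yaml as a Python dict (to avoid a YAML dependency) and constructed sample pods and namespace labels, so the three task requirements can be checked offline. The pod names, labels and the namespace "other" are assumptions for the demonstration.

```python
# Added example (not from the original page): evaluate the ingress semantics of
# the NetworkPolicy above against constructed sample connections. POLICY is the
# page's networkpolicy.yaml as a Python dict; the pods and namespace labels below
# are constructed sample data.
from dataclasses import dataclass, field

POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-port-from-namespace", "namespace": "my-app"},
    "spec": {
        "podSelector": {"matchLabels": {}},  # {} selects every pod in my-app
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"project": "echo"}}}],
            "ports": [{"protocol": "TCP", "port": 9000}],
        }],
    },
}


@dataclass
class Pod:
    """Constructed sample pod: where it runs, its namespace's labels, its own labels."""
    name: str
    namespace: str
    ns_labels: dict
    labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, src, policy_ns):
    """One entry of a rule's `from` list. A podSelector without a namespaceSelector
    only matches pods in the policy's own namespace. ipBlock peers are not modelled."""
    if "namespaceSelector" in peer:
        ns_ok = selector_matches(peer["namespaceSelector"], src.ns_labels)
    else:
        ns_ok = src.namespace == policy_ns
    pod_ok = True
    if "podSelector" in peer:
        pod_ok = selector_matches(peer["podSelector"], src.labels)
    return ns_ok and pod_ok


def port_matches(ports, dst_port, protocol):
    """A rule with no `ports` matches every port; otherwise one entry must match."""
    if not ports:
        return True
    for p in ports:
        if p.get("protocol", "TCP") != protocol:
            continue
        hi = p.get("endPort", p["port"])
        if p["port"] <= dst_port <= hi:
            return True
    return False


def ingress_allowed(policy, src, dst, dst_port, protocol="TCP"):
    """True/False if the policy selects dst and allows/denies src -> dst:dst_port.
    None if the policy does not select dst at all (dst is then not isolated by it)."""
    spec = policy["spec"]
    policy_ns = policy["metadata"]["namespace"]
    if dst.namespace != policy_ns or not selector_matches(spec.get("podSelector"), dst.labels):
        return None
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return None
    for rule in spec.get("ingress", []):
        peers = rule.get("from")
        src_ok = not peers or any(peer_matches(p, src, policy_ns) for p in peers)
        if src_ok and port_matches(rule.get("ports"), dst_port, protocol):
            return True
    return False  # selected by the policy, but no rule admits this connection


# Constructed namespaces: echo carries the project=echo label added on the page.
ECHO_NS = {"kubernetes.io/metadata.name": "echo", "project": "echo"}
OTHER_NS = {"kubernetes.io/metadata.name": "other"}
MYAPP_NS = {"kubernetes.io/metadata.name": "my-app"}

backend = Pod("backend", "my-app", MYAPP_NS, {"app": "backend"})
client_in_echo = Pod("client", "echo", ECHO_NS)
client_in_other = Pod("client", "other", OTHER_NS)
client_in_myapp = Pod("client", "my-app", MYAPP_NS)


def check_task_requirements(policy=POLICY):
    """Exercise the task's requirements plus one side effect worth knowing."""
    return {
        "echo_to_9000": ingress_allowed(policy, client_in_echo, backend, 9000),       # required: allowed
        "echo_to_8080": ingress_allowed(policy, client_in_echo, backend, 8080),       # other port: denied
        "other_ns_to_9000": ingress_allowed(policy, client_in_other, backend, 9000),  # other namespace: denied
        "echo_to_9000_udp": ingress_allowed(policy, client_in_echo, backend, 9000, "UDP"),
        # side effect: pods inside my-app are now denied too, since podSelector {} isolates them all
        "same_ns_to_9000": ingress_allowed(policy, client_in_myapp, backend, 9000),
    }


if __name__ == "__main__":
    for name, verdict in check_task_requirements().items():
        print(f"{name:20} {'ALLOW' if verdict else 'DENY'}")
```

Two points the evaluator makes visible: the policy cannot know whether a pod is listening, it simply refuses every port other than 9000/TCP, which satisfies the task wording; and because podSelector {} isolates every pod in my-app, pods within my-app can no longer reach each other on 9000 either unless another policy allows it. On a real cluster the rules are only enforced by a CNI plugin that implements NetworkPolicy, and since the namespace already carries the automatic kubernetes.io/metadata.name=echo label shown in the output above, the selector could match on that label instead of the added project=echo one.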