05-网络策略

题目主干

Task - 1（可能会考的问题1）
在现有的namespace my-app中创建一个名为allow-port-from-namespace的新NetworkPolicy。
确保新的NetworkPolicy允许namespace echo中的Pods连接到namespace my-app中的Pods的9000端口。

进一步确保新的NetworkPolicy：
不允许对没有在监听 端口9000的Pods的访问
不允许非来自 namespace echo中的Pods的访问

参考说明

https://kubernetes.io/zh/docs/concepts/services-networking/network-policies/

题目解答

查看命名空间echo是否有标签

student@master01:~$ kubectl get ns echo --show-labels 
NAME   STATUS   AGE   LABELS
echo   Active   71d   kubernetes.io/metadata.name=echo
student@master01:~$

发现当前没有，这里打一个标签

student@master01:~$ kubectl label ns echo project=echo
namespace/echo labeled
student@master01:~$ kubectl get ns echo --show-labels 
NAME   STATUS   AGE   LABELS
echo   Active   71d   kubernetes.io/metadata.name=echo,project=echo
student@master01:~

创建网络策略文件networkpolicy.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: my-app
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              project: echo
      ports:
        - protocol: TCP
          port: 9000

检查网络策略

student@master01:~$ kubectl apply -f networkpolicy.yaml 
student@master01:~$ kubectl -n my-app  get networkpolicy allow-port-from-namespace
NAME                        POD-SELECTOR   AGE
allow-port-from-namespace   <none>         65s
student@master01:~$ 
student@master01:~$ kubectl -n my-app describe networkpolicy allow-port-from-namespace 
Name:         allow-port-from-namespace
Namespace:    my-app
Created on:   2022-05-06 16:20:38 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 9000/TCP
    From:
      NamespaceSelector: project=echo
  Not affecting egress traffic
  Policy Types: Ingress
student@master01:~$