17. Kubernetes Notes | CNI Network Plugins (3): Calico NetworkPolicy Traffic Management

NetworkPolicy overview

  • Network isolation per tenant is a recurring requirement. Kubernetes provides the NetworkPolicy resource to define network policies that isolate tenants, and individual workloads within a tenant, at the network level. A NetworkPolicy provides policy-based network control to isolate applications and reduce the attack surface: it uses label selectors to emulate traditional network segmentation and controls both the traffic between segments and the traffic arriving from outside. NetworkPolicy is only enforced by a CNI plugin that implements it, such as Calico, Romana, Weave Net or Trireme. With a plugin that does not, the API server still accepts the object but nothing is enforced, so every policy change should be verified with a connectivity test, as is done throughout this page.
Resource specification
```
apiVersion: networking.k8s.io/v1   # API group and version of the resource
kind: NetworkPolicy                # resource type; namespace-scoped
metadata:                          # resource metadata
  name <string>                    # resource name
  namespace <string>               # NetworkPolicy is a namespace-scoped resource
spec:                              # desired state
  podSelector <Object>             # Pods in the same namespace that the policy applies to; required.
                                   # {} selects every Pod in the namespace
  policyTypes <[]string>           # "Ingress" makes the ingress field effective, "Egress" the egress
                                   # field; list both to control both directions
  ingress <[]Object>               # allow-list of inbound rules. A rule with an empty from/ports matches
                                   # all sources/ports; an empty or omitted ingress list (with Ingress in
                                   # policyTypes) allows nothing
  - from <[]Object>                # peers; empty means all legitimate sources
    - ipBlock <Object>             # endpoints within a CIDR; cannot be combined with the two selectors
                                   # in the same entry
    - namespaceSelector <Object>   # endpoints in the namespaces matched by the selector
      podSelector <Object>         # endpoints matched by Pod labels; on its own it is scoped to the
                                   # policy's namespace; in the same entry as namespaceSelector both
                                   # must match (AND)
    ports <[]Object>               # ports; empty means all ports and protocols
  egress <[]Object>                # allow-list of outbound rules; same semantics as ingress
  - to <[]Object>                  # peers; empty means all legitimate destinations, same format as ingress.from
    ports <[]Object>               # ports; empty means all ports and protocols
```
Matching rules: 1. Rules have no order and no weight.
2. Traffic is allowed as soon as any rule of any policy that selects the Pod allows it. Policies are therefore a union of allow-lists (the most permissive match wins) and there is no deny rule; a Pod selected by no policy at all is not isolated.
```
# Test access from the default namespace to the dev namespace
[root@k8s-master Network]# kubectl get pod -o wide
NAME                              READY   STATUS    RESTARTS   AGE   IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-fb544c5d8-r7pc8   1/1     Running   0          28h   192.168.51.1   k8s-node3   <none>           <none>
deployment-demo-fb544c5d8-splfr   1/1     Running   0          28h   192.168.12.1   k8s-node2   <none>           <none>
[root@k8s-master ~]# kubectl get pod -o wide -n dev
NAME                               READY   STATUS    RESTARTS   AGE    IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-867c7d9d55-kzctj   1/1     Running   0          134m   192.168.51.4   k8s-node3   <none>           <none>
deployment-demo-867c7d9d55-l88qg   1/1     Running   0          134m   192.168.12.2   k8s-node2   <none>           <none>
# Without any NetworkPolicy, Pods in default and dev can reach each other
[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
```

  • Label every namespace so that namespaceSelector can match on it
```
[root@k8s-master Network]# kubectl label ns default name=default
namespace/default labeled
[root@k8s-master Network]# kubectl label ns kube-system name=kube-system
namespace/kube-system labeled
[root@k8s-master Network]# kubectl get ns --show-labels
NAME              STATUS   AGE    LABELS
default           Active   3d9h   name=default
dev               Active   45h    name=dev
kube-node-lease   Active   3d9h   name=kube-node-lease
kube-public       Active   3d9h   name=kube-public
kube-system       Active   3d9h   name=kube-system
test              Active   38h    name=test
......
```
  • A hand-applied `name` label can be set to any value by anyone allowed to update namespaces, so a namespaceSelector on it trusts those users. Since Kubernetes 1.21 the API server automatically sets the label `kubernetes.io/metadata.name=<namespace>` on every namespace and keeps it equal to the namespace name; selecting on that label avoids both the manual labelling step and the spoofing risk.

Example 1: a rule that blocks all inbound traffic
  • Create a NetworkPolicy (a standard Kubernetes resource). To show that the most permissive matching rule wins, first add a policy meant to deny all traffic. Note that the manifest below is not quite a default-deny: an empty `podSelector: {}` inside `from`/`to` matches every Pod in the same namespace, so Pods in dev can still talk to each other; only traffic crossing the namespace boundary (and to external addresses) is denied. A real default-deny omits the `ingress` and `egress` lists altogether.
```
[root@k8s-master Network]# cat netpol-dev-denyall.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}                       # {} selects every Pod in dev
  policyTypes: ["Ingress", "Egress"]    # isolate both directions
  egress:
  - to:
    - podSelector: {}                   # matches every Pod in dev, not "none": dev -> dev egress stays allowed
  ingress:
  - from:
    - podSelector: {}                   # matches every Pod in dev, not "none": dev -> dev ingress stays allowed
[root@k8s-master Network]# kubectl apply -f netpol-dev-denyall.yaml
# Test connectivity from the default namespace into dev
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
--- 192.168.12.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
# every access from default into dev fails
```

Example 2: a second NetworkPolicy that admits traffic into dev
  • Rule 1: all traffic from namespaces whose label matches may reach every selected Pod in dev;
  • Rule 2: every namespace except default may reach port 80 of the selected Pods;
  • Combined, the most permissive matching rule decides what is allowed.
```
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp                    # applies to Pods in dev carrying this label
  policyTypes: ["Ingress"]            # inbound traffic only
  ingress:
  - from:                             # rule 1
    - namespaceSelector:              # match on namespace labels
        matchExpressions:
        - key: name
          operator: In
          values: [dev, kube-system, logs, monitoring, kubernetes-dashboard]   # namespaces labelled name=dev, name=kube-system, ...; default is not included
    #- ipBlock:                       # CIDR match: Pods in this range would also be admitted
    #    cidr: 192.168.0.0/16
  - from:                             # rule 2: any namespace other than default may reach port 80
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: ["default"]}   # everything except default
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
demoapp-ingress    app=demoapp    38h
deny-all-ingress   <none>         8h
[root@k8s-master Network]# kubectl describe netpol demoapp-ingress -n dev
Name:         demoapp-ingress
Namespace:    dev
Created on:   2021-08-31 17:31:59 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=demoapp
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: name in (dev,kube-system,kubernetes-dashboard,logs,monitoring)
    ----------
    To Port: 80/TCP
    From:
      NamespaceSelector: name notin (default)
  Not affecting egress traffic
  Policy Types: Ingress
```

  • Access from the default namespace to the dev namespace
  • Port 80 is still unreachable: no rule entry matches a source in default (rule 1 does not list it, rule 2 excludes it explicitly)
```
[root@k8s-master ~]# kubectl exec deployment-demo-fb544c5d8-splfr -it -- /bin/sh
[root@deployment-demo-fb544c5d8-splfr /]# curl 192.168.12.2      # fails
# ping fails as well: no rule entry matches
[root@deployment-demo-fb544c5d8-splfr /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
```

  • Add the default namespace to rule 1
```
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp                    # applies to Pods in dev carrying this label
  policyTypes: ["Ingress"]            # inbound traffic only
  ingress:
  - from:                             # rule 1
    - namespaceSelector:              # match on namespace labels
        matchExpressions:
        - key: name
          operator: In
          values: [dev, kube-system, logs, monitoring, kubernetes-dashboard, default]   # default added
    #- ipBlock:                       # CIDR match: Pods in this range would also be admitted
    #    cidr: 192.168.0.0/16
  - from:                             # rule 2: any namespace other than default may reach port 80
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: ["default"]}
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
# Test access from the default namespace to the dev namespace
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
64 bytes from 192.168.12.2: seq=0 ttl=62 time=2.563 ms
64 bytes from 192.168.12.2: seq=1 ttl=62 time=0.758 ms
64 bytes from 192.168.12.2: seq=2 ttl=62 time=0.726 ms
64 bytes from 192.168.12.2: seq=3 ttl=62 time=0.457 ms
```
  • Rule 1 now matches, and because the most permissive matching rule wins, default gets unrestricted access to the selected Pods in dev (all protocols and ports, hence ping works too).
  • Now remove default from rule 1 again and change default to logs in rule 2
```
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp                    # applies to Pods in dev carrying this label
  policyTypes: ["Ingress"]            # inbound traffic only
  ingress:
  - from:                             # rule 1
    - namespaceSelector:              # match on namespace labels
        matchExpressions:
        - key: name
          operator: In
          values: [dev, kube-system, logs, monitoring, kubernetes-dashboard]   # namespaces labelled name=dev, name=kube-system, ...
    #- ipBlock:                       # CIDR match: Pods in this range would also be admitted
    #    cidr: 192.168.0.0/16
  - from:                             # rule 2: any namespace other than logs may reach port 80
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: ["logs"]}
    ports:
    - protocol: TCP
      port: 80
```

  • Test access from the default namespace to the dev namespace
```
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
```
  • ping fails because no rule entry matches ICMP from default (rule 1 does not list default, rule 2 is limited to TCP/80); curl succeeds because rule 2 matches: every namespace other than logs may reach port 80.
Example 3: egress rules
```
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
demoapp-egress     app=demoapp    104s
deny-all-ingress   <none>         2d11h
# Inspect the deny-all policy in dev: note that an empty PodSelector peer is shown as <none>, yet it matches every Pod in the namespace
[root@k8s-master Network]# kubectl describe netpol deny-all-ingress -n dev
Name:         deny-all-ingress
Namespace:    dev
Created on:   2021-09-01 23:34:49 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      PodSelector: <none>
  Allowing egress traffic:
    To Port: <any> (traffic allowed to all ports)
    To:
      PodSelector: <none>
  Policy Types: Ingress, Egress
[root@k8s-master Network]# kubectl get pod -n dev
NAME                               READY   STATUS    RESTARTS   AGE
deployment-demo-867c7d9d55-kzctj   1/1     Running   0          3d21h
deployment-demo-867c7d9d55-l88qg   1/1     Running   0          3d21h
[root@k8s-master ~]# kubectl get pod -o wide
NAME                              READY   STATUS    RESTARTS   AGE     IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-fb544c5d8-r7pc8   1/1     Running   0          4d23h   192.168.51.1   k8s-node3   <none>           <none>
deployment-demo-fb544c5d8-splfr   1/1     Running   0          4d23h   192.168.12.1   k8s-node2   <none>           <none>
```

  • Access from the dev namespace to the default namespace
```
[root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
^C
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
^C
[root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1
PING 192.168.51.1 (192.168.51.1): 56 data bytes
^C
packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
^C
```
  • All outbound traffic fails, DNS resolution included: the deny-all policy also isolates egress and only admits destinations inside dev, so even the lookup of kube-dns in kube-system hangs.
  • Create an egress policy
```
[root@k8s-master Network]# cat netpol-dev-demoapp-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-egress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp
  policyTypes: ["Egress"]          # outbound traffic only
  egress:
  - ports:                         # no "to": any destination, but only UDP/53 (DNS)
    - protocol: UDP
      port: 53
  - to:                            # separate egress rules are OR'ed; inside one rule "to" AND "ports" must both match
    - podSelector:
        matchLabels:
          app: redis               # label of the destination Pods
    ports:
    - protocol: TCP                # TCP/6379 to Pods labelled app=redis (in dev, since there is no namespaceSelector)
      port: 6379
  - ports:                         # TCP/80 to any destination
    - protocol: TCP
      port: 80
    #to:                           # the author found that enabling this selector broke access: a podSelector
    #- podSelector:                # without a namespaceSelector only matches Pods in the policy's own
    #    matchLabels:              # namespace (dev), so the target Pod in default can never match it
    #      app: demoapp
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-egress.yaml
networkpolicy.networking.k8s.io/demoapp-egress created
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
demoapp-egress     app=demoapp    20m
deny-all-ingress   <none>         2d12h
[root@k8s-master Network]# kubectl describe netpol demoapp-egress -n dev
Name:         demoapp-egress
Namespace:    dev
Created on:   2021-09-04 12:35:07 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=demoapp
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port: 53/UDP
    To: <any> (traffic not restricted by destination)
    ----------
    To Port: 6379/TCP
    To:
      PodSelector: app=redis
    ----------
    To Port: 80/TCP
    To: <any> (traffic not restricted by destination)
  Policy Types: Egress
```

  • Test outbound access again, from the dev namespace to the default namespace
```
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1     # ICMP was not opened, so ping still fails
PING 192.168.51.1 (192.168.51.1): 56 data bytes
^C
packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
Server:    10.96.0.10
Address:   10.96.0.10#53
```
  • HTTP and DNS work again because TCP/80 and UDP/53 were opened. CoreDNS also answers on TCP/53, which clients fall back to when a response does not fit in a UDP datagram; production egress policies usually allow both protocols on port 53 and restrict the destination to the kube-dns Pods (namespaceSelector plus podSelector) instead of any address.
Example 4: combined ingress and egress control
```
[root@k8s-master Network]# cat netpol-stage-default.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default
  namespace: dev
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]   # policy for both directions
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: [stage, kube-system, logs, monitoring, kubernetes-dashboard]   # default is not included
  egress:
  - ports:                              # DNS to any destination
    - protocol: UDP
      port: 53
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:                      # namespaceSelector AND podSelector in one entry: the kube-apiserver Pods in kube-system
        matchLabels:
          component: kube-apiserver
    ports:
    - protocol: TCP
      port: 80                          # as on the original page; note that the API server's default secure port is 6443
  - to:
    - namespaceSelector:
        matchLabels:
          name: default                 # all outbound traffic to the default namespace is allowed
[root@k8s-master Network]# kubectl apply -f netpol-stage-default.yaml
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
default            <none>         7m13s
deny-all-ingress   <none>         2d14h
[root@k8s-master Network]# kubectl describe netpol default -n dev
Name:         default
Namespace:    dev
Created on:   2021-09-04 13:32:21 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: name in (kube-system,kubernetes-dashboard,logs,monitoring,stage)
  Allowing egress traffic:
    To Port: 53/UDP
    To: <any> (traffic not restricted by destination)
    ----------
    To Port: 80/TCP
    To:
      NamespaceSelector: name=kube-system
      PodSelector: component=kube-apiserver
    ----------
    To Port: <any> (traffic allowed to all ports)
    To:
      NamespaceSelector: name=default
  Policy Types: Ingress, Egress
```

  • Test outbound access from the dev namespace to the default namespace
```
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
Server:    10.96.0.10
Address:   10.96.0.10#53

Name:      kube-dns.kube-system.svc.cluster.local
Address:   10.96.0.10
# Test inbound access: from the default namespace into dev
[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4
^C
```
  • Outbound to default and DNS work as allowed; inbound from default is denied because default is not in the ingress namespace list. The egress allow for name=default only covers connections initiated from dev; it does not open the reverse direction.

GlobalNetworkPolicy: cluster-wide policy as a Calico custom resource type

Although its feature set keeps growing, the Kubernetes NetworkPolicy resource still has significant limitations: there is no explicit deny rule, no support for advanced selector expressions, no application-layer rules and no cluster-wide policy. To address these limitations, Calico (like some other plugins) provides its own policy CRDs, including NetworkPolicy and GlobalNetworkPolicy. Calico's NetworkPolicy CRD offers a larger feature set than the Kubernetes NetworkPolicy API, including deny rules, explicit policy ordering and application-layer rules, but these resources must be created with calicoctl (or through the Calico API server) rather than with the networking.k8s.io API.

GlobalNetworkPolicy uses selector, serviceAccountSelector or namespaceSelector to choose the endpoints it applies to; the default is all(), i.e. every endpoint in the cluster (workload and host endpoints alike). The manifest below (globalnetworkpolicy-demo.yaml) defines a common policy for the non-system namespaces; the example assumes four system namespaces: kube-system, kubernetes-dashboard, logs and monitoring.
Resource specification:
```
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: namespaces-default
spec:
  order: 0.0              # evaluation order when several policies apply to an endpoint: lower values are
                          # evaluated first and the first rule that matches (Allow or Deny) decides, so an
                          # earlier policy takes precedence over a later one; Pass hands over to the next policy
  namespaceSelector: name not in {"kube-system", "kubernetes-dashboard", "logs", "monitoring"}   # applies to every endpoint outside these namespaces
  types: ["Ingress", "Egress"]
  ingress:                # inbound rules
  - action: Allow         # allow-list: the selected endpoints may be reached on any port from every endpoint in the system namespaces below
    source:
      namespaceSelector: name in {"kube-system", "kubernetes-dashboard", "logs", "monitoring"}
  egress:                 # outbound rules
  - action: Allow         # allow everything
```
Once a Calico policy selects an endpoint for a direction, traffic in that direction that matches no rule of any selecting policy is dropped, so this manifest also denies inbound traffic to the selected namespaces from every source that is not a system namespace.

```
[root@k8s-master Network]# kubectl api-resources      # list resource types; Calico's CRDs live in the crd.projectcalico.org group
NAME                            SHORTNAMES   APIGROUP                NAMESPACED   KIND
......
bgpconfigurations                            crd.projectcalico.org   false        BGPConfiguration
bgppeers                                     crd.projectcalico.org   false        BGPPeer
blockaffinities                              crd.projectcalico.org   false        BlockAffinity
clusterinformations                          crd.projectcalico.org   false        ClusterInformation
felixconfigurations                          crd.projectcalico.org   false        FelixConfiguration
globalnetworkpolicies                        crd.projectcalico.org   false        GlobalNetworkPolicy
globalnetworksets                            crd.projectcalico.org   false        GlobalNetworkSet
hostendpoints                                crd.projectcalico.org   false        HostEndpoint
ipamblocks                                   crd.projectcalico.org   false        IPAMBlock
ipamconfigs                                  crd.projectcalico.org   false        IPAMConfig
ipamhandles                                  crd.projectcalico.org   false        IPAMHandle
ippools                                      crd.projectcalico.org   false        IPPool
kubecontrollersconfigurations                crd.projectcalico.org   false        KubeControllersConfiguration
networkpolicies                              crd.projectcalico.org   true         NetworkPolicy
networksets                                  crd.projectcalico.org   true         NetworkSet
```

Example 5: create a GlobalNetworkPolicy with Ingress and Egress rules
```
[root@k8s-master Network]# kubectl get netpol -n dev     # delete all of the earlier NetworkPolicies first
No resources found in dev namespace.
[root@k8s-master Network]# cat globalnetworkpolicy-demo.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy                 # Calico resource; cluster-scoped, belongs to no namespace
metadata:
  name: namespaces-default
spec:
  order: 0.0                              # evaluation order; lower values are evaluated first
  namespaceSelector: name not in {"kube-system", "kubernetes-dashboard", "logs", "monitoring", "dev"}   # namespaces the policy applies to
  types: ["Ingress", "Egress"]
  ingress:
  - action: Allow                         # Calico also supports Deny and Pass; Kubernetes NetworkPolicy has no deny action
    source:
      namespaceSelector: name in {"kube-system", "kubernetes-dashboard", "logs", "monitoring", "dev"}   # inbound traffic from these namespaces is allowed; anything else is dropped
  egress:
  - action: Allow                         # all outbound traffic is allowed
[root@k8s-master Network]# calicoctl apply -f globalnetworkpolicy-demo.yaml
Successfully applied 1 'GlobalNetworkPolicy' resource(s)
[root@k8s-master Network]# calicoctl get GlobalNetworkPolicy
NAME
namespaces-default
[root@k8s-master Network]# calicoctl get GlobalNetworkPolicy -o yaml
apiVersion: projectcalico.org/v3
items:
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    creationTimestamp: "2021-09-04T06:06:50Z"
    name: namespaces-default
    resourceVersion: "1214207"
    uid: 94d3fa70-c7c3-4333-a926-2656ada9d8e7
  spec:
    egress:
    - action: Allow
      destination: {}
      source: {}
    ingress:
    - action: Allow
      destination: {}
      source:
        namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}
    namespaceSelector: name not in { "kube-system","kubernetes-dashboard","logs","monitoring","dev"}
    order: 0
    types:
    - Ingress
    - Egress
kind: GlobalNetworkPolicyList
metadata:
  resourceVersion: "1216067"
```

  • Test access from the test namespace to the default namespace
```
[root@k8s-master Network]# kubectl get pod -n test
NAME                               READY   STATUS    RESTARTS   AGE
deployment-demo-867c7d9d55-72p8r   1/1     Running   0          2d16h
deployment-demo-867c7d9d55-8pf7z   1/1     Running   0          2d16h
[root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-72p8r -n test -it -- /bin/sh
[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
^C
[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
^C
```
  • Access fails. The policy selects both test and default (neither is excluded by the namespaceSelector). Egress from the test Pod is allowed, but the ingress rule on the destination only admits sources from the five listed namespaces; test is not among them, so the packet matches no rule and is dropped.
  • Test access from the dev namespace to the default namespace
```
[root@k8s-master ~]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
```
  • dev is in the source allow-list of the ingress rule, so this succeeds.

  • Delete the GlobalNetworkPolicy so it does not interfere with later tests. Through the Kubernetes API the object appears as the CRD instance default.namespaces-default (Calico prefixes the policy name with its tier, default); `calicoctl delete globalnetworkpolicy namespaces-default` is equivalent.
```
[root@k8s-master Ingress]# kubectl get globalNetworkPolicy
NAME                         AGE
default.namespaces-default   7d22h
[root@k8s-master Ingress]# kubectl delete globalNetworkPolicy default.namespaces-default
globalnetworkpolicy.crd.projectcalico.org "default.namespaces-default" deleted
```
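Calico evaluates policies differently from the unordered union of allows used by Kubernetes NetworkPolicy, and the `order` field is what makes Deny rules dependable. The Python script below is an added example written for this page (it is not Calico's code, and it does not parse Calico's selector language; selectors such as `name not in {...}` are replaced by Python predicates). It models ordered first-match evaluation with Allow, Deny and Pass, the implicit drop when a selected endpoint matches no rule, and the fall-back to the namespace profile when no policy selects the endpoint. It is fed the page's namespaces-default GlobalNetworkPolicy plus a constructed pair of policies showing that a Deny beats an Allow only when its order is lower. The namespace label name=<namespace> is assumed as labelled on the page; the quarantine namespace is constructed.

```python
"""Toy model of Calico policy ordering (added example; not Calico's own code).
Policies selecting an endpoint are evaluated in ascending `order`; within a policy the
first matching rule decides: Allow/Deny end evaluation, Pass skips to the next policy.
If some policy selected the endpoint but no rule matched, the packet is dropped.
Calico selector expressions (e.g. `name not in {...}`) are replaced by Python predicates."""
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Endpoint:
    namespace: str
    ns_labels: dict  # constructed: every namespace carries name=<namespace> as labelled on the page

@dataclass
class Rule:
    action: str                                        # "Allow" | "Deny" | "Pass"
    peer: Optional[Callable[[Endpoint], bool]] = None  # source (ingress) or destination (egress); None = any
    protocol: Optional[str] = None                     # None = any protocol
    port: Optional[int] = None                         # None = any port

@dataclass
class GlobalNetworkPolicy:
    name: str
    order: float
    selector: Callable[[Endpoint], bool]               # which endpoints the policy applies to
    types: tuple = ("Ingress", "Egress")
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

def rule_matches(rule, other, proto, port):
    return ((rule.peer is None or rule.peer(other))
            and (rule.protocol is None or rule.protocol == proto)
            and (rule.port is None or rule.port == port))

def decide(policies, endpoint, direction, other, proto, port):
    """'Allow' or 'Deny' for one endpoint and direction; None when no policy selects the endpoint
    (Calico then falls back to the namespace profile, which allows by default)."""
    applicable = sorted((p for p in policies if direction in p.types and p.selector(endpoint)),
                        key=lambda p: p.order)
    if not applicable:
        return None
    for pol in applicable:                     # lowest order first
        for rule in (pol.ingress if direction == "Ingress" else pol.egress):
            if rule_matches(rule, other, proto, port):
                if rule.action == "Pass":
                    break                      # leave this policy, continue with the next one
                return rule.action             # first Allow or Deny wins
    return "Deny"                              # selected but nothing matched: implicit drop

def allowed(policies, src, dst, proto="TCP", port=80):
    """Egress verdict on src and ingress verdict on dst must both be Allow (or no policy at all)."""
    return (decide(policies, src, "Egress", dst, proto, port) in (None, "Allow")
            and decide(policies, dst, "Ingress", src, proto, port) in (None, "Allow"))

# --- constructed fixtures ---
def ep(ns):
    return Endpoint(ns, {"name": ns})

SYSTEM = {"kube-system", "kubernetes-dashboard", "logs", "monitoring", "dev"}

def in_system(e):
    return e.ns_labels.get("name") in SYSTEM   # stands for the selector: name in {"kube-system", ..., "dev"}

# The page's namespaces-default GlobalNetworkPolicy (order 0.0)
PAGE_GNP = GlobalNetworkPolicy("namespaces-default", 0.0, selector=lambda e: not in_system(e),
                               ingress=[Rule("Allow", peer=in_system)], egress=[Rule("Allow")])

def ordering_demo(deny_order):
    """Constructed: a Deny for the quarantine namespace and an allow-all both select every endpoint.
    The Deny wins only when its order is lower than the allow-all's order of 100."""
    policies = [
        GlobalNetworkPolicy("deny-quarantine", deny_order, selector=lambda e: True, types=("Ingress",),
                            ingress=[Rule("Deny", peer=lambda e: e.namespace == "quarantine")]),
        GlobalNetworkPolicy("allow-all-ingress", 100.0, selector=lambda e: True, types=("Ingress",),
                            ingress=[Rule("Allow")]),
    ]
    return allowed(policies, ep("quarantine"), ep("default"))

if __name__ == "__main__":
    print("test -> default  :", allowed([PAGE_GNP], ep("test"), ep("default")))  # default is selected, test not whitelisted
    print("dev  -> default  :", allowed([PAGE_GNP], ep("dev"), ep("default")))   # dev is in the source allow-list
    print("deny at order 0  :", ordering_demo(0.0))                              # Deny is evaluated first
    print("deny at order 200:", ordering_demo(200.0))                            # allow-all at order 100 wins
```

Calico converts Kubernetes NetworkPolicy objects into Calico policies with order 1000, so a GlobalNetworkPolicy with `order: 0.0` is always evaluated before them; a low-order Deny rule is therefore a cluster-wide guardrail that no namespace-scoped NetworkPolicy can override, which is exactly what the Kubernetes API cannot express on its own.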
