Networking
Applying k8s network policies in Amazon EKS
I am learning Kubernetes network policies. I am trying to create a situation where two pods in the same namespace have different network policies associated with them:
- pod A has ingress from anywhere
- pod B has ingress from nowhere (but eventually only from pod A)
I found that Kubernetes seems to accept the network policies but does not enforce them. The deployed pods use the `ealen/echo-server:latest` image, which echoes information about its execution environment, and I test the policies by making an HTTP request from one pod to the other:

```shell
kubectl exec \
  -n private-networking \
  POD_A_NAME \
  -- wget -O - service-b.private-networking
```
If the policies worked, I would expect the call from A to B to fail with a timeout and the call from B to A to succeed. Currently, both succeed.
The cluster is deployed with Amazon EKS, and I am not using Calico or anything else (although you will see it in the GitHub repository I have been experimenting with).
The pods are deployed via Deployment objects that differ only in name. (Note: the pods are not deployed on Fargate.)
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-a
  namespace: private-networking
spec:
  selector:
    matchLabels:
      service: service-a
  template:
    metadata:
      labels:
        service: service-a
    spec:
      containers:
        - name: echo-a
          image: ealen/echo-server:latest
          resources:
            limits:
              memory: "128Mi"
              cpu: "100m"
          ports:
            - containerPort: 8080
          env:
            - name: PORT
              value: "8080"
```
The applied network policies are as follows and can also be accessed on GitHub.
What am I missing?
```yaml
---
# Deny all ingress and egress traffic across the board
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: private-networking
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow all pods in the namespace to egress traffic to kube-dns
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: private-networking
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-a-ingress-from-anywhere
  namespace: private-networking
spec:
  podSelector:
    matchLabels:
      service: service-a
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-a-egress-to-anywhere
  namespace: private-networking
spec:
  podSelector:
    matchLabels:
      service: service-a
  egress:
    - {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-b-ingress-from-nowhere
  namespace: private-networking
spec:
  podSelector:
    matchLabels:
      service: service-b
  policyTypes:
    - Ingress
  ingress: []
```
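Whether the policies above are enforced at all depends on the CNI, but what they would enforce can be worked out offline. The following evaluator is an added example, not code from the question or its GitHub repository: it transcribes the five policies into Python dicts and applies the NetworkPolicy semantics that any enforcing CNI (such as Calico) implements, namely that a pod becomes isolated in a direction as soon as one policy of that type selects it, that rules across policies are unioned, and that a flow needs both the source's egress and the destination's ingress to be allowed. The pod names, pod IPs, the kube-dns pod and the external client are constructed for the example, and selectors are limited to `matchLabels` (no `matchExpressions`, named ports or `endPort`). It goes beyond the two flows tested in the question: it also shows that with this policy set B cannot reach A either, because `deny-all` isolates B for egress and `allow-dns` only opens UDP/53 to kube-dns.

```python
"""Offline evaluator for the NetworkPolicy objects in the question (added example).

Policies are transcribed from the question; pods, IPs, kube-dns and the external
client are constructed. Answers: what should an enforcing CNI decide for a flow?
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

NS = "private-networking"
NAMESPACE_LABELS = {NS: {}, "kube-system": {}}  # constructed; {} selector matches all

POLICIES = [
    {"metadata": {"name": "deny-all", "namespace": NS},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "allow-dns", "namespace": NS},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {},
                                  "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                          "ports": [{"port": 53, "protocol": "UDP"}]}]}},
    {"metadata": {"name": "service-a-ingress-from-anywhere", "namespace": NS},
     "spec": {"podSelector": {"matchLabels": {"service": "service-a"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                           "ports": [{"port": 8080}]}]}},
    {"metadata": {"name": "service-a-egress-to-anywhere", "namespace": NS},
     "spec": {"podSelector": {"matchLabels": {"service": "service-a"}}, "egress": [{}]}},
    {"metadata": {"name": "service-b-ingress-from-nowhere", "namespace": NS},
     "spec": {"podSelector": {"matchLabels": {"service": "service-b"}},
              "policyTypes": ["Ingress"], "ingress": []}},
]


@dataclass
class Pod:
    name: str
    namespace: Optional[str]  # None models a client outside the cluster
    ip: str
    labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """matchLabels-only selector; the empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, other, policy_ns):
    """Does one 'from'/'to' peer entry select the other endpoint?"""
    if "ipBlock" in peer:
        # Matching ipBlock against in-cluster pod IPs is CNI-dependent (Calico does).
        ip, blk = ipaddress.ip_address(other.ip), peer["ipBlock"]
        if ip not in ipaddress.ip_network(blk["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in blk.get("except", []))
    if other.namespace is None:
        return False  # pod/namespace selectors never match external hosts
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = (other.namespace == policy_ns if ns_sel is None
             else selector_matches(ns_sel, NAMESPACE_LABELS.get(other.namespace, {})))
    pod_ok = pod_sel is None or selector_matches(pod_sel, other.labels)
    return ns_ok and pod_ok


def rule_allows(rule, peer_key, other, port, proto, policy_ns):
    """No peers listed means any peer; no ports listed means any port (so {} allows all)."""
    peers, ports = rule.get(peer_key), rule.get("ports")
    peer_ok = peers is None or any(peer_matches(p, other, policy_ns) for p in peers)
    port_ok = ports is None or any(
        p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)
    return peer_ok and port_ok


def direction_allowed(policies, pod, other, port, proto, direction):
    """Isolated once any policy of this type selects the pod; then allowed only if
    some rule in the union of those policies matches the flow."""
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != pod.namespace:
            continue
        if not selector_matches(spec.get("podSelector", {}), pod.labels):
            continue
        # Default policyTypes: Ingress always, Egress only when an egress section exists.
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if direction not in types:
            continue
        isolated = True
        if any(rule_allows(r, peer_key, other, port, proto, pod.namespace)
               for r in spec.get(key) or []):
            return True
    return not isolated


def connection_allowed(policies, src, dst, port, proto="TCP"):
    """A flow needs BOTH the source's egress and the destination's ingress to allow it."""
    egress_ok = src.namespace is None or direction_allowed(policies, src, dst, port, proto, "Egress")
    return egress_ok and direction_allowed(policies, dst, src, port, proto, "Ingress")


# Constructed endpoints standing in for the question's two pods, CoreDNS and a client.
POD_A = Pod("pod-a", NS, "10.0.1.10", {"service": "service-a"})
POD_B = Pod("pod-b", NS, "10.0.1.11", {"service": "service-b"})
KUBE_DNS = Pod("coredns", "kube-system", "10.0.0.53", {"k8s-app": "kube-dns"})
EXTERNAL = Pod("outside-client", None, "203.0.113.5")


def expected_results(policies=POLICIES):
    """The flows the question tests plus the ones that explain what an enforcing CNI does."""
    return {
        "A -> B:8080": connection_allowed(policies, POD_A, POD_B, 8080),
        "B -> A:8080": connection_allowed(policies, POD_B, POD_A, 8080),
        "external -> A:8080": connection_allowed(policies, EXTERNAL, POD_A, 8080),
        "external -> A:9090": connection_allowed(policies, EXTERNAL, POD_A, 9090),
        "B -> kube-dns:53/udp": connection_allowed(policies, POD_B, KUBE_DNS, 53, "UDP"),
        "B -> kube-dns:53/tcp": connection_allowed(policies, POD_B, KUBE_DNS, 53, "TCP"),
    }


if __name__ == "__main__":
    for flow, ok in expected_results().items():
        print(f"{flow:22} {'ALLOW' if ok else 'DENY'}")
```

With the policies as written, an enforcing CNI denies A to B on 8080 (B is isolated for ingress and has no ingress rules) and also denies B to A, because B's only egress allowance is UDP/53 to kube-dns; the external client reaches A on 8080 through the `0.0.0.0/0` ipBlock but nothing else. Passing an empty policy list makes every flow allowed, which is the behaviour the question observes when no CNI enforces policy. To let B talk to A later, B needs an egress policy selecting `service: service-b` with a `to` rule for pods labelled `service: service-a`, not just an ingress rule on A.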
The answer to this question turned out to be installing Calico on the Amazon EKS cluster. I had misread the documentation, thinking that Calico was an optional add-on and that Amazon EKS clusters came with a Container Network Interface plugin installed by default.
It seems they do not.