Networking

Applying k8s network policies in Amazon EKS

  • May 17, 2021

I am learning Kubernetes network policies. I am trying to create a situation where two pods in the same namespace have different network policies attached:

  • pod A has ingress from anywhere
  • pod B has ingress from nowhere (but eventually only from pod A)

I find that Kubernetes seems to accept the network policies but does not enforce them. The deployed pods use the ealen/echo-server:latest image, which echoes information about its runtime environment, and I test the policies by making an HTTP request from one pod to the other:

kubectl exec \
    -n private-networking \
    POD_A_NAME \
    -- wget -O - service-b.private-networking

If the policies worked, I would expect the call from A to B to fail with a timeout and the call from B to A to succeed. Currently, both succeed.

The cluster was deployed with Amazon EKS, and I am not using Calico or anything like it (although you will see it in the GitHub repository where I experimented).

The pods are deployed via Deployment objects that differ only in name. (Note that the pods are not deployed on Fargate.)

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-a
  namespace: private-networking
spec:
  selector:
    matchLabels:
      service: service-a
  template:
    metadata:
      labels:
        service: service-a
    spec:
      containers:
      - name: echo-a
        image: ealen/echo-server:latest
        resources:
          limits:
            memory: "128Mi"
            cpu: "100m"
        ports:
        - containerPort: 8080
        env:
        - name: PORT
          value: "8080"

The network policies applied are below, and are also available on GitHub.

What am I missing?

---
# Deny all ingress and egress traffic across the board
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: private-networking
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow all pods in the namespace to egress traffic to kube-dns
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: private-networking
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
---
# Allow ingress to service-a on port 8080 from any source IP
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-a-ingress-from-anywhere
  namespace: private-networking
spec:
  podSelector:
    matchLabels:
      service: service-a
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - port: 8080
---
# Allow service-a to egress anywhere (an empty rule matches every destination)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-a-egress-to-anywhere
  namespace: private-networking
spec:
  podSelector:
    matchLabels:
      service: service-a
  egress:
    - {}
---
# Select service-b for ingress with no allow rules, i.e. deny all ingress to it
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-b-ingress-from-nowhere
  namespace: private-networking
spec:
  podSelector:
    matchLabels:
      service: service-b
  policyTypes:
    - Ingress
  ingress: []

The answer to this turned out to be installing Calico on the Amazon EKS cluster. I had misread the documentation, thinking that Calico was an optional add-on and that Amazon EKS clusters came with a container network interface plugin installed by default.

It seems they don't.
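Whether a NetworkPolicy is enforced at all depends on the CNI, which is the point of the answer above: the API server stores the objects regardless. What the posted policies would enforce, once a policy-aware CNI is in place, can be worked out from the NetworkPolicy semantics alone. The script below is an added example, not code from the question or the answer. It models the Kubernetes evaluation rules (allow rules are additive; a pod selected by any policy of a given policyType is default-deny for that direction; `policyTypes` defaults to Ingress, plus Egress when egress rules are present) and runs them over the five policies from the question against constructed pod and namespace data. The pod names, labels and IPs are assumptions, and the ipBlock check assumes the policy engine sees pod IPs un-NATed, as Calico does on the EKS VPC CNI.

```python
"""Static evaluator for the NetworkPolicy semantics applied to the policies above.
Added example, not code from the question or answer. Models the Kubernetes rules:
allow rules are additive, a pod selected by any policy of a policyType is
default-deny for that direction, and policyTypes defaults to Ingress (plus Egress
when egress rules exist). It says what an enforcing CNI would do, not whether
your CNI enforces anything; the API server accepts these objects regardless.
"""
import ipaddress

# Constructed sample data: assumed names, labels and IPs, not real cluster state.
NAMESPACE_LABELS = {"private-networking": {}, "kube-system": {}}
PODS = {  # name -> (namespace, labels, pod IP)
    "pod-a": ("private-networking", {"service": "service-a"}, "10.0.1.10"),
    "pod-b": ("private-networking", {"service": "service-b"}, "10.0.1.11"),
    "coredns": ("kube-system", {"k8s-app": "kube-dns"}, "10.0.2.5"),
}
# The five policies from the question, transcribed from YAML to dicts.
POLICIES = [
    {"name": "deny-all", "namespace": "private-networking",
     "podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    {"name": "allow-dns", "namespace": "private-networking",
     "podSelector": {}, "policyTypes": ["Egress"],
     "egress": [{"to": [{"namespaceSelector": {},
                         "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                 "ports": [{"port": 53, "protocol": "UDP"}]}]},
    {"name": "service-a-ingress-from-anywhere", "namespace": "private-networking",
     "podSelector": {"matchLabels": {"service": "service-a"}},
     "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                  "ports": [{"port": 8080}]}]},
    {"name": "service-a-egress-to-anywhere", "namespace": "private-networking",
     "podSelector": {"matchLabels": {"service": "service-a"}},
     "egress": [{}]},  # no policyTypes given: see policy_types()
    {"name": "service-b-ingress-from-nowhere", "namespace": "private-networking",
     "podSelector": {"matchLabels": {"service": "service-b"}},
     "policyTypes": ["Ingress"], "ingress": []},
]

def selector_matches(selector, labels):
    """matchLabels only (matchExpressions not modelled); {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(policy):
    """Ingress is always implied; Egress only when the policy has egress rules."""
    if "policyTypes" in policy:
        return set(policy["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in policy else set())

def peer_matches(peer, policy_ns, remote):
    """Does one from/to entry match the remote pod (namespace, labels, IP)?"""
    ns, labels, ip = remote
    if "ipBlock" in peer:
        # Assumes the engine sees the pod IP itself, as with Calico on the VPC CNI
        # where pod-to-pod traffic is not NATed.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(peer["ipBlock"]["cidr"])
    if "namespaceSelector" in peer:
        return (selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(ns, {}))
                and selector_matches(peer.get("podSelector", {}), labels))
    # A lone podSelector is scoped to the policy's own namespace.
    return ns == policy_ns and selector_matches(peer["podSelector"], labels)

def ports_match(rule, port, protocol):
    """Missing or empty ports means all ports; protocol defaults to TCP."""
    ports = rule.get("ports")
    return not ports or any(
        p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)

def direction_allowed(direction, local, remote, port, protocol):
    """One side of the check: Ingress is evaluated at dst, Egress at src."""
    ns, labels, _ = local
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in POLICIES if p["namespace"] == ns
                 and direction in policy_types(p) and selector_matches(p["podSelector"], labels)]
    if not selecting:
        return True  # an unselected pod is unrestricted in this direction
    for policy in selecting:
        for rule in policy.get(rules_key, []):
            peers = rule.get(peers_key)  # absent peers (the rule {}) match everyone
            if ((not peers or any(peer_matches(pe, ns, remote) for pe in peers))
                    and ports_match(rule, port, protocol)):
                return True
    return False  # selected, and no rule in any policy allowed the connection

def connection_allowed(src, dst, port, protocol="TCP"):
    """A connection needs egress allowed at src AND ingress allowed at dst."""
    s, d = PODS[src], PODS[dst]
    return (direction_allowed("Egress", s, d, port, protocol)
            and direction_allowed("Ingress", d, s, port, protocol))

if __name__ == "__main__":
    for src, dst, port, proto in [("pod-a", "pod-b", 8080, "TCP"), ("pod-b", "pod-a", 8080, "TCP"),
                                  ("pod-b", "coredns", 53, "UDP")]:
        print(src, "->", dst, port, proto, "ALLOW" if connection_allowed(src, dst, port, proto) else "DENY")
```

Two results are worth noting. A to B on 8080 is denied, as the question expects, because `deny-all` and `service-b-ingress-from-nowhere` both select B for Ingress with no allow rules. B to A on 8080 is also denied, which the question does not expect: `deny-all` selects B for Egress, and the only egress rule that reaches B is `allow-dns`, so B can only talk to kube-dns on UDP 53. Once Calico (or any enforcing CNI) is installed, B would need an egress rule towards A as well, and until then a passing test proves nothing about the policies, only that nothing is enforcing them.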

Source: https://serverfault.com/questions/1063814