★ When you need nslookup inside the cluster, use the following image (busybox:1.28; newer busybox builds have a known-broken nslookup).
Download: wget https://kubernetes.io/examples/admin/dns/busybox.yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - name: busybox
    image: busybox:1.28
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
  restartPolicy: Always
• Query a Service's ClusterIP with nslookup: kubectl exec -it busybox -- nslookup my-svc
★【Network Policy】
Policies are split into Ingress and Egress controls, and both are allow-lists: once any policy selects a pod for a direction, traffic in that direction is dropped unless some rule explicitly allows it. Pods selected by no policy keep the default allow-everything behaviour.
• Ingress controls inbound connections to the selected pods
• Egress controls outbound connections from the selected pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
★ Deny all inbound traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}   # {} selects every pod in the namespace
  policyTypes:
  - Ingress         # no ingress rules listed, so nothing is allowed in
★ Allow all inbound traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - {}              # an empty rule matches every source and every port
★ Deny all outbound traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Egress          # no egress rules listed, so nothing is allowed out (DNS included)
★ Allow all outbound traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all   # must not reuse the deny policy's name, or applying it overwrites that policy
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - {}
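To make the allow-list semantics concrete, here is an added example (not from the original note or from Kubernetes itself) that evaluates the ingress half of test-network-policy, plus the deny-all and allow-all patterns, against constructed connection attempts. The policy is transcribed into plain dicts with an assumed source description {"ip", "namespace", "ns_labels", "pod_labels"}; real CNI plugins implement the same rules, this is only a model for reasoning about them.

```python
import ipaddress

# Constructed transcription of the ingress half of test-network-policy above.
POLICY = {
    "namespace": "default",
    "podSelector": {"role": "db"},
    "policyTypes": ["Ingress"],
    "ingress": [{
        "from": [
            {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
            {"namespaceSelector": {"project": "myproject"}},
            {"podSelector": {"role": "frontend"}},
        ],
        "ports": [{"protocol": "TCP", "port": 6379}],
    }],
}

def _match(selector, labels):
    """matchLabels semantics: every key present with the same value; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())

def _peer_matches(policy, peer, src):
    """One entry of a 'from' list against an assumed src dict (ip, namespace, ns_labels, pod_labels)."""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))  # holes
    if "namespaceSelector" in peer:
        if not _match(peer["namespaceSelector"], src.get("ns_labels", {})):
            return False
    elif src.get("namespace") != policy["namespace"]:
        return False  # a bare podSelector only matches pods in the policy's own namespace
    return "podSelector" not in peer or _match(peer["podSelector"], src.get("pod_labels", {}))

def ingress_allowed(policies, dst_labels, src, port, proto="TCP"):
    """A pod selected by any Ingress policy accepts only what some rule explicitly allows."""
    selecting = [p for p in policies
                 if _match(p["podSelector"], dst_labels) and "Ingress" in p.get("policyTypes", [])]
    if not selecting:
        return True  # unselected pods keep the default allow-everything behaviour
    for p in selecting:
        for rule in p.get("ingress", []):  # deny-all has no rules; allow-all has one empty rule
            from_ok = not rule.get("from") or any(_peer_matches(p, x, src) for x in rule["from"])
            ports_ok = not rule.get("ports") or any(
                pp.get("protocol", "TCP") == proto and pp.get("port") == port for pp in rule["ports"])
            if from_ok and ports_ok:
                return True
    return False
```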