- 3.2. Allow frontend pods to talk to backend pods: allow pods labelled `frontend` to open sessions to pods labelled `backend`.
- 3.3. Based on namespaceSelector: allow pods labelled `backend` to reach applications in namespaces that match a namespace label.
```html
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
</html>
100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k
root@cks-master:~# kubectl exec backend curl frontend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k
<!DOCTYPE html>
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
```
![image.png](https://img-blog.csdnimg.cn/img_convert/b91d4ebb05f8e34cf79ec4fa067cb4b0.png#align=left&display=inline&height=721&margin=[objectObject]&name=image.png&originHeight=721&originWidth=952&size=75928&status=done&style=none&width=952)
**Go to the official Kubernetes documentation, open the Network Policies page ([https://kubernetes.io/docs/concepts/services-networking/network-policies/](https://kubernetes.io/docs/concepts/services-networking/network-policies/)) and copy the example from there.**
![image.png](https://img-blog.csdnimg.cn/img_convert/934df1379bf324754b04c7b2d2d3a740.png#align=left&display=inline&height=760&margin=[objectObject]&name=image.png&originHeight=760&originWidth=1320&size=91876&status=done&style=none&width=1320)
#### Key point: when the YAML is pasted into vim its indentation gets scrambled, so I found the following fix:
#### [https://blog.csdn.net/annita2019/article/details/108924928](https://blog.csdn.net/annita2019/article/details/108924928)
![image.png](https://img-blog.csdnimg.cn/img_convert/e367da68886f7a22a5f384e3bfcb2304.png#align=left&display=inline&height=468&margin=[objectObject]&name=image.png&originHeight=468&originWidth=787&size=42183&status=done&style=none&width=787)
```html
root@cks-master:~/work# vim default-deny.yaml
root@cks-master:~/work# kubectl apply -f default-deny.yaml
networkpolicy.networking.k8s.io/default-deny created
root@cks-master:~/work# cat default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
root@cks-master:~/work# kubectl exec frontend curl backend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0^C
root@cks-master:~/work# kubectl exec backend curl frontend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:19 --:--:--     0curl: (6) Could not resolve host: frontend
command terminated with exit code 6
```
The example above shows that the default-deny network policy makes the backend and frontend services refuse each other's traffic.
3.2. Allow frontend pods to talk to backend pods: allow pods labelled `frontend` to open sessions to pods labelled `backend`.
I think this part needs to be a little more involved, as shown below.
```yaml
# cat backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend
```
```yaml
# cat frontend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: backend
```
On where the `matchLabels` values come from: apply both policies with `kubectl apply -f backend.yaml` and `kubectl apply -f frontend.yaml`. But the connection still does not go through. Why?
We overlooked something fundamental: name resolution was never allowed. Do you still remember the default DNS port? Service-name resolution inside Kubernetes is done by CoreDNS (older versions used kube-dns, and before that SkyDNS, if I remember correctly), so DNS traffic has to be allowed.
```yaml
# cat deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  # an empty "to" means any destination; only the DNS ports are opened
  - to:
    ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
```
3.3. Based on namespaceSelector: allow pods labelled `backend` to reach applications in namespaces that match a namespace label.
On namespace labels (a namespace is created without any labels by default; you can add your own):
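To make the reasoning in 3.2 (why `frontend` could not reach `backend` until DNS was allowed) and the namespaceSelector idea behind the 3.3 heading concrete, here is a small evaluator in Python that replays the post's policies offline. It is an added example, not code from the post or from Kubernetes: it implements a simplified subset of NetworkPolicy semantics (matchLabels only; no ipBlock, matchExpressions or endPort), and the cluster state (the pods, the coredns labels, a `monitoring` namespace labelled `team=ops`, and the `backend-to-ops` policy) is constructed for illustration.

```python
"""Minimal NetworkPolicy evaluator (added example, not code from the original post).
Semantics modelled: a pod is isolated in a direction only if a policy selects it and lists
that direction in policyTypes; allow rules of all selecting policies are unioned; and a
connection needs the sender's egress AND the receiver's ingress to allow it."""

# Constructed cluster state: (namespace, pod) -> labels.  The coredns labels and the
# "monitoring" namespace are illustrative assumptions.
PODS = {
    ("default", "frontend"): {"run": "frontend"},
    ("default", "backend"): {"run": "backend"},
    ("kube-system", "coredns"): {"k8s-app": "kube-dns"},
    ("monitoring", "prometheus"): {"app": "prometheus"},
}
# Namespaces carry no labels unless you add them (the note in 3.3).
NAMESPACE_LABELS = {"default": {}, "kube-system": {}, "monitoring": {"team": "ops"}}

def selects(selector, labels):
    """matchLabels: {} matches everything, otherwise every key/value must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def rule_allows(rule, peer_key, policy_ns, port, proto, direction):
    """Missing/null `from`/`to` = any peer; missing `ports` = any port.  podSelector and
    namespaceSelector in one entry are ANDed; a bare podSelector is scoped to policy_ns."""
    peers = rule.get("from" if direction == "ingress" else "to")
    if peers:
        ns, _ = peer_key
        hit = False
        for peer in peers:
            if "namespaceSelector" in peer:
                ns_ok = selects(peer["namespaceSelector"], NAMESPACE_LABELS[ns])
                pod_ok = "podSelector" not in peer or selects(peer["podSelector"], PODS[peer_key])
                hit |= ns_ok and pod_ok
            elif "podSelector" in peer:
                hit |= ns == policy_ns and selects(peer["podSelector"], PODS[peer_key])
        if not hit:
            return False
    ports = rule.get("ports")
    return not ports or any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)

def direction_allowed(pod_key, peer_key, port, proto, direction, policies):
    """One side of a connection: the sender's egress or the receiver's ingress."""
    ns, _ = pod_key
    ptype = "Ingress" if direction == "ingress" else "Egress"
    isolated = False
    for pol in policies:
        if pol["metadata"]["namespace"] != ns or not selects(pol["spec"]["podSelector"], PODS[pod_key]):
            continue
        if ptype not in pol["spec"]["policyTypes"]:
            continue
        isolated = True
        for rule in pol["spec"].get(direction) or []:
            if rule_allows(rule, peer_key, ns, port, proto, direction):
                return True  # any rule from any selecting policy is enough (additive)
    return not isolated  # nothing isolates this direction -> default allow

def allowed(src, dst, port, proto, policies):
    """src -> dst:port/proto succeeds only if both sides allow it."""
    return (direction_allowed(src, dst, port, proto, "egress", policies)
            and direction_allowed(dst, src, port, proto, "ingress", policies))

def policy(name, pod_selector, types, **rules):
    return {"metadata": {"name": name, "namespace": "default"},
            "spec": {"podSelector": pod_selector, "policyTypes": types, **rules}}

# The post's policies, transcribed from its YAML.
DEFAULT_DENY = policy("default-deny", {}, ["Ingress", "Egress"])
BACKEND = policy("backend", {"matchLabels": {"run": "backend"}}, ["Ingress"],
                 ingress=[{"from": [{"podSelector": {"matchLabels": {"run": "frontend"}}}]}])
FRONTEND = policy("frontend", {"matchLabels": {"run": "frontend"}}, ["Egress"],
                  egress=[{"to": [{"podSelector": {"matchLabels": {"run": "backend"}}}]}])
DENY_BUT_DNS = policy("deny", {}, ["Egress", "Ingress"],
                      egress=[{"to": None, "ports": [{"port": 53, "protocol": "TCP"},
                                                     {"port": 53, "protocol": "UDP"}]}])
# Constructed for the 3.3 heading: backend may reach any pod in namespaces labelled team=ops.
BACKEND_TO_OPS = policy("backend-to-ops", {"matchLabels": {"run": "backend"}}, ["Egress"],
                        egress=[{"to": [{"namespaceSelector": {"matchLabels": {"team": "ops"}}}]}])

def scenarios():
    """Replay the post's steps; returns {description: allowed?}."""
    fe, be = ("default", "frontend"), ("default", "backend")
    dns, prom = ("kube-system", "coredns"), ("monitoring", "prometheus")
    step2 = [DEFAULT_DENY, BACKEND, FRONTEND]
    step3 = [DENY_BUT_DNS, BACKEND, FRONTEND]
    step4 = step3 + [BACKEND_TO_OPS]
    return {
        "3.1 default-deny only: frontend->backend:80": allowed(fe, be, 80, "TCP", [DEFAULT_DENY]),
        "3.2 backend+frontend policies: frontend->backend:80": allowed(fe, be, 80, "TCP", step2),
        "3.2 backend+frontend policies: frontend->coredns:53/udp": allowed(fe, dns, 53, "UDP", step2),
        "3.2 deny.yaml allowing DNS: frontend->coredns:53/udp": allowed(fe, dns, 53, "UDP", step3),
        "3.2 deny.yaml allowing DNS: backend->frontend:80": allowed(be, fe, 80, "TCP", step3),
        "3.3 namespaceSelector team=ops: backend->prometheus:9090": allowed(be, prom, 9090, "TCP", step4),
        "3.3 namespaceSelector team=ops: backend->coredns:9153 (kube-system unlabelled)":
            allowed(be, dns, 9153, "TCP", step4),
    }
```

Calling `scenarios()` shows why the post's second step failed: once `backend.yaml` and `frontend.yaml` are applied, the TCP path `frontend->backend:80` is allowed, but the frontend's only egress allowance is to `run=backend` pods in `default`, so the UDP 53 lookup of the name `backend` to CoreDNS in `kube-system` is dropped and `curl backend` cannot resolve the host. Adding the DNS rule from `deny.yaml` turns that lookup into an allow while `backend->frontend:80` stays denied, matching the post's output. The last two entries preview 3.3: a `namespaceSelector` rule only matches namespaces that actually carry the label, which is why an unlabelled namespace such as `kube-system` stays unreachable. Treat the script as a reasoning aid; the real check is `kubectl exec ... -- curl` against the cluster.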