3

我正在使用 Wea​​ve Net 2.4.0 运行 Kubernetes 1.9.6。我正在尝试锁定对 Kubernetes 内部 DNS 服务器和另一台主机上的特定端口的访问。我似乎找不到合适的出口格式。

我知道以下不是有效的政策,但代表了我想要做的事情。我如何编写网络策略来支持这一点?

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
    name: test-network-policy
    namespace: dev
spec:
    podSelector:
        matchLabels:
            app: plem-network-policy
policyTypes:
- Egress
egress:
- to:
    - ipBlock:
        cidr: 10.3.0.10/32
        ports:
        - protocol: TCP
        port: 53
        - protocol: UDP
        port: 53
    - ipBlock:
        cidr: 10.49.100.37/32
        ports:
        - protocol: TCP
        port: 8200
4

1 回答 1

5

我没有对 cidr 和端口的多个块给予足够的关注。这就是我一直在寻找的。

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
    name: test-network-policy
    namespace: dev
spec:
    podSelector:
      matchLabels:
        app: plem-network-policy
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.2.0.0/16
    - ipBlock:
        cidr: 10.3.0.10/32
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - ipBlock:
        cidr: 10.49.100.37/32
    - ipBlock:
        cidr: 10.49.100.137/32
    - ipBlock:
        cidr: 10.49.100.85/32
    ports:
    - protocol: TCP
      port: 8200
  - to:
    - ipBlock:
        cidr: 10.29.30.56/32
    ports:
    - protocol: TCP
      port: 5439
于 2018-08-14T14:57:26.837 回答