我创建了两个名为“a”和“b”的命名空间
我有如下文件结构..
on folder a
nginx-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment-a
labels:
app-tier: UI
namespace: a
spec:
selector:
matchLabels:
app-tier: UI
template:
metadata:
labels:
app-tier: UI
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
网络策略.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: np-a
namespace: a
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: b
ports:
- protocol: TCP
port: 80
egress:
- to:
- namespaceSelector:
matchLabels:
name: b
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
并使用两个 yml 文件kubectl apply -f
on folder b
nginx-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment-b
labels:
app-tier: UI
namespace: b
spec:
selector:
matchLabels:
app-tier: UI
template:
metadata:
labels:
app-tier: UI
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
网络策略.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: np-b
namespace: b
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: a
ports:
- protocol: TCP
port: 80
egress:
- to:
- namespaceSelector:
matchLabels:
name: a
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
并使用两个 yml 文件kubectl apply -f
问题
所以基本上我想允许从命名空间a到命名空间b的流量,反之亦然。
我已经使用
$$ kubectl expose deployment nginx-deployment-b -n b --port=80
$$ kubectl expose deployment nginx-deployment-a -n a --port=80
我在命名空间中创建了busybox a using
kubectl run myshell --image=busybox -n a --command -- sh -c "sleep 3600"
我已经使用 exec 进入了busybox
kubectl exec myshell -n a -it -- sh
现在这是wget的输出
/ # wget nginx-deployment-b.b.svc.cluster.local
^Z[5]+ Stopped wget nginx-deployment-b.b.svc.cluster.local
/ # wget nginx-deployment-a.a.svc.cluster.local
^Z[6]+ Stopped wget nginx-deployment-a.a.svc.cluster.local
/ # wget nginx-deployment-a.a.svc
^Z[7]+ Stopped wget nginx-deployment-a.a.svc
/ # wget nginx-deployment-b.b.svc
^Z[8]+ Stopped wget nginx-deployment-b.b.svc
/ #
您可以看到我既无法连接到在命名空间a或b上运行的服务
我应该怎么做才能允许从命名空间a到命名空间b的流量,反之亦然?
任何建议或修改。
谢谢
编辑-1
网络政策的描述,
np-a
Name: np-a
Namespace: a
Created on: 2020-08-21 18:41:12 +0530 IST
Labels: <none>
Annotations: Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
To Port: 80/TCP
From:
NamespaceSelector: name=b
Allowing egress traffic:
To Port: 53/TCP
To Port: 53/UDP
To:
NamespaceSelector: name=b
Policy Types: Ingress, Egress
np-b
Name: np-b
Namespace: b
Created on: 2020-08-21 18:21:07 +0530 IST
Labels: <none>
Annotations: Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
To Port: 80/TCP
From:
NamespaceSelector: name=a
Allowing egress traffic:
To Port: 53/TCP
To Port: 53/UDP
To:
NamespaceSelector: name=a
Policy Types: Ingress, Egress
服务说明
Name: nginx-deployment-a
Namespace: a
Labels: app-tier=UI
Annotations: <none>
Selector: app-tier=UI
Type: ClusterIP
IP: 10.107.112.202
Port: <unset> 80/TCP
TargetPort: 80/TCP
Endpoints: 10.0.0.147:80
Session Affinity: None
Events: <none>
和
Name: nginx-deployment-b
Namespace: b
Labels: app-tier=UI
Annotations: <none>
Selector: app-tier=UI
Type: ClusterIP
IP: 10.98.228.141
Port: <unset> 80/TCP
TargetPort: 80/TCP
Endpoints: 10.0.0.79:80
Session Affinity: None
Events: <none>
的输出kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
cilium-operator-868c78f7b5-44nhn 0/1 Pending 0 7h58m
cilium-operator-868c78f7b5-jl5cq 1/1 Running 2 7h58m
cilium-qgzxs 1/1 Running 2 7h58m
coredns-66bff467f8-lpck8 1/1 Running 2 8h
etcd-minikube 1/1 Running 1 7h8m
kube-apiserver-minikube 1/1 Running 1 7h8m
kube-controller-manager-minikube 1/1 Running 3 8h
kube-proxy-f9vgr 1/1 Running 2 8h
kube-scheduler-minikube 1/1 Running 2 8h
storage-provisioner 1/1 Running 5 8h