3

我需要将 pod 出口流量限制到外部目的地。Pod 应该能够访问 Internet 上的任何目的地,并且所有集群内部目的地都应该被拒绝。

这是我尝试过的,但没有通过验证:

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: test
spec:
  workloadSelector:
    labels:
      k8s-app: mypod

  outboundTrafficPolicy:
    mode: REGISTRY_ONLY    

  egress: 
    - hosts:
        - 'default/*'

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: all-external

spec:
  location: MESH_EXTERNAL
  resolution: DNS
  hosts:
    - '*'
  ports:
    - name: http
      protocol: HTTP
      number: 80
    - name: https
      protocol: TLS
      number: 443

Istio 1.11.4

4

1 回答 1

1

我是用NetworkPolicy. 允许到 kubernetes 和 istio 相关服务的流量(不仅基于命名空间可能更严格):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp-eg-system

spec:
  podSelector:
    matchLabels:
      app: myapp

  policyTypes:
    - Egress

  egress:
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: istio-system

允许除集群网络 IP 空间之外的任何内容:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp-eg-app

spec:
  podSelector:
    matchLabels:
      app: myapp

  policyTypes:
    - Egress

  egress:
    - to:
      # Restrict to external traffic
      - ipBlock:
          cidr: '0.0.0.0/0'
          except:
            - '172.0.0.0/8'

      - podSelector:
          matchLabels:
            app: myapp

      ports:
        - protocol: TCP
于 2021-11-12T12:35:38.243 回答