我添加了这个 NetworkPolicy 来阻止所有出口但允许 DNS。
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all-egress
namespace: {{ $namespace }}
spec:
podSelector: {}
egress:
- to:
- namespaceSelector:
matchLabels:
networking/namespace: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
policyTypes:
- Egress
但是,此规则适用的服务出现此错误: Could not lookup srv records on _origintunneld._tcp.argotunnel.com: lookup _origintunneld._tcp.argotunnel.com on 10.2.0.10:53: read udp 10.32.1.179:40784->10.2.0.10:53: i/o timeout
这个 IP (10.2.0.10) 属于 kube-dns 服务,它有一个带有k8s-app=kube-dns标签的 pod,并且在带有标签的 kube-system 命名空间中networking/namespace=kube-system。
如果我删除了 pod 选择器和命名空间选择器,那么出口策略将起作用并且我没有收到错误消息
这有效但不安全,因为它不限于 kube-dns pod:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all-egress
namespace: {{ $namespace }}
spec:
podSelector: {}
egress:
- to:
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
policyTypes:
- Egress
kube-system 命名空间 yaml: kubectl get namespace kube-system -o yaml
apiVersion: v1
kind: Namespace
metadata:
creationTimestamp: "2020-07-30T22:08:25Z"
labels:
networking/namespace: kube-system
name: kube-system
resourceVersion: "4084751"
selfLink: /api/v1/namespaces/kube-system
uid: b93e68b0-7899-4f39-a3b8-e0e12e4008ee
spec:
finalizers:
- kubernetes
status:
phase: Active
当前策略未明确允许流向 Kubernetes DNS 的流量。因此,{{ $namespace }}除非其他规则允许,否则来自 pod 的 DNS 查询将被丢弃。
创建 k8s DNS 的允许出口规则应该可以解决您的问题。
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all-egress
namespace: {{ $namespace }}
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
networking/namespace: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
- to:
- namespaceSelector: {}
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: UDP
| 归档时间: |
|
| 查看次数: |
286 次 |
| 最近记录: |