Kubernetes 네트워크 정책 - 트래픽이 특정 포트를 통해서만 서비스되도록 허용 (Kubernetes Network Policy - Allowing traffic to service over specific port only)

문제 설명

Kubernetes 네트워크 정책 ‑ 트래픽이 특정 포트를 통해서만 서비스되도록 허용 (Kubernetes Network Policy ‑ Allowing traffic to service over specific port only)

GKE 클러스터 v1.21이 있고 네트워크 정책이 사용 설정되어 있습니다.

다음을 사용하여 클러스터 내의 모든 수신 및 송신 트래픽을 거부했습니다.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default‑deny‑all‑traffic
spec:
  podSelector: {}
  policyTypes:
  ‑ Ingress
  ‑ Egress

배포 및 내부 로드 밸런서는 443에서 수신 대기합니다.

apiVersion: v1
kind: Service
metadata:
  name: my‑service
  annotations:
    cloud.google.com/load‑balancer‑type: "Internal"
spec:
  selector:
    app: my‑webserver
  ports:
    ‑ port: 443
      targetPort: 8080
  type: LoadBalancer

my‑webserver에 https 요청을 보내려는 my‑deployment라는 또 다른 배포가 있습니다.

저는 다음 정책을 설정하십시오.

my‑webserver의 수신 허용

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow‑ingress‑my‑webserver
spec:
  policyTypes:
  ‑ Ingress
  podSelector:
    matchLabels:
      app: my‑webserver
  ingress:
  ‑ from:     
    ‑ podSelector:
        matchLabels:
          app: my‑deployment
    ports:
    ‑ protocol: TCP
      port: 443

my‑deployment의 송신 허용

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow‑egress‑my‑deployment
spec:
  podSelector:
    matchLabels:
      app: my‑deployment
  policyTypes:
  ‑ Egress
  egress:
  ‑ to:
    ‑ podSelector:
        matchLabels:
          app: my‑webserver
    ports:
    ‑ protocol: TCP
      port: 443

해당 네트워크 정책은 my‑deployment에서 my‑webserver로 요청을 보낼 수 있습니다.

그러나 두 정책에서 포트 섹션을 제거하면‑ my‑deployment에서 my‑webserver로 https 호출을 할 수 있습니다.

하지만 특정 포트와 특정 프로토콜에서만 연결을 허용할 수 있도록 하고 싶습니다.

특정 포트로만 연결을 제한하는 방법이 있습니까?

참조 솔루션

방법 1:

I am assuming you are testing from a my‑deployment's Pod and hitting the External LB's IP address, if that is the case; this is happening because the communication you are allowing is just from the source Pod to the service, you are missing the part from the service to the destination Pod.

As per Google's documentation:

You can use GKE's Network Policy Enforcement to control the communication between your cluster's Pods and Services. You define a network policy by using the Kubernetes Network Policy API to create Pod‑level firewall rules. These firewall rules determine which Pods and Services can access one another inside your cluster.

</blockquote>

What you need to do, is to allow the port 8080 as well in both policies:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow‑ingress‑my‑webserver
spec:
  policyTypes:
  ‑ Ingress
  podSelector:
    matchLabels:
      app: my‑webserver
  ingress:
  ‑ from:
    ‑ podSelector:
        matchLabels:
          app: my‑deployment
    ports:
    ‑ protocol: TCP
      port: 8080
    ‑ protocol: TCP
      port: 443
‑‑‑
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow‑egress‑my‑deployment
spec:
  podSelector:
    matchLabels:
      app: my‑deployment
  policyTypes:
  ‑ Egress
  egress:
  ‑ to:
    ‑ podSelector:
        matchLabels:
          app: my‑webserver
    ports:
    ‑ protocol: TCP
      port: 8080
    ‑ protocol: TCP
      port: 443

(by Montoya、Gabriel Robledo Ahumada)

참조 문서

1. Kubernetes Network Policy ‑ Allowing traffic to service over specific port only (CC BY‑SA 2.5/3.0/4.0)