문제 설명
Kubernetes 네트워크 정책 ‑ 트래픽이 특정 포트를 통해서만 서비스되도록 허용 (Kubernetes Network Policy ‑ Allowing traffic to service over specific port only)
GKE 클러스터 v1.21이 있고 네트워크 정책이 사용 설정되어 있습니다.
다음을 사용하여 클러스터 내의 모든 수신 및 송신 트래픽을 거부했습니다.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default‑deny‑all‑traffic
spec:
podSelector: {}
policyTypes:
‑ Ingress
‑ Egress
배포 및 내부 로드 밸런서는 443에서 수신 대기합니다.
apiVersion: v1
kind: Service
metadata:
name: my‑service
annotations:
cloud.google.com/load‑balancer‑type: "Internal"
spec:
selector:
app: my‑webserver
ports:
‑ port: 443
targetPort: 8080
type: LoadBalancer
my‑webserver에 https 요청을 보내려는 my‑deployment라는 또 다른 배포가 있습니다.
저는 다음 정책을 설정하십시오.
my‑webserver의 수신 허용
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow‑ingress‑my‑webserver
spec:
policyTypes:
‑ Ingress
podSelector:
matchLabels:
app: my‑webserver
ingress:
‑ from:
‑ podSelector:
matchLabels:
app: my‑deployment
ports:
‑ protocol: TCP
port: 443
my‑deployment의 송신 허용
6apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow‑egress‑my‑deployment
spec:
podSelector:
matchLabels:
app: my‑deployment
policyTypes:
‑ Egress
egress:
‑ to:
‑ podSelector:
matchLabels:
app: my‑webserver
ports:
‑ protocol: TCP
port: 443
해당 네트워크 정책은 my‑deployment에서 my‑webserver로 요청을 보낼 수 있습니다.
그러나 두 정책에서 포트 섹션을 제거하면‑ my‑deployment에서 my‑webserver로 https 호출을 할 수 있습니다.
하지만 특정 포트와 특정 프로토콜에서만 연결을 허용할 수 있도록 하고 싶습니다.
특정 포트로만 연결을 제한하는 방법이 있습니까?
참조 솔루션
방법 1:
I am assuming you are testing from a my‑deployment's Pod and hitting the External LB's IP address, if that is the case; this is happening because the communication you are allowing is just from the source Pod to the service, you are missing the part from the service to the destination Pod.
As per Google's documentation:
You can use GKE's Network Policy Enforcement to control the communication between your cluster's Pods and Services. You define a network policy by using the Kubernetes Network Policy API to create Pod‑level firewall rules. These firewall rules determine which Pods and Services can access one another inside your cluster.
</blockquote>What you need to do, is to allow the port 8080 as well in both policies:
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow‑ingress‑my‑webserver spec: policyTypes: ‑ Ingress podSelector: matchLabels: app: my‑webserver ingress: ‑ from: ‑ podSelector: matchLabels: app: my‑deployment ports: ‑ protocol: TCP port: 8080 ‑ protocol: TCP port: 443 ‑‑‑ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow‑egress‑my‑deployment spec: podSelector: matchLabels: app: my‑deployment policyTypes: ‑ Egress egress: ‑ to: ‑ podSelector: matchLabels: app: my‑webserver ports: ‑ protocol: TCP port: 8080 ‑ protocol: TCP port: 443
(by Montoya、Gabriel Robledo Ahumada)
참조 문서