Example - the difference between AND and OR for namespaceSelector and podSelector
The explanation is as follows:
For example, the following NetworkPolicy allows traffic from all Pods in the my-ns namespace that have a role: app label OR from all Pods in any namespaces that have a somelabel: myvalue label:
We write it like this. Here two separate rules are given, each introduced with its own "-", so they are ORed:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-networkpolicy1
  namespace: my-ns
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    # first peer: any pod in a namespace labelled somelabel: myvalue
    - namespaceSelector:
        matchLabels:
          somelabel: myvalue
    # second peer: pods labelled role: app in the policy's own namespace (my-ns)
    - podSelector:
        matchLabels:
          role: app
    ports:
    - protocol: TCP
      port: 80
```
The explanation is as follows:
However, a slightly different NetworkPolicy would allow traffic only from Pods that themselves have a label role: app AND that are in namespaces that have a somelabel: myvalue label:
We write it like this. Here a single rule is given with one "-", so both selectors must match (AND):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-networkpolicy2
  namespace: my-ns
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    # single peer: namespaceSelector AND podSelector in the same entry
    - namespaceSelector:
        matchLabels:
          somelabel: myvalue
      podSelector:
        matchLabels:
          role: app
    ports:
    - protocol: TCP
      port: 80
```
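To make the OR-versus-AND difference concrete, here is a small evaluator for the peer semantics of a `from` list, written for this post as an added example (it is not code from the Kubernetes project). It models only matchLabels; matchExpressions and ipBlock peers are left out, and the sample source pods are constructed.

```python
# Added example: evaluate NetworkPolicy `from` peers against a source pod.
# Only matchLabels is modelled; matchExpressions and ipBlock are out of scope.

def selector_matches(selector, labels):
    """matchLabels semantics: every listed label must be present with that value.
    An empty selector ({}) selects everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_allows(peer, policy_ns, src):
    """One entry of a `from` list. A namespaceSelector and a podSelector that sit
    in the SAME entry are ANDed. A podSelector without a namespaceSelector selects
    only pods in the policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, src["ns_labels"]):
            return False
        return pod_sel is None or selector_matches(pod_sel, src["pod_labels"])
    if pod_sel is not None:
        return src["ns"] == policy_ns and selector_matches(pod_sel, src["pod_labels"])
    return False  # ipBlock peers are not modelled here

def from_allows(from_list, policy_ns, src):
    """Separate entries of a `from` list are ORed: any matching peer admits traffic."""
    return any(peer_allows(peer, policy_ns, src) for peer in from_list)

# The two `from` lists from the post (test-networkpolicy1 vs test-networkpolicy2).
OR_FROM = [
    {"namespaceSelector": {"matchLabels": {"somelabel": "myvalue"}}},
    {"podSelector": {"matchLabels": {"role": "app"}}},
]
AND_FROM = [
    {"namespaceSelector": {"matchLabels": {"somelabel": "myvalue"}},
     "podSelector": {"matchLabels": {"role": "app"}}},
]

# Constructed sample source pods: namespace, namespace labels, pod labels.
SOURCES = {
    "app-pod-in-my-ns":       {"ns": "my-ns", "ns_labels": {}, "pod_labels": {"role": "app"}},
    "web-pod-in-labelled-ns": {"ns": "other", "ns_labels": {"somelabel": "myvalue"}, "pod_labels": {"role": "web"}},
    "app-pod-in-labelled-ns": {"ns": "other", "ns_labels": {"somelabel": "myvalue"}, "pod_labels": {"role": "app"}},
    "app-pod-in-plain-ns":    {"ns": "third", "ns_labels": {}, "pod_labels": {"role": "app"}},
}

def evaluate(policy_ns="my-ns"):
    """Return {source: (allowed by the OR policy, allowed by the AND policy)}."""
    return {name: (from_allows(OR_FROM, policy_ns, src), from_allows(AND_FROM, policy_ns, src))
            for name, src in SOURCES.items()}

if __name__ == "__main__":
    for name, (or_ok, and_ok) in evaluate().items():
        print(f"{name:24} OR-policy={or_ok!s:5} AND-policy={and_ok}")
```

Running it shows that only the pod carrying role: app inside a namespace labelled somelabel: myvalue passes the AND policy, while the OR policy also admits the role: app pod in my-ns and every pod in the labelled namespace.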
Since Kubernetes v1.21, a label named kubernetes.io/metadata.name is created automatically on every namespace. Its value is the namespace's name, so there is no need to add an extra label just to select a namespace. We write it like this:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-app-ns
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    # namespace selected by its automatic name label, ANDed with the podSelector
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: my-client-ns
      podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
```
Example - Don’t combine disparate NetworkPolicies
Suppose we have a policy like this:

```yaml
# This is bad because it grants access to more than it should
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-network-policy
  namespace: my-ns
spec:
  policyTypes:
  - Egress
  podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    - ipBlock:
        cidr: 93.184.216.34/32
    # these ports apply to every peer in the `to` list above
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
    - port: 80
      protocol: TCP
```
Here ports 53 and 80 are allowed both to the DNS pod and to the address 93.184.216.34/32, because the ports list of a rule applies to every peer in that rule's to list. What is actually intended is to allow only port 53 to the DNS pod and only port 80 to 93.184.216.34/32. The correct version is two separate policies, like this:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-allpods-to-dns
  namespace: my-ns
spec:
  policyTypes:
  - Egress
  podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```
and like this:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-cronjob-to-examplecom
  namespace: my-ns
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: cronjob
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 93.184.216.34/32
    ports:
    - protocol: TCP
      port: 80
```