# Question 6: Network Policy

###### tags: `Exam Question Walkthrough`

Switch cluster: `kubectl config use-context k8s`

**Task**

Create a NetworkPolicy named **pod-access** to restrict access to Pod **products-service** running in namespace **development**. Only allow the following Pods to connect to Pod **products-service**:

* Pods in the namespace **testing**
* Pods with label **environment: staging**, in any namespace

Make sure to apply the NetworkPolicy. You can find a skeleton manifest file at /cks/6/p1.yaml

## Solution

Copy the YAML from the official docs directly as the skeleton: [k8s.io/network-policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource)

**Tips**:

1. The target being accessed is in ns development, so the network policy is deployed in that ns.
2. Check whether ns development already has a network policy, so that an existing one does not interfere with the result.
3. Following the question, first look up the labels of the ns and the Pod.

```
kubectl get ns --show-labels
NAME                STATUS   AGE   LABELS
calico-system       Active   85d   name=calico-system
default             Active   98d   <none>
development         Active   45h   <none>
gatekeeper-system   Active   85d   admission.gatekeeper.sh/ignore=no-self-managing,control-plane=controller-manager,gatekeeper.sh/system=yes
kube-node-lease     Active   98d   <none>
kube-public         Active   98d   <none>
kube-system         Active   98d   <none>
monitoring          Active   45h   <none>
projectcontour      Active   35d   <none>
qa                  Active   44h   <none>
testing             Active   22m   stage=testing
tigera-operator     Active   98d   name=tigera-operator

kubectl get pod -A -l environment=staging
NAMESPACE     NAME      READY   STATUS    RESTARTS   AGE
development   6np-pod   1/1     Running   0          19m

kubectl get pod -n development --show-labels
NAME               READY   STATUS    RESTARTS   AGE   LABELS
products-service   1/1     Running   0          21m   run=products-service
```

We see that ns testing carries the label stage=testing, while the Pod with the environment=staging label is in ns development. The question asks to allow, respectively, ns testing and any Pod with the environment=staging label to access products-service in ns development.
Create the NP:

```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pod-access
  namespace: development
spec:
  podSelector:
    matchLabels:
      run: products-service
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Rule 1: any Pod in a namespace labelled stage=testing (i.e. ns testing)
    - namespaceSelector:
        matchLabels:
          stage: testing
    # Rule 2: Pods labelled environment=staging in any namespace.
    # A bare podSelector only matches Pods in the policy's own namespace
    # (development), so an empty namespaceSelector is combined with it in
    # the same list element to cover every namespace.
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          environment: staging
```

## Verification

Within the same ns, a Pod with the environment=staging label can ping products-service, whereas a Pod without that label in the same ns cannot.

```
kubectl get pod -n development -owide
NAME               READY   STATUS    RESTARTS   AGE   IP                NODE          NOMINATED NODE   READINESS GATES
6np-deny-pod       1/1     Running   0          4s    192.168.110.59    ubuk8s-vm03   <none>           <none>
6np-pod            1/1     Running   0          29m   192.168.110.58    ubuk8s-vm03   <none>           <none>
products-service   1/1     Running   0          23m   192.168.204.147   ubuk8s-vm04   <none>           <none>

kubectl exec -n development 6np-pod -- ping 192.168.204.147 -c 3
PING 192.168.204.147 (192.168.204.147) 56(84) bytes of data.
64 bytes from 192.168.204.147: icmp_seq=1 ttl=62 time=1.07 ms
64 bytes from 192.168.204.147: icmp_seq=2 ttl=62 time=0.750 ms
64 bytes from 192.168.204.147: icmp_seq=3 ttl=62 time=0.734 ms

--- 192.168.204.147 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2022ms
rtt min/avg/max/mdev = 0.734/0.850/1.068/0.153 ms

kubectl exec -n development 6np-deny-pod -- ping 192.168.204.147 -c 3
PING 192.168.204.147 (192.168.204.147) 56(84) bytes of data.

--- 192.168.204.147 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2050ms
command terminated with exit code 1
```
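The ping test above only covers sources inside ns development. As an added example (not part of the original write-up), the script below models the NetworkPolicy `from` semantics offline, so the two rules can be checked against sources in other namespaces too; namespace and Pod labels are constructed from the kubectl output above, and the `qa` source Pod is hypothetical.

```python
# Added example: minimal offline evaluator of NetworkPolicy ingress `from` rules.
# Constructed namespace labels, taken from `kubectl get ns --show-labels` above.
NAMESPACE_LABELS = {
    "development": {},
    "testing": {"stage": "testing"},
    "qa": {},
}

# The pod-access policy lives in namespace "development".
POLICY_NAMESPACE = "development"

# `from` peers as written in the manifest above (empty namespaceSelector = all ns).
FROM_PEERS = [
    {"namespaceSelector": {"stage": "testing"}},
    {"namespaceSelector": {}, "podSelector": {"environment": "staging"}},
]

# The same rules with a bare podSelector, for comparison: rule 2 then only
# reaches Pods in the policy's own namespace.
FROM_PEERS_BARE = [
    {"namespaceSelector": {"stage": "testing"}},
    {"podSelector": {"environment": "staging"}},
]


def matches(selector, labels):
    """matchLabels semantics: every key/value of the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_allows(peer, src_ns, src_labels):
    """Evaluate one `from` element: selectors inside an element are ANDed, and a
    podSelector without namespaceSelector is scoped to the policy's namespace."""
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(src_ns, {})):
            return False
    elif src_ns != POLICY_NAMESPACE:
        return False
    if "podSelector" in peer and not matches(peer["podSelector"], src_labels):
        return False
    return True


def ingress_allowed(src_ns, src_labels, peers=FROM_PEERS):
    """Elements of `from` are ORed: any matching peer admits the source Pod."""
    return any(peer_allows(p, src_ns, src_labels) for p in peers)
```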