• Kubernetes

  • k8s生产环境怎样设置禁止部分Pod访问外网,如google、baidu等?

在k8s上部署应用之后,为了安全考虑,需要禁止部分Pod访问外网,查看docker-dns配置如下:
# cat /etc/systemd/system/docker.service.d/docker-dns.conf
[Service]
Environment="DOCKER_DNS_OPTIONS=\
--dns 10.233.0.3 --dns 223.6.6.6 \
--dns-search default.svc.cluster.local --dns-search svc.cluster.local \
--dns-opt ndots:2 --dns-opt timeout:2 --dns-opt attempts:2 \
"
如果去掉–dns 223.6.6.6 ,会导致全局无法解析外网,kubesphere应用商店等功能会受到影响,不知道有没有解决办法?

  • 可以用networkpolicy 的 podselector

    Isolated and Non-isolated Pods 
By default, pods are non-isolated; they accept traffic from any source.

Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. (Other pods in the namespace that are not selected by any NetworkPolicy will continue to accept all traffic.)

Network policies do not conflict; they are additive. If any policy or policies select a pod, the pod is restricted to what is allowed by the union of those policies' ingress/egress rules. Thus, order of evaluation does not affect the policy result.

The NetworkPolicy resource

可以用networkpolicy 的 podselector

Isolated and Non-isolated Pods 
By default, pods are non-isolated; they accept traffic from any source.

Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. (Other pods in the namespace that are not selected by any NetworkPolicy will continue to accept all traffic.)

Network policies do not conflict; they are additive. If any policy or policies select a pod, the pod is restricted to what is allowed by the union of those policies' ingress/egress rules. Thus, order of evaluation does not affect the policy result.

The NetworkPolicy resource