I have a Kubernetes cluster running on Google Kubernetes Engine (GKE) with network policy support enabled. I created an nginx deployment and load balancer for it:
I talked about this in my Network Policy recipes repository.
"Allowing EXTERNAL load balancers while DENYING local traffic" is not a use case that makes sense, therefore it's not possible using network policy.
For Service type=LoadBalancer and Ingress resources to work, you must allow ALL traffic to the pods selected by these resources.
If you REALLY want, you can use the from.ipBlock.cidr and from.ipBlock.cidr.except resources to allow traffic from 0.0.0.0/0 (all IPv4) and then exclude 10.0.0.0/8 (or whatever private IP range GKE uses).
I recently had to do something similar. I needed a policy that didn't allow pods from other namespaces to talk to prod, but did allow the LoadBalancer services to reach pods in prod. Here's what worked (based on Ahmet's post):
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-prod
  namespace: prod
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
  - from:
    - ipBlock:
        cidr: '0.0.0.0/0'
        except: ['10.0.0.0/8']
```
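To sanity-check what the isolate-prod policy above actually admits, here is an added Python evaluator (not code from the answer or from any Kubernetes project) that replays its two ingress rules against sample sources and lints the ipBlock; the pod IPs, the client IP and the dict form of the policy are constructed here, and the rule that an empty podSelector without a namespaceSelector only matches pods in the policy's own namespace follows the NetworkPolicy spec.

```python
import ipaddress

# The isolate-prod policy from the answer, as a dict (constructed here instead of
# parsed from YAML so the script has no PyYAML dependency).
ISOLATE_PROD = {
    "metadata": {"name": "isolate-prod", "namespace": "prod"},
    "spec": {
        "podSelector": {},
        "ingress": [
            {"from": [{"podSelector": {}}]},
            {"from": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}]},
        ],
    },
}


def except_ranges_valid(block):
    """Lint one ipBlock: every 'except' range must lie inside 'cidr' (the API
    server rejects the object otherwise)."""
    cidr = ipaddress.ip_network(block["cidr"])
    return all(ipaddress.ip_network(e).subnet_of(cidr) for e in block.get("except", []))


def ip_block_matches(block, src_ip):
    """True if src_ip is inside block['cidr'] and outside all block['except'] ranges."""
    ip = ipaddress.ip_address(src_ip)
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))


def ingress_allowed(policy, source):
    """Evaluate the policy's ingress rules for one source.

    source = {"ip": "<address>", "namespace": "<ns>" or None}; None means the
    source is not a pod (e.g. an external client). Peers within and across rules
    are OR-ed, so the first matching peer admits the connection.
    """
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"]["ingress"]:
        for peer in rule.get("from", []):
            if "podSelector" in peer and "namespaceSelector" not in peer:
                # Empty podSelector = every pod, but only in the policy's namespace.
                if source["namespace"] == policy_ns:
                    return True
            if "ipBlock" in peer and ip_block_matches(peer["ipBlock"], source["ip"]):
                return True
    return False
```

Whether the address the policy sees is the load balancer's real client IP or a rewritten one depends on the cluster's ingress path (source NAT), which this evaluator does not model.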