如何编写网络策略文件以允许流量仅从几个IP地址访问应用程序(例如:127.18.12.1,127.19.12.3)。我已经参考了文件https://github.com/ahmetb/kubernetes-network-policy-recipes,但没有找到满意的答案。如果有人帮助我编写网络策略文件,那就太好了。我还参考了Kubernetes的网络政策官方文档。
我的示例代码
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: example
spec:
podSelector:
matchLabels:
app: couchdb
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 127.18.12.1/16
ports:
- protocol: TCP
port: 8080
如果您不想编辑网络策略并限制来自特定域的入口流量,则可以使用喜欢的注释来编辑入口:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: restricted-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/from-to-www-redirect: "True"
nginx.ingress.kubernetes.io/force-ssl-redirect: "True"
nginx.ingress.kubernetes.io/whitelist-source-range: "00.0.0.0, 142.12.85.524"
对于网络策略
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-policy
namespace: default
spec:
podSelector:
matchLabels:
app: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
出口:- 至:-ipBlock:cidr:10.0.0.0/24端口:-协议:TCP端口:5978