使用Azure CNI网络策略仅允许从Kubernetes单元到特定FQDN/DNS的出口

fivyi3re 于 2022-12-11 发布在 Kubernetes

关注(0)|答案(3)|浏览(179)

How can egress from a Kubernetes pod be limited to only specific FQDN/DNS with Azure CNI Network Policies?
This is something that can be achieved with:
Istio

apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: googleapis
  namespace: default
spec:
  destination:
      service: "*.googleapis.com"
  ports:
      - port: 443
        protocol: https

Cilium

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "fqdn"
spec:
  endpointSelector:
    matchLabels:
      app: some-pod
  egress:
  - toFQDNs:
    - matchName: "api.twitter.com"  
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"

OpenShift

apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: default-rules 
spec:
  egress: 
  - type: Allow
    to:
      dnsName: www.example.com
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0

How can something similar be done with Azure CNI Network Policies?

kubernetes

来源：https://stackoverflow.com/questions/69635928/allow-egress-from-a-kubernetes-pod-to-only-specific-fqdn-dns-with-azure-cni-netw

3条答案

按热度按时间

lhcgjxsq1#

AKS上不支持具有FQDN/DNS规则的ATM网络策略。
如果您使用Azure CNI和Azure策略插件，您将获得默认的Kubernetes网络策略。
如果您使用Azure CNI & Calico Policy Plugin，您可以获得高级功能，如全球网络策略，但不能获得FQDN/DNS。不幸的是，这是Calico Cloud上的付费功能。

赞(0）回复(0）举报 2022-12-11

3j86kqsm2#

应用K8s网络策略
`

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-rules
spec:
  podSelector:
    matchLabels:
      role: pod_role
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    - host: www.example.com

`
参考https://kubernetes.io/docs/concepts/services-networking/network-policies/

赞(0）回复(0）举报 2022-12-11

jum4pzuy3#

如果有人从谷歌点击此页面：
我找到了一个解决方案，它在我的云提供商（OpenTelekomCloud）上运行得很好，可能在许多其他云提供商上也会运行得很好。
有一个名为gke-fqdnnetworkpolicies-golang的项目
通过定义自定义资源

apiVersion: networking.gke.io/v1alpha3
kind: FQDNNetworkPolicy
metadata:
  name: allow-test
  namespace: test1
spec:
  podSelector: {}
  egress:
    - to:
      - fqdns:
        - heise.de
      ports:
      - port: 443
        protocol: TCP
      - port: 80
        protocol: TCP

它将解析FQDN，生成最终的网络策略，并每30秒更新一次记录。这是最终策略的外观

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-test
  namespace: test1
  annotations:
    fqdnnetworkpolicies.networking.gke.io/owned-by: allow-test
spec:
  podSelector: {}
  egress:
    - ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80
      to:
        - ipBlock:
            cidr: 128.65.210.8/32
  policyTypes:
    - Ingress
    - Egress

我必须在yaml（从发布页面下载）中将以下权限附加到clusterRolefqdnnetworkpolicies-manager-role，以使其在GKE之外工作

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fqdnnetworkpolicies-manager-role
rules:

...

- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies/status
  verbs:
  - get
  - patch
  - update

赞(0）回复(0）举报 2022-12-11

我来回答

使用Azure CNI网络策略仅允许从Kubernetes单元到特定FQDN/DNS的出口

3条答案

相关问题

热门标签

最新问答