英文:
Restricting AKS Pod Access to Specific IP Address Range
问题
我正在尝试在Azure Kubernetes Service (AKS)中创建一个网络策略,允许只有特定的IP地址范围访问特定的Pod。出于测试目的,我想从我的当前PC的IP地址开始允许访问。
我使用以下命令创建了一个具有所需网络策略的AKS集群,其中RESOURCE_GROUP_NAME和CLUSTER_NAME是你的资源组和集群名称变量:
az aks create \
--resource-group $RESOURCE_GROUP_NAME \
--name $CLUSTER_NAME \
--node-count 1 \
--network-plugin azure \
--network-policy azure
然后,我使用以下命令为我的Pod添加了 "access-restricted" 标签,其中 <pod-name> 应替换为你的Pod的名称:
kubectl label pods <pod-name> access=restricted
我的网络策略如下所示(注意 matchLabels - 这就是我为Pod添加标签的原因):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-my-pc
spec:
podSelector:
matchLabels:
access: restricted
ingress:
- from:
- ipBlock:
cidr: <my-ip-address>/32
尽管应用了网络策略,但我似乎仍然可以从任何IP地址无限制地访问Pod。网络策略未按预期工作。Pod正在运行且处于就绪状态,Service正在使用具有外部IP的负载均衡器 - 一切都正常工作,只是我无法限制访问。
我做错了什么?
英文:
I'm trying to create a network policy in Azure Kubernetes Service (AKS) that allows access to a specific pod from only a specific IP address range. For testing purposes, I want to start with allowing access only from my current PC's IP address.
I created an AKS cluster with the required network policy using "azure":
az aks create \
--resource-group $RESOURCE_GROUP_NAME \
--name $CLUSTER_NAME \
--node-count 1 \
--network-plugin azure \
--network-policy azure
I labeled my pod with "access-restricted":
kubectl label pods <pod-name> access=restricted
And my network policy looks like this (notice the matchLabels - that's why I labeled the pod):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-my-pc
spec:
podSelector:
matchLabels:
access: restricted
ingress:
- from:
- ipBlock:
cidr: <my-ip-address>/32
Despite applying the network policy, I still seem to have unrestricted access to the pod from any IP address. The network policy is not working as expected. Pod is running and in Ready state, Service is using Load Balancer with external IP - all is working fine, I just can't restrict it.
What am I doing wrong?
答案1
得分: 0
你应该通过服务公开你的 Pod。然后你可以按照这个确切的方案进行操作:https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#restrict-inbound-traffic-to-specific-ip-ranges
apiVersion: v1
kind: Service
metadata:
name: azure-vote-front
spec:
type: LoadBalancer
ports:
- port: 80
selector:
app: azure-vote-front
loadBalancerSourceRanges:
- MY_EXTERNAL_IP_RANGE
英文:
You should expose your pod through a service. Then you can just follow this exact scenario: https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#restrict-inbound-traffic-to-specific-ip-ranges
apiVersion: v1
kind: Service
metadata:
name: azure-vote-front
spec:
type: LoadBalancer
ports:
- port: 80
selector:
app: azure-vote-front
loadBalancerSourceRanges:
- MY_EXTERNAL_IP_RANGE
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论