限制 AKS Pod 访问特定 IP 地址范围

huangapple go评论65阅读模式
英文:

Restricting AKS Pod Access to Specific IP Address Range

问题

我正在尝试在Azure Kubernetes Service (AKS)中创建一个网络策略,允许只有特定的IP地址范围访问特定的Pod。出于测试目的,我想从我的当前PC的IP地址开始允许访问。

我使用以下命令创建了一个具有所需网络策略的AKS集群,其中RESOURCE_GROUP_NAME和CLUSTER_NAME是你的资源组和集群名称变量:

az aks create \
    --resource-group $RESOURCE_GROUP_NAME \
    --name $CLUSTER_NAME \
    --node-count 1 \
    --network-plugin azure \
    --network-policy azure

然后,我使用以下命令为我的Pod添加了 "access-restricted" 标签,其中 <pod-name> 应替换为你的Pod的名称:

kubectl label pods <pod-name> access=restricted

我的网络策略如下所示(注意 matchLabels - 这就是我为Pod添加标签的原因):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-my-pc
spec:
  podSelector:
    matchLabels:
      access: restricted
  ingress:
  - from:
    - ipBlock:
        cidr: <my-ip-address>/32

尽管应用了网络策略,但我似乎仍然可以从任何IP地址无限制地访问Pod。网络策略未按预期工作。Pod正在运行且处于就绪状态,Service正在使用具有外部IP的负载均衡器 - 一切都正常工作,只是我无法限制访问。

我做错了什么?

英文:

I'm trying to create a network policy in Azure Kubernetes Service (AKS) that allows access to a specific pod from only a specific IP address range. For testing purposes, I want to start with allowing access only from my current PC's IP address.

I created an AKS cluster with the required network policy using "azure":

az aks create \
    --resource-group $RESOURCE_GROUP_NAME \
    --name $CLUSTER_NAME \
    --node-count 1 \
    --network-plugin azure \
    --network-policy azure

I labeled my pod with "access-restricted":

kubectl label pods &lt;pod-name&gt; access=restricted

And my network policy looks like this (notice the matchLabels - that's why I labeled the pod):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-my-pc
spec:
  podSelector:
    matchLabels:
      access: restricted
  ingress:
  - from:
    - ipBlock:
        cidr: &lt;my-ip-address&gt;/32

Despite applying the network policy, I still seem to have unrestricted access to the pod from any IP address. The network policy is not working as expected. Pod is running and in Ready state, Service is using Load Balancer with external IP - all is working fine, I just can't restrict it.

What am I doing wrong?

答案1

得分: 0

你应该通过服务公开你的 Pod。然后你可以按照这个确切的方案进行操作:https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#restrict-inbound-traffic-to-specific-ip-ranges

apiVersion: v1
kind: Service
metadata:
  name: azure-vote-front
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: azure-vote-front
  loadBalancerSourceRanges:
  - MY_EXTERNAL_IP_RANGE
英文:

You should expose your pod through a service. Then you can just follow this exact scenario: https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#restrict-inbound-traffic-to-specific-ip-ranges

apiVersion: v1
kind: Service
metadata:
  name: azure-vote-front
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: azure-vote-front
  loadBalancerSourceRanges:
  - MY_EXTERNAL_IP_RANGE

huangapple
  • 本文由 发表于 2023年7月20日 21:31:57
  • 转载请务必保留本文链接:https://go.coder-hub.com/76730426.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定