Continuing again. Starting with no network policies in place.
access-nginx -> default-deny
Does the order in which the policies are created matter?
core@kb1 ~ $ kubectl create -f - <<EOF
> kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: access-nginx
>   namespace: policy-demo
> spec:
>   podSelector:
>     matchLabels:
>       run: nginx
>   ingress:
>     - from:
>       - podSelector:
>           matchLabels:
>             run: access
> EOF
networkpolicy.networking.k8s.io/access-nginx created
core@kb1 ~ $ kubectl create -f - <<EOF
> kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: default-deny
>   namespace: policy-demo
> spec:
>   podSelector:
>     matchLabels: {}
> EOF
networkpolicy.networking.k8s.io/default-deny created
From pod:access:
/ # echo $HOSTNAME
access-7c5df8f4c-b8p5b
/ # wget -q --timeout=5 nginx -O -
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
From pod:cant-access. No access.
/ # echo $HOSTNAME
cant-access-7587658dc7-h5b7f
/ # wget -q --timeout=5 nginx -O -
wget: download timed out
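Maybe once there is even one policy, it becomes default-deny, and allow takes precedence regardless of the order in which they are applied? I'll check later.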
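Kubernetes documents NetworkPolicy as additive: a pod selected by any policy is isolated for ingress, and the traffic it accepts is the union of what the selecting policies allow, so creation order does not enter the decision. The following is an added example, not part of the original post, that models that rule for the two policies above and checks every ordering; the function names are hypothetical, only same-namespace podSelector peers are modelled, and the pod labels (run=<name>, including run=cant-access) are assumptions.

```python
from itertools import permutations

# The two policies from this page, reduced to the fields that matter for ingress.
ACCESS_NGINX = {"name": "access-nginx", "podSelector": {"run": "nginx"},
                "ingress": [{"from": [{"run": "access"}]}]}
DEFAULT_DENY = {"name": "default-deny", "podSelector": {}, "ingress": []}

# Constructed pod labels (assumption: each pod carries run=<name>).
PODS = {"nginx": {"run": "nginx"}, "access": {"run": "access"},
        "cant-access": {"run": "cant-access"}}


def matches(selector, labels):
    """An empty matchLabels selector matches every pod in the namespace."""
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(policies, src, dst):
    """Same-namespace ingress decision under additive NetworkPolicy semantics."""
    selecting = [p for p in policies if matches(p["podSelector"], PODS[dst])]
    if not selecting:
        return True  # no policy selects dst, so the pod is not isolated
    # Isolated: allowed only if some rule of some selecting policy admits src.
    return any(matches(peer, PODS[src])
               for p in selecting
               for rule in p["ingress"]
               for peer in rule["from"])


def verdicts(policies):
    """Can each client pod reach the nginx pod under this policy list?"""
    return {src: ingress_allowed(policies, src, "nginx")
            for src in ("access", "cant-access")}


def order_independent(policies):
    """True if every ordering of the policies yields the same verdicts."""
    results = [verdicts(list(perm)) for perm in permutations(policies)]
    return all(r == results[0] for r in results)


if __name__ == "__main__":
    print("no policies:      ", verdicts([]))
    print("default-deny only:", verdicts([DEFAULT_DENY]))
    print("both policies:    ", verdicts([ACCESS_NGINX, DEFAULT_DENY]))
    print("order independent:", order_independent([ACCESS_NGINX, DEFAULT_DENY]))
```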
Cleanup
$ kubectl delete ns policy-demo
namespace "policy-demo" deleted
$ kubectl get all --namespace=policy-demo
No resources found.