1. How many network policies do you see in the environment? We have deployed a few web applications, services and network policies. Inspect the environment.
controlplane ~ ➜ k get networkpolicies
NAME             POD-SELECTOR   AGE
payroll-policy   name=payroll   36s
controlplane ~ ➜ k get networkpolicies -A
NAMESPACE   NAME             POD-SELECTOR   AGE
default     payroll-policy   name=payroll   43s
answer : 1
2. What is the name of the Network Policy?
answer : payroll-policy
3. Which pod is the Network Policy applied on?
controlplane ~ ➜ k describe networkpolicies.networking.k8s.io payroll-policy
Name:         payroll-policy
Namespace:    default
Created on:   2024-07-28 13:51:02 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     name=payroll
  Allowing ingress traffic:
    To Port: 8080/TCP
    From:
      PodSelector: name=internal
  Not affecting egress traffic
  Policy Types: Ingress
controlplane ~ ➜ k get pod --show-labels
NAME       READY   STATUS    RESTARTS   AGE    LABELS
external   1/1     Running   0          2m5s   name=external
internal   1/1     Running   0          2m5s   name=internal
mysql      1/1     Running   0          2m5s   name=mysql
payroll    1/1     Running   0          2m5s   name=payroll
answer : payroll
4. What type of traffic is this Network Policy configured to handle?
answer : Ingress
5. What is the impact of the rule configured on this Network Policy?
What Policy Types: Ingress means
1. Controlling traffic coming into the pod:
A network policy of type Ingress defines rules that allow or block traffic entering the selected pods. These rules are mainly used to filter the traffic a pod receives from outside the cluster or from other pods inside it.
2. What the policy applies to:
• A podSelector applies the policy to specific pods.
• A namespaceSelector selects pods in specific namespaces.
• Inside the ingress block, the from clause specifies the sources (for example specific pods, namespaces or IP ranges) from which traffic is allowed.
answer : Traffic From Internal to Payroll POD is allowed
6. What is the impact of the rule configured on this Network Policy?
answer : Internal POD can access port 8080 on Payroll POD
7. Access the UI of these applications using the link given above the terminal.
8. Perform a connectivity test using the User Interface in these Applications to access the payroll-service at port 8080.
answer : Only Internal application can access payroll service
9. Perform a connectivity test using the User Interface of the Internal Application to access the external-service at port 8080.
answer: Successful!
10. Create a network policy to allow traffic from the Internal application only to the payroll-service and db-service. Use the spec given below. You might want to enable ingress traffic to the pod to test your rules in the UI. Also, ensure that you allow egress traffic to DNS ports TCP and UDP (port 53) to enable DNS resolution from the internal pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - {}
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306
  - to:
    - podSelector:
        matchLabels:
          name: payroll
    ports:
    - protocol: TCP
      port: 8080
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
This NetworkPolicy defines the following behaviour for pods carrying the label name=internal:
• Ingress: all ingress traffic is allowed, i.e. traffic from any source to any port is permitted.
• Egress:
  • egress to pods labelled name=mysql on TCP port 3306 is allowed;
  • egress to pods labelled name=payroll on TCP port 8080 is allowed;
  • egress to any destination on UDP and TCP port 53 is allowed, so that DNS lookups keep working.
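To make those semantics concrete, here is an added Python model (not code from the lab or from Kubernetes itself) that evaluates the page's two policies against the lab's connectivity tests: a pod with no selecting policy for a direction allows everything, a selected pod allows only what some rule matches, and a connection needs both the source's egress and the destination's ingress to permit it. It assumes the pod labels listed above and a constructed kube-dns peer for the port-53 rule; real enforcement is done by the CNI plugin, and this single-namespace model ignores namespaceSelector and ipBlock peers.

```python
# Added model of the lab above (constructed; not the CNI's real enforcement logic).
# Labels of the lab's pods plus a constructed kube-dns peer so the port-53 rule can be exercised.
PODS = {
    "external": {"name": "external"}, "internal": {"name": "internal"},
    "mysql": {"name": "mysql"}, "payroll": {"name": "payroll"},
    "kube-dns": {"k8s-app": "kube-dns"},  # constructed stand-in for the cluster DNS
}

# The two policies from the page, reduced to the fields the evaluation needs.
PAYROLL_POLICY = {
    "podSelector": {"name": "payroll"}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"name": "internal"}}], "ports": [("TCP", 8080)]}],
}
INTERNAL_POLICY = {
    "podSelector": {"name": "internal"}, "policyTypes": ["Egress", "Ingress"],
    "ingress": [{}],  # an empty rule allows all ingress
    "egress": [
        {"to": [{"podSelector": {"name": "mysql"}}], "ports": [("TCP", 3306)]},
        {"to": [{"podSelector": {"name": "payroll"}}], "ports": [("TCP", 8080)]},
        {"ports": [("UDP", 53), ("TCP", 53)]},  # no 'to': any destination
    ],
}

def selects(selector, labels):
    """matchLabels semantics: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())

def rule_allows(rule, peer_key, peer_labels, proto, port):
    """A rule allows a flow when both its peer list and its port list match (absent = any)."""
    peers, ports = rule.get(peer_key), rule.get("ports")
    peer_ok = peers is None or any(selects(p["podSelector"], peer_labels) for p in peers)
    return peer_ok and (ports is None or (proto, port) in ports)

def allowed_by(policies, pod, direction, peer_labels, proto, port):
    """If no policy selects `pod` for `direction`, everything is allowed; otherwise the
    flow must match at least one rule of any selecting policy (rules are additive)."""
    relevant = [p for p in policies
                if selects(p["podSelector"], PODS[pod]) and direction in p["policyTypes"]]
    if not relevant:
        return True
    peer_key = "from" if direction == "Ingress" else "to"
    return any(rule_allows(r, peer_key, peer_labels, proto, port)
               for p in relevant for r in p.get(direction.lower(), []))

def can_connect(policies, src, dst, proto, port):
    """A connection needs the source's egress AND the destination's ingress to permit it
    (single-namespace model: podSelector peers only match pods in the policy's namespace)."""
    return (allowed_by(policies, src, "Egress", PODS[dst], proto, port)
            and allowed_by(policies, dst, "Ingress", PODS[src], proto, port))
```

With only payroll-policy applied, internal can still reach external:8080 (the step 9 result); once internal-policy selects the internal pod, that same flow is denied because no egress rule matches it.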