-
Notifications
You must be signed in to change notification settings - Fork 4
NPRC Allow all traffic to an application
Tanveer Alam edited this page Sep 15, 2019
·
1 revision
Allow all traffic to an application
[tan@kmaster ~]$ kubectl run web --image=nginx --labels app=web --expose --port 80
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
service/web created
deployment.apps/web createdDenying all incoming traffic
[tan@kmaster ~]$ cat net_policies/web-deny-all.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: web-deny-all
spec:
podSelector:
matchLabels:
app: web
ingress: [][tan@kmaster ~]$ kubectl apply -f net_policies/web-deny-all.yaml
networkpolicy.networking.k8s.io/web-deny-all created[tan@kmaster ~]$ kubectl run --generator=run-pod/v1 test-$RANDOM --rm -it --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web
wget: download timed outAllows traffic from all Pods in current as well as other namespaces.
Applying this policy makes any other policies restricting the traffic to the pod void(invalid).
[tan@kmaster ~]$ cat net_policies/web-allow-all.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: web-allow-all
namespace: default
spec:
podSelector:
matchLabels:
app: web
ingress:
- {}[tan@kmaster ~]$ kubectl apply -f net_policies/web-allow-all.yaml
networkpolicy.networking.k8s.io/web-allow-all created[tan@kmaster ~]$ kubectl run --generator=run-pod/v1 test-$RANDOM --rm -it --image=alpine -- sh
If you don't see a command prompt, try pressing enter.
/ #
/ # wget -qO- http://web
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>-
namespace: default: deploy this policy to the default namespace. -
podSelector: applies the ingress rule to pods withapp:label - Only one
ingressrule is specified, and it is empty.- Empty ingress rule({}) allows traffic from all pods in the current namespace, as well as other namespaces.
Equivalent to:
- from: podSelector: {} namespaceSelector: {}
- Empty ingress rule({}) allows traffic from all pods in the current namespace, as well as other namespaces.
Equivalent to:
Cleanup
[tan@kmaster ~]$ kubectl delete deployment,service web
deployment.extensions "web" deleted
service "web" deleted