車載乙太網第二彈|測試之實錘-TC8 TCP/IP協議一致性測試實踐
阿新 • • 發佈:2021-12-15
網路策略需要依賴cni 網路外掛,calico 通過自定義k8s 資源支援網路策略
配置檔案
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name:
namespace:
labels:
annotations:
spec:
下面詳細描述NetworkPolicy.spec
podSelector 指定了該網路策略作用的Pod範圍
- 作用於
NetworkPolicy.metadata.namespace名稱空間的所有pod
spec:
podSelector: {}
- 作用於指定標籤的pod
spec:
podSelector:
matchLabels:
app: db
spec:
podSelector:
matchExpressions:
- key: app
operator: In
values:
- db
policyTypes 指定流入流出的網路策略
- 如果不指定則使用預設的策略,預設Ingress和Egress 都是通過
spec:
policyTypes: []
- 禁止所有的流出策略,不定義
spec.egress
spec: policyTypes: - Egress
- 禁止所有的流入策略,不定義
spec.ingress
spec:
policyTypes:
- Ingress
- 允許所有的流出策略
spec:
policyTypes:
- Egress
egress: {}
- 允許所有的流入策略
spec:
policyTypes:
- Ingress
ingress: {}
ingress 控制流入的具體策略
spec: ingress: - from: - ipBlock: cidr: "10.4.7.1/24" expect: - "10.4.7.50/32" - "192.168.123.1/24" - namespaceSelector: matchLabels: {} matchExpressions: {} - podSelector: matchLabels: {} matchExpressions: {} - ports: - protocol: TCP port: 8000
egress 控制流出的具體策略
spec:
ingress:
- to:
- ipBlock:
cidr: "10.4.7.1/24"
expect:
- "10.4.7.50/32"
- "192.168.123.1/24"
- namespaceSelector:
matchLabels: {}
matchExpressions: {}
- podSelector:
matchLabels: {}
matchExpressions: {}
- ports:
- protocol: TCP
port: 8000
測試檔案
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: test
spec:
selector:
matchLabels:
app: web
template:
metadata:
labels:
app: web
spec:
containers:
- name: web
image: python
command: ["python","-m","http.server"]
---
apiVersion: v1
metadata: v1
kind: Service
metadata:
name: myapp
spec:
selector:
app: web
ports:
- port: 8000
targetPort: 8000