- \u30dd\u30ea\u30b7\u30fc\u306e\u968e\u5c64\u5316\u3068\u512a\u5148\u5ea6\u8a2d\u5b9a<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Namespace \u306b\u9650\u5b9a\u3055\u308c\u306a\u3044\u3001\u30af\u30e9\u30b9\u30bf\u30fc\u30ec\u30d9\u30eb\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8a2d\u5b9a<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
- \u30a2\u30af\u30b7\u30e7\u30f3\u30eb\u30fc\u30eb\u306e\u30b5\u30dd\u30fc\u30c8: Allow, Drop, Reject \u306e\u30a2\u30af\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u53ef\u80fd<\/ul>\n
\u6211\u5011\u5c07\u95dc\u6ce8Antrea\u53e2\u96c6\u7db2\u8def\u7b56\u7565\uff0c\u4ee5\u78ba\u8a8d\u5176\u529f\u80fd\u3002<\/p>\n
\u987a\u4fbf\u63d0\u4e00\u53e5\uff0c2021\u5e744\u670810\u65e5\uff0c\u5728\u672c\u6587\u64b0\u5199\u65f6\uff0cAntrea\u5df2\u7ecf\u8fbe\u5230\u4e861.0.0\u7248\u672c\u3002\u4e0b\u9762\u7684\u5185\u5bb9\u662f\u57fa\u4e8eAntrea 1.0.0\u8fdb\u884c\u64b0\u5199\u7684\u3002
\n\u53e6\u5916\uff0c\u9664\u4e86\u4e0a\u8ff0\u7684Project Antrea\u9875\u9762\u5916\uff0c\u6211\u8fd8\u53c2\u8003\u4e86\u4ee5\u4e0b\u6587\u7ae0\uff1a
\nhttps:\/\/blog.shin.do\/2020\/01\/antrea-yet-another-cni-plugin-for-kubernetes\/<\/p>\nAntrea \u96c6\u7fa4\u7684\u51c6\u5907<\/h1>\n
\u51c6\u5907\u4e00\u4e2a\u65b0\u7684 K8s \u96c6\u7fa4<\/h2>\n
\u8fd9\u6b21\u6211\u4f7f\u7528 kubeadm \u6765\u51c6\u5907\u4e00\u4e2a\u65b0\u7684 Kubernetes \u96c6\u7fa4\uff0c\u7528\u4e8e Antrea\u3002\u6211\u53c2\u8003\u4e86\u4ee5\u4e0b\u94fe\u63a5\u7684\u5185\u5bb9\uff1a
\nhttps:\/\/thinkit.co.jp\/article\/18188<\/p>\n\u6211\u914d\u7f6e\u4e861\u53f0Master\u548c2\u53f0Worker\uff0c\u4f46\u5728\u5e94\u7528CNI\u4e4b\u524d\uff0c\u5b83\u4eec\u5c06\u5904\u4e8eNotReady\u72b6\u6001\u3002<\/p>\n
$ <\/span>kubectl get node\r\nNAME STATUS ROLES AGE VERSION\r\nk8s-master NotReady control-plane,master 1d v1.20.5\r\nk8s-worker1 NotReady <none> 44m v1.20.5\r\nk8s-worker2 NotReady <none> 2m41s v1.20.5\r\n<\/code><\/pre>\n\u5c06 Antrea \u5e94\u7528\u5230\u96c6\u7fa4\u4e2d<\/h2>\n
\u4f5c\u4e3aCNI\uff0c\u6211\u4eec\u5c06\u5e94\u7528Antrea\u800c\u4e0d\u662fCalico\u3002\u6709\u5173Antrea\u7684\u521d\u59cb\u8bbe\u7f6e\uff0c\u8bf7\u53c2\u8003\u4ee5\u4e0b\u94fe\u63a5\uff1a
\nhttps:\/\/github.com\/vmware-tanzu\/antrea\/blob\/main\/docs\/getting-started.md<\/p>\n\u7531\u4e8e\u672c\u6b21\u4f7f\u7528 Antrea v1.0.0\uff0c\u5c06\u6309\u7167\u4ee5\u4e0b\u65b9\u5f0f\u6307\u5b9a\u5e76\u5e94\u7528\u3002<\/p>\n
$ <\/span>kubectl apply -f<\/span> https:\/\/github.com\/vmware-tanzu\/antrea\/releases\/download\/v1.0.0\/antrea.yml\r\n<\/code><\/pre>\n\u5982\u679c\u60f3\u5e94\u7528\u6700\u65b0\u7684\u7248\u672c\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u7684\u65b9\u5f0f\u3002<\/p>\n
$ <\/span>kubectl apply -f<\/span> https:\/\/raw.githubusercontent.com\/vmware-tanzu\/antrea\/main\/build\/yamls\/antrea.yml\r\n<\/code><\/pre>\n\u5e94\u7528 Antrea CNI \u540e\uff0c\u8282\u70b9\u5df2\u51c6\u5907\u5c31\u7eea\u3002<\/p>\n
$ <\/span>kubectl get node\r\nNAME STATUS ROLES AGE VERSION\r\nk8s-master Ready control-plane,master 1d v1.20.5\r\nk8s-worker1 Ready <none> 57m v1.20.5\r\nk8s-worker2 Ready <none> 15m v1.20.5\r\n<\/code><\/pre>\nantctl\u7684\u5b89\u88c5<\/h3>\n
antctl \u662f\u4e00\u4e2a\u901a\u8fc7\u63a7\u5236\u5668\u6765\u68c0\u67e5 Antrea \u914d\u7f6e\u548c\u72b6\u6001\u7684\u547d\u4ee4\u884c\u5de5\u5177\u3002\u4e3a\u4e86\u672a\u6765\u7684\u53ef\u80fd\u9700\u8981\uff0c\u5efa\u8bae\u5b89\u88c5\u6700\u65b0\u7248\u672c\u3002\u4ee5\u4e0b\u662f\u9002\u7528\u4e8e 1.0.0 \u7248\u672c\u7684 Linux\u3002<\/p>\n
$ <\/span>curl -Lo<\/span> .\/antctl \"https:\/\/github.com\/vmware-tanzu\/antrea\/releases\/download\/v1.0.0\/antctl-linux-x86_64\"<\/span>\r\n$ <\/span>chmod<\/span> +x .\/antctl\r\n$ <\/span>mv<\/span> .\/antctl \/usr\/local\/bin\r\n$ <\/span>antctl version\r\nantctlVersion: v1.0.0\r\ncontrollerVersion: v1.0.0\r\n<\/code><\/pre>\n\u786e\u8ba4\u8bbe\u7f6e<\/h3>\n
\u5728\u90e8\u7f72Antrea\u65f6\uff0c\u5c06\u4f1a\u521b\u5efaAntrea\u7684configmap\u3002\u60a8\u53ef\u4ee5\u786e\u8ba4\u5f53\u524d\u7684\u914d\u7f6e\u60c5\u51b5\u3002\u67e5\u770b\u5df2\u521b\u5efa\u7684antrea-config-xxxxxxxxx\u3002<\/p>\n
$ <\/span>kubectl get configmap antrea-config-5ct9ktdt77 -n<\/span> kube-system -o<\/span> yaml\r\n<\/code><\/pre>\n\u8fd9\u91cc\u6211\u4eec\u5c06\u786e\u8ba4AntreaPolicy\u7684\u8bbe\u7f6e\u3002\u5728antrea-agent.conf\u548cantrea-controller.conf\u7684\u8bbe\u7f6e\u4e2d\uff0cAntreaPolicy\u88ab\u8bbe\u7f6e\u4e3aTrue\uff0c\u4f46\u88ab\u6ce8\u91ca\u6389\u3002\u7531\u4e8e\u4eceAntrea 1.0\u7248\u672c\u5f00\u59cb\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0bAntrea Network Policy\u5df2\u542f\u7528\uff0c\u6240\u4ee5\u5df2\u7ecf\u88ab\u6fc0\u6d3b\u4e86\u3002<\/p>\n
apiVersion<\/span>:<\/span> v1<\/span>\r\ndata<\/span>:<\/span>\r\n antrea-agent.conf<\/span>:<\/span> |<\/span>\r\n # FeatureGates is a map of feature names to bools that enable or disable experimental features.<\/span>\r\n featureGates:<\/span>\r\n # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.<\/span>\r\n # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on<\/span>\r\n # Service traffic.<\/span>\r\n # AntreaProxy: true<\/span>\r\n\r\n # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice<\/span>\r\n # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,<\/span>\r\n # this flag will not take effect.<\/span>\r\n # EndpointSlice: false<\/span>\r\n\r\n # Enable traceflow which provides packet tracing feature to diagnose network issue.<\/span>\r\n # Traceflow: true<\/span>\r\n\r\n # Enable NodePortLocal feature to make the pods reachable externally through NodePort<\/span>\r\n # NodePortLocal: false<\/span>\r\n\r\n # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins<\/span>\r\n # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy<\/span>\r\n # feature that supports priorities, rule actions and externalEntities in the future.<\/span>\r\n # AntreaPolicy: true<\/span>\r\n\r\n(snip...)<\/span>\r\n\r\n antrea-controller.conf<\/span>:<\/span> |<\/span>\r\n # FeatureGates is a map of feature names to bools that enable or disable experimental features.<\/span>\r\n featureGates:<\/span>\r\n # Enable traceflow which provides packet tracing feature to diagnose network issue.<\/span>\r\n # Traceflow: true<\/span>\r\n\r\n # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins<\/span>\r\n # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy<\/span>\r\n # feature that supports priorities, rule actions and externalEntities in the future.<\/span>\r\n # AntreaPolicy: true<\/span>\r\n\r\n(snip...)<\/span>\r\n<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528Antrea\u96c6\u7fa4\u7f51\u7edc\u7b56\u7565<\/h1>\n
\u6211\u5011\u73fe\u5728\u4f86\u5be6\u969b\u4f7f\u7528 Antrea Cluster Network Policy\uff0c\u4e26\u4e14\u6bd4\u8f03\u4e00\u4e0b\u5b83\u8207 K8s \u6a19\u6e96\u7684 NetworkPolicy \u7684\u5dee\u7570\u3002<\/p>\n
\u90e8\u7f72\u793a\u4f8b\u5e94\u7528\u7a0b\u5f0f<\/h2>\n
\u9996\u5148\uff0c\u6211\u4eec\u5c06\u90e8\u7f72\u4e00\u4e2a\u7528\u4e8e\u8fdb\u884c\u64cd\u4f5c\u786e\u8ba4\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\u5c06Guestbook\u5e94\u7528\u7a0b\u5e8f\u90e8\u7f72\u5230\u9ed8\u8ba4\u7684\u547d\u540d\u7a7a\u95f4\u4e2d\u3002<\/p>\n
$ <\/span>kubectl apply -f<\/span> https:\/\/raw.githubusercontent.com\/kubernetes\/examples\/master\/guestbook-go\/redis-master-controller.json\r\n$ <\/span>kubectl apply -f<\/span> https:\/\/raw.githubusercontent.com\/kubernetes\/examples\/master\/guestbook-go\/redis-master-service.json\r\n$ <\/span>kubectl apply -f<\/span> https:\/\/raw.githubusercontent.com\/kubernetes\/examples\/master\/guestbook-go\/redis-slave-controller.json\r\n$ <\/span>kubectl apply -f<\/span> https:\/\/raw.githubusercontent.com\/kubernetes\/examples\/master\/guestbook-go\/redis-slave-service.json\r\n$ <\/span>kubectl apply -f<\/span> https:\/\/raw.githubusercontent.com\/kubernetes\/examples\/master\/guestbook-go\/guestbook-controller.json\r\n$ <\/span>kubectl apply -f<\/span> https:\/\/raw.githubusercontent.com\/kubernetes\/examples\/master\/guestbook-go\/guestbook-service.json\r\n<\/code><\/pre>\n\u521b\u5efa\u4e86\u4e09\u79cd\u7c7b\u578b\u7684\u670d\u52a1\u548c\u5bb9\u5668\uff1aguestbook\u3001redis-master\u3001redis-slave\u3002<\/p>\n
$ <\/span>kubectl get all -n<\/span> default\r\nNAME READY STATUS RESTARTS AGE\r\npod\/guestbook-hmsrw 1\/1 Running 0 23h\r\npod\/guestbook-nl7xv 1\/1 Running 0 23h\r\npod\/guestbook-s9spp 1\/1 Running 0 23h\r\npod\/redis-master-z2vjh 1\/1 Running 0 23h\r\npod\/redis-slave-cplgv 1\/1 Running 0 23h\r\npod\/redis-slave-r2tmz 1\/1 Running 0 23h\r\n\r\nNAME DESIRED CURRENT READY AGE\r\nreplicationcontroller\/guestbook 3 3 3 23h\r\nreplicationcontroller\/redis-master 1 1 1 23h\r\nreplicationcontroller\/redis-slave 2 2 2 23h\r\n\r\nNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(<\/span>S)<\/span> AGE\r\nservice\/guestbook LoadBalancer 10.109.117.193 <pending> 3000:30731\/TCP 23h\r\nservice\/kubernetes ClusterIP 10.96.0.1 <none> 443\/TCP 2d\r\nservice\/redis-master ClusterIP 10.98.195.90 <none> 6379\/TCP 23h\r\nservice\/redis-slave ClusterIP 10.109.248.115 <none> 6379\/TCP 23h\r\n<\/code><\/pre>\n\u8bbf\u5ba2\u7559\u8a00\u677f\u670d\u52a1\u662f\u8d1f\u8f7d\u5747\u8861\u7684\u7c7b\u578b\uff0c\u4f46\u7531\u4e8e\u6b64\u73af\u5883\u4e2d\u5c1a\u672a\u5b58\u5728\u63d0\u4f9b\u8005\u8d1f\u8f7d\u5747\u8861\u5668\uff0c\u56e0\u6b64EXTERNAL-IP\u4ecd\u5904\u4e8e\u5f85\u5b9a\u72b6\u6001\u3002\u6682\u65f6\uff0c\u8bf7\u4f7f\u7528NodePort\u901a\u8fc7\u4ee5\u4e0bURL\u8bbf\u95ee\uff0c\u5373\u53ef\u663e\u793a\u8bbf\u5ba2\u7559\u8a00\u677f\u7684\u7528\u6237\u754c\u9762\u3002192.168.110.91\u662f\u5de5\u4f5c\u8282\u70b9\u7684IP\u5730\u5740\u3002<\/p>\n
http:\/\/192.168.110.91:30731\/\r\n<\/span><\/code><\/pre>\n![\"image.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d193137434c4406c087a3\/37-0.png\" "\\"\\"")
<\/div>\n\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u5c06\u786e\u8ba4\u6bcf\u4e2a Pod \u7684\u6807\u7b7e\u8bbe\u7f6e\u3002\u524d\u7aef\u5bb9\u5668 guestbook \u5177\u6709 app: guestbook \u7684\u6807\u7b7e\uff0c\u540e\u7aef\u7684 redis-master \u548c redis-slave \u5177\u6709 app: redis \u7684\u6807\u7b7e\u3002\u8fd9\u4e9b\u6807\u7b7e\u5c06\u5728\u63a5\u4e0b\u6765\u7684 NetworkPolicy \u548c Antrea Network Policy \u7684 PodSelector \u8bbe\u7f6e\u4e2d\u4f7f\u7528\u3002<\/p>\n
$ <\/span>kubectl get pod -L<\/span> app\r\nNAME READY STATUS RESTARTS AGE APP\r\nguestbook-hmsrw 1\/1 Running 0 23h guestbook\r\nguestbook-nl7xv 1\/1 Running 0 23h guestbook\r\nguestbook-s9spp 1\/1 Running 0 23h guestbook\r\nredis-master-z2vjh 1\/1 Running 0 23h redis\r\nredis-slave-cplgv 1\/1 Running 0 23h redis\r\nredis-slave-r2tmz 1\/1 Running 0 23h redis\r\n<\/code><\/pre>\n\u7f51\u7edc\u7b56\u7565<\/h2>\n
\u5728\u5c1d\u8bd5 Antrea Cluster Network Policy \u4e4b\u524d\uff0c\u5148\u786e\u8ba4\u6807\u51c6 NetworkPolicy \u7684\u8fd0\u4f5c\u60c5\u51b5\u3002<\/p>\n
\u5728\u547d\u540d\u7a7a\u95f4\u4e2d\u5bf9\u5bb9\u5668\u4e4b\u95f4\u7684\u63a7\u5236<\/h3>\n
\u5e94\u7528\u4ee5\u4e0b\u7b56\u7565\uff0c\u786e\u8ba4\u5728\u547d\u540d\u7a7a\u95f4\u5185\uff0c\u524d\u7aefguestbook\u4e0e\u540e\u7aefredis\u7684\u901a\u4fe1\u53d7\u5230\u963b\u788d\u3002<\/p>\n
$ cat np1.yaml<\/span>\r\nkind<\/span>:<\/span> NetworkPolicy<\/span>\r\napiVersion<\/span>:<\/span> networking.k8s.io\/v1<\/span>\r\nmetadata<\/span>:<\/span>\r\n name<\/span>:<\/span> drop-access-to-redis<\/span>\r\nspec<\/span>:<\/span>\r\n policyTypes<\/span>:<\/span>\r\n -<\/span> Ingress<\/span>\r\n podSelector<\/span>:<\/span>\r\n matchLabels<\/span>:<\/span>\r\n app<\/span>:<\/span> redis<\/span>\r\n ingress<\/span>:<\/span>\r\n -<\/span> from<\/span>:<\/span>\r\n -<\/span> podSelector<\/span>:<\/span>\r\n matchLabels<\/span>:<\/span>\r\n app<\/span>:<\/span> other<\/span>\r\n$<\/span>\r\n$ kubectl apply -f np1.yaml<\/span>\r\nnetworkpolicy.networking.k8s.io\/drop-access-to-redis created<\/span>\r\n<\/code><\/pre>\n\u5f53\u518d\u6b21\u8bbf\u95eeGuestbook\u7684URL\u65f6\uff0c\u4f1a\u663e\u793a\u4ee5\u4e0b\u5185\u5bb9\uff0c\u8868\u660e\u65e0\u6cd5\u8fde\u63a5\u5230\u540e\u7aef\u3002<\/p>\n
![\"image.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d193137434c4406c087a3\/46-0.png\" "\\"\\"")
<\/div>\n\u5220\u9664\u6b64 NetworkPolicy \u540e\uff0c\u60a8\u5c06\u80fd\u591f\u91cd\u65b0\u8fde\u63a5\u3002<\/p>\n
$ <\/span>kubectl delete -f<\/span> np1.yaml\r\nnetworkpolicy.networking.k8s.io \"drop-access-to-redis\"<\/span> deleted\r\n<\/code><\/pre>\n\u547d\u540d\u7a7a\u95f4\u7528\u4e8e\u63a7\u5236\u5916\u90e8\u8bbf\u95ee\u3002<\/h3>\n
\u8fd9\u6b21\u6211\u4eec\u5c06\u521b\u5efa\u5e76\u5e94\u7528\u4e00\u4e2a\u7981\u6b62\u8bbf\u95ee\u524d\u7aefguestbook\u7684\u7b56\u7565\u3002<\/p>\n
$ <\/span>cat <\/span>np2.yaml\r\nkind: NetworkPolicy\r\napiVersion: networking.k8s.io\/v1\r\nmetadata:\r\n name: drop-access-to-guestbook\r\nspec:\r\n policyTypes:\r\n - Ingress\r\n podSelector:\r\n matchLabels:\r\n app: guestbook\r\n ingress:\r\n - from:\r\n - podSelector:\r\n matchLabels:\r\n app: other\r\n$<\/span>\r\n$ <\/span>kubectl apply -f<\/span> np2.yaml\r\nnetworkpolicy.networking.k8s.io\/drop-access-to-guestbook created\r\n<\/code><\/pre>\n\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u4ecd\u7136\u53ef\u4ee5\u901a\u8fc7NodePort\u4ece\u5916\u90e8\u8bbf\u95ee\u3002<\/p>\n
![\"image.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d193137434c4406c087a3\/53-0.png\" "\\"\\"")
<\/div>\n\u7136\u800c\uff0c\u4e0d\u5141\u8bb8\u901a\u8fc7\u524d\u7aef\u5bb9\u5668\u8bbf\u95eeClusterIP\u3002<\/p>\n
$ <\/span>kubectl exec <\/span>guestbook-hmsrw -it<\/span> --<\/span> sh\r\n\r\n\r\nBusyBox v1.21.1 (<\/span>Ubuntu 1:1.21.0-1ubuntu1)<\/span> built-in shell (<\/span>ash)<\/span>\r\nEnter 'help'<\/span> for <\/span>a list of built-in commands.\r\n\r\n\/app # wget -O - http:\/\/guestbook.default.svc.cluster.local:3000<\/span>\r\nConnecting to guestbook.default.svc.cluster.local:3000 (<\/span>10.109.117.193:3000)<\/span>\r\n^C\r\n\/app # <\/span>\r\n<\/code><\/pre>\n\u5220\u9664\u7b56\u7565\u540e\uff0c\u524d\u7aef\u4e5f\u53ef\u4ee5\u518d\u6b21\u8bbf\u95ee\u3002<\/p>\n
$ <\/span>kubectl delete -f<\/span> np2.yaml\r\nnetworkpolicy.networking.k8s.io \"drop-access-to-guestbook\"<\/span> deleted\r\n<\/code><\/pre>\n\/app # wget -O - http:\/\/guestbook.default.svc.cluster.local:3000<\/span>\r\nConnecting to guestbook.default.svc.cluster.local:3000 (<\/span>10.109.117.193:3000)<\/span>\r\n<!<\/span>DOCTYPE html>\r\n<html lang<\/span>=<\/span>\"en\"<\/span>><\/span>\r\n <head<\/span>><\/span>\r\n <meta content<\/span>=<\/span>\"text\/html; charset=utf-8\"<\/span> http-equiv=<\/span>\"Content-Type\"<\/span>><\/span>\r\n <meta charset<\/span>=<\/span>\"utf-8\"<\/span>><\/span>\r\n <meta content<\/span>=<\/span>\"width=device-width\"<\/span> name<\/span>=<\/span>\"viewport\"<\/span>><\/span>\r\n <link <\/span>href<\/span>=<\/span>\"style.css\"<\/span> rel<\/span>=<\/span>\"stylesheet\"<\/span>><\/span>\r\n <title>Guestbook<\/title>\r\n <\/head>\r\n <body>\r\n <div id<\/span>=<\/span>\"header\"<\/span>><\/span>\r\n <h1>Guestbook<\/h1>\r\n <\/div>\r\n\r\n(<\/span>snip...)<\/span>\r\n<\/code><\/pre>\n\u7528NodePort\u8fdb\u884c\u5916\u90e8\u63a7\u5236\u65f6\uff0c\u65e0\u6cd5\u4f7f\u7528NetworkPolicy\u3002<\/p>\n
\u547d\u540d\u7a7a\u95f4\u7684\u63a7\u5236<\/h3>\n
\u8fd9\u6b21\uff0c\u6211\u4eec\u5c06\u521b\u5efa\u4ee5\u4e0b\u7b56\u7565\uff0c\u5141\u8bb8\u5176\u4ed6\u547d\u540d\u7a7a\u95f4\u7684\u8bbf\u95ee\u3002<\/p>\n
$ <\/span>cat <\/span>np3.yaml\r\nkind: NetworkPolicy\r\napiVersion: networking.k8s.io\/v1\r\nmetadata:\r\n name: allow-access-from-other-ns\r\nspec:\r\n policyTypes:\r\n - Ingress\r\n podSelector:\r\n matchLabels:\r\n app: guestbook\r\n ingress:\r\n - from:\r\n - namespaceSelector:\r\n matchLabels:\r\n project: test<\/span>\r\n - podSelector:\r\n matchLabels:\r\n app: other\r\n$<\/span>\r\n$ <\/span>kubectl apply -f<\/span> np3.yaml\r\nnetworkpolicy.networking.k8s.io\/allow-access-from-other-ns created\r\n<\/code><\/pre>\n\u4e3a\u4e86\u8fdb\u884c\u8fd9\u4e2a\u6d4b\u8bd5\uff0c\u6682\u65f6\u521b\u5efa\u4e00\u4e2a\u540d\u4e3atest\u7684\u547d\u540d\u7a7a\u95f4\uff0c\u5e76\u7ed9\u5176\u6dfb\u52a0\u9879\u76ee\uff1atest\u7684\u6807\u7b7e\u3002<\/p>\n
$ <\/span>kubectl create namespace test\r\n<\/span>namespace\/test created\r\n$ <\/span>kubectl label namespace test <\/span>project<\/span>=<\/span>test\r\n<\/span>namespace\/test labeled\r\n<\/code><\/pre>\n\u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u5c06\u5728testnamespace\u4e2d\u521b\u5efa\u4e00\u4e2a\u7528\u4e8e\u6d4b\u8bd5\u7684\u5bb9\u5668\u3002<\/p>\n
$ <\/span>kubectl apply -f<\/span> https:\/\/raw.githubusercontent.com\/kubernetes\/examples\/master\/guestbook-go\/guestbook-controller.json -n<\/span> test<\/span>\r\n$ <\/span>kubectl get pod -n<\/span> test\r\n<\/span>NAME READY STATUS RESTARTS AGE\r\nguestbook-5w6ft 1\/1 Running 0 79m\r\nguestbook-cfzfd 1\/1 Running 0 79m\r\nguestbook-jlfpw 1\/1 Running 0 79m\r\n<\/code><\/pre>\n\u786e\u4fdd\u53ef\u4ee5\u4ece\u8be5\u5bb9\u5668\u8bbf\u95ee\u6700\u521d\u90e8\u7f72\u5728 defaultnamespace \u4e2d\u7684 Guestbook \u5e94\u7528\u7a0b\u5e8f\u3002<\/p>\n
$ <\/span>kubectl exec <\/span>guestbook-5w6ft
<\/p>\n
- \n