背景
针对一个服务如下NetworkPolicy, 表示只有n9e命名空间的POD才能访问 k8s-man 服务
yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: k8s-man
namespace: n9e
labels:
app: k8s-man
version: v1
spec:
podSelector:
matchLabels:
app: k8s-man
version: v1
ingress:
- ports:
- protocol: TCP
from:
- namespaceSelector:
matchLabels:
project: n9e
- ipBlock:
cidr: 172.16.239.0/24
- ipBlock:
cidr: 172.16.46.0/24
policyTypes:
- IngressNetworkPolicy 创建后, 在n9e命名空间中发现使用POD的IP访问 k8s-man服务是可以的, 但是使用 service 不行
排查过程
进入 k8s-man所在的Node节点.
执行 iptables -L | grep k8s-man
找到
MARK tcp -- anywhere anywhere /* cali:vXxAzmXgtXdiHYG_ */ /* Policy n9e/knp.default.k8s-man ingress */ match-set cali40s:SgNpHWMUr8ifdpNh8A29AuF src MARK or 0x10000确认使用的式cali40s:SgNpHWMUr8ifdpNh8A29AuF 这个ipset
执行 ipset list cali40s:SgNpHWMUr8ifdpNh8A29AuF
得到如下结果:
[root@node3 ~]# ipset list cali40s:SgNpHWMUr8ifdpNh8A29AuF
Name: cali40s:SgNpHWMUr8ifdpNh8A29AuF
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 888
References: 1
Number of entries: 8
Members:
172.16.139.213
172.16.143.67
172.16.178.43
172.16.178.37
172.16.239.190
172.16.85.24
172.16.46.157
172.16.139.237发现对应的Ip是n9e 命名空间下pod的IP。
猜测是经过service 后发生了NAT转换,Ip成了源POD所在节点的的容器IP端。
修改网络策略如下, 172.16.239.0/24 和 172.16.46.0/24 是源POD节点的容器网段:
yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: k8s-man
namespace: n9e
labels:
app: k8s-man
version: v1
spec:
podSelector:
matchLabels:
app: k8s-man
version: v1
ingress:
- ports:
- protocol: TCP
from:
- namespaceSelector:
matchLabels:
project: n9e
- ipBlock:
cidr: 172.16.239.0/24
- ipBlock:
cidr: 172.16.46.0/24
policyTypes:
- Ingress说明通过service访问的话,源IP经过的NAT转换成了源POD所在节点上的容器IP,导致 NetworkPolicy不生效。