
[CKA] Network Policy


[Problem]

- Create a new NetworkPolicy named allow-port-from-namespace in the existing namespace devops.
- Ensure that the new NetworkPolicy allows Pods in namespace migops to connect to port 80 of Pods in namespace devops.

 

[Solution]

- Search keyword: network policy

 

1. Check the labels on the pods and namespaces

Check the labels on the migops namespace

# kubectl get namespaces migops  --show-labels 
NAME     STATUS   AGE   LABELS
migops   Active   48s   kubernetes.io/metadata.name=migops,team=migops

 

Check the labels on the devops namespace

# kubectl  get namespaces devops --show-labels 
NAME     STATUS   AGE   LABELS
devops   Active   12m   kubernetes.io/metadata.name=devops,team=devops

 

Check the pods running in devops and their labels

# kubectl get pod -n devops --show-labels 
NAME   READY   STATUS    RESTARTS   AGE   LABELS
web    1/1     Running   0          73s   app=web

 

2. Create the network policy

Refer to service/networking/networkpolicy.yaml in the docs

- https://kubernetes.io/docs/concepts/services-networking/network-policies/

# cat allow-port-from-namespace.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: devops
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              team: migops
      ports:
        - protocol: TCP
          port: 80

# kubectl apply -f allow-port-from-namespace.yaml 
networkpolicy.networking.k8s.io/allow-port-from-namespace created

# kubectl get networkpolicies.networking.k8s.io -n devops
NAME                        POD-SELECTOR   AGE
allow-port-from-namespace   app=web        11s

# kubectl describe networkpolicies.networking.k8s.io -n devops
Name:         allow-port-from-namespace
Namespace:    devops
Created on:   2023-05-02 23:07:02 +0900 KST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=web
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: team=migops
  Not affecting egress traffic
  Policy Types: Ingress
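
To check what this policy permits without a cluster, the following added example (not part of the original post) models its ingress rules in Python. It handles only matchLabels selectors and numeric ports; ipBlock, matchExpressions and named ports are not modeled, and the "default" namespace entry is constructed for the negative case.

```python
# Added example: a minimal model of how a NetworkPolicy ingress rule is evaluated.
# Only matchLabels selectors and numeric ports are modeled (assumption of this sketch).
POLICY = {  # the spec from allow-port-from-namespace.yaml
    "namespace": "devops",
    "podSelector": {"matchLabels": {"app": "web"}},
    "ingress": [{
        "from": [{"namespaceSelector": {"matchLabels": {"team": "migops"}}}],
        "ports": [{"protocol": "TCP", "port": 80}],
    }],
}

# Namespace labels as printed by `kubectl get namespaces --show-labels`;
# the "default" entry is constructed for the negative case.
NAMESPACE_LABELS = {
    "migops": {"kubernetes.io/metadata.name": "migops", "team": "migops"},
    "devops": {"kubernetes.io/metadata.name": "devops", "team": "devops"},
    "default": {"kubernetes.io/metadata.name": "default"},
}

def matches(selector, labels):
    """matchLabels semantics: every key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src_ns, src_pod_labels, policy_ns):
    """Within one peer, namespaceSelector and podSelector are ANDed together."""
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], NAMESPACE_LABELS[src_ns]):
            return False
    elif src_ns != policy_ns:
        return False  # a podSelector alone only covers the policy's own namespace
    return matches(peer.get("podSelector", {}), src_pod_labels)

def ingress_allowed(policy, src_ns, src_pod_labels, dst_pod_labels, port, protocol="TCP"):
    """Decide whether a connection to a pod in the policy's namespace is allowed."""
    if not matches(policy["podSelector"], dst_pod_labels):
        return True  # destination not selected by this policy: it adds no isolation
    for rule in policy["ingress"]:
        peers, ports = rule.get("from"), rule.get("ports")
        peer_ok = not peers or any(
            peer_matches(p, src_ns, src_pod_labels, policy["namespace"]) for p in peers)
        port_ok = not ports or any(
            p["port"] == port and p.get("protocol", "TCP") == protocol for p in ports)
        if peer_ok and port_ok:
            return True
    return False  # selected pod and no rule matched: denied
```

Note that a client in devops itself is denied on port 80 because its namespace carries team=devops, and that a devops pod without the app=web label is not isolated by this policy at all.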

 

 

[References]

- YouTube: 따배씨
