また続き。ネットワークポリシーはない状態。

access-nginx -> default-deny

ポリシーの作成順に関係があるのか。

core@kb1 ~ $ kubectl create -f - <<EOF
> kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: access-nginx
>   namespace: policy-demo
> spec:
>   podSelector:
>     matchLabels:
>       run: nginx
>   ingress:
>     - from:
>       - podSelector:
>           matchLabels:
>             run: access
> EOF
networkpolicy.networking.k8s.io/access-nginx created
core@kb1 ~ $ kubectl create -f - <<EOF
> kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: default-deny
>   namespace: policy-demo
> spec:
>   podSelector:
>     matchLabels: {}
> EOF
networkpolicy.networking.k8s.io/default-deny created

pod:access で

/ # echo $HOSTNAME
access-7c5df8f4c-b8p5b
/ # wget -q --timeout=5 nginx -O -
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>

pod:cant-access で。いけない。

/ # echo $HOSTNAME
cant-access-7587658dc7-h5b7f
/ # wget -q --timeout=5 nginx -O -
wget: download timed out

いっこでもポリシーがあるとdefault-denyで適用順序に関係なく許可優先とか？あとで確認しよう。

お掃除

$ kubectl delete ns policy-demo
namespace "policy-demo" deleted
$ kubectl get all --namespace=policy-demo
No resources found.