I. Layer 3 configuration examples
1. Label-based policies
Start three pods from the busybox image: box-a, box-b and box-c, then test the connectivity a->b and c->b.
Ingress policies
Configure a label-based policy that allows only a->b:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "a-to-b-allow"
spec:
  endpointSelector:
    matchLabels:
      app: box-b
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: box-a
The configuration above uses a simple ingress rule to allow traffic from endpoints carrying the label app=box-a to endpoints carrying the label app=box-b; everything else is denied by default, because once a policy selects box-b for ingress, any ingress traffic not explicitly allowed is dropped. In other words, b accepts only traffic from a and rejects the rest.
Configure allowing all endpoints to communicate with app=box-b:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "all-to-b-allow"
spec:
  endpointSelector:
    matchLabels:
      app: box-b
  ingress:
  - fromEndpoints:
    - {}
Configure denying all endpoints from communicating with app=box-b (a rule with no fromEndpoints enables ingress enforcement on b but whitelists nothing):
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "all-to-b-deny"
spec:
  endpointSelector:
    matchLabels:
      app: box-b
  ingress:
  - {}
Egress policies
Configure a label-based policy so that b can only reach a:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "a-from-b-allow"
spec:
  endpointSelector:
    matchLabels:
      app: box-b
  egress:
  - toEndpoints:
    - matchLabels:
        app: box-a
Configure allowing app=box-b to communicate with all endpoints:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  # unique name: a second "a-from-b-allow" would replace the policy above on apply
  name: "b-to-all-allow"
spec:
  endpointSelector:
    matchLabels:
      app: box-b
  egress:
  - toEndpoints:
    - {}
Configure denying app=box-b from communicating with any endpoint:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  # unique name: each policy object in the namespace must have its own name
  name: "b-to-all-deny"
spec:
  endpointSelector:
    matchLabels:
      app: box-b
  egress:
  - {}
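Each of the six policies above touches only one direction on box-b, and whether a->b actually works depends on both box-a's egress verdict and box-b's ingress verdict. The Python model below is an added example, not part of the original write-up and not Cilium's own code: it encodes the label-based L3 policies above as dicts and applies the decision logic those examples rely on (an endpoint with no selecting policy in a direction stays default-allow; once a selecting policy carries rules for that direction, only peers matched by a fromEndpoints/toEndpoints selector pass, so a bare `- {}` rule denies everything). It evaluates new connections only and ignores reply traffic, entities and L4/L7 rules. The pod names and labels follow the write-up; the helper names and the policy names b-to-all-allow and b-to-all-deny (for the two egress policies the page lists under a duplicated name) are assumptions of this example.

```python
"""Toy evaluator for Cilium label-based L3 policy decisions (constructed example)."""
from typing import Dict, List, Tuple

Labels = Dict[str, str]

# Constructed sample endpoints: the three busybox pods from the write-up.
ENDPOINTS: Dict[str, Labels] = {
    "box-a": {"app": "box-a"},
    "box-b": {"app": "box-b"},
    "box-c": {"app": "box-c"},
}


def _selects(selector: dict, labels: Labels) -> bool:
    """An empty selector ({}) matches every endpoint; every matchLabels entry must match."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _spec(endpoint_app: str, **rules) -> dict:
    """Build the 'spec' part of a CiliumNetworkPolicy as a plain dict (assumed helper)."""
    spec = {"endpointSelector": {"matchLabels": {"app": endpoint_app}}}
    spec.update(rules)
    return spec


# The page's six policies in dict form (same content as the YAML blocks above).
A_TO_B_ALLOW = _spec("box-b", ingress=[{"fromEndpoints": [{"matchLabels": {"app": "box-a"}}]}])
ALL_TO_B_ALLOW = _spec("box-b", ingress=[{"fromEndpoints": [{}]}])
ALL_TO_B_DENY = _spec("box-b", ingress=[{}])
A_FROM_B_ALLOW = _spec("box-b", egress=[{"toEndpoints": [{"matchLabels": {"app": "box-a"}}]}])
B_TO_ALL_ALLOW = _spec("box-b", egress=[{"toEndpoints": [{}]}])   # name assumed
B_TO_ALL_DENY = _spec("box-b", egress=[{}])                        # name assumed


def direction_allowed(policies: List[dict], own: Labels, peer: Labels, direction: str) -> bool:
    """Decide one direction ("ingress" or "egress") for the endpoint with labels `own`.

    Modelled rule: if no selecting policy carries rules for this direction the
    endpoint stays default-allow; otherwise only peers matched by some
    fromEndpoints/toEndpoints selector are allowed, so a bare {} rule denies all.
    """
    peer_key = "fromEndpoints" if direction == "ingress" else "toEndpoints"
    enforced = False
    for spec in policies:
        if not _selects(spec.get("endpointSelector", {}), own):
            continue
        rules = spec.get(direction) or []
        if not rules:
            continue          # this policy has no rules in this direction: no enforcement from it
        enforced = True
        for rule in rules:
            if any(_selects(sel, peer) for sel in rule.get(peer_key, [])):
                return True   # explicitly whitelisted
    return not enforced


def connection_allowed(policies: List[dict], src: str, dst: str,
                       endpoints: Dict[str, Labels] = ENDPOINTS) -> bool:
    """A new connection src->dst needs src's egress AND dst's ingress to allow it."""
    s, d = endpoints[src], endpoints[dst]
    return (direction_allowed(policies, s, d, "egress")
            and direction_allowed(policies, d, s, "ingress"))


def connectivity_matrix(policies: List[dict]) -> Dict[Tuple[str, str], bool]:
    """Verdict for every ordered pod pair under the given set of policies."""
    return {(s, d): connection_allowed(policies, s, d)
            for s in ENDPOINTS for d in ENDPOINTS if s != d}


if __name__ == "__main__":
    cases = [("a-to-b-allow", [A_TO_B_ALLOW]), ("all-to-b-allow", [ALL_TO_B_ALLOW]),
             ("all-to-b-deny", [ALL_TO_B_DENY]), ("a-from-b-allow", [A_FROM_B_ALLOW]),
             ("b-to-all-allow", [B_TO_ALL_ALLOW]), ("b-to-all-deny", [B_TO_ALL_DENY]),
             ("a-to-b-allow + b-to-all-deny", [A_TO_B_ALLOW, B_TO_ALL_DENY])]
    for title, pols in cases:
        verdicts = connectivity_matrix(pols)
        print(f"{title}: " + ", ".join(f"{s}->{d}={'ok' if v else 'DROP'}"
                                        for (s, d), v in sorted(verdicts.items())))
```

Running it shows the asymmetry worth remembering when testing with wget or ping from the pods: an egress policy on b never restricts what a or c may send to b, and combining a-to-b-allow with b-to-all-deny still leaves a->b open, because b's egress rules govern connections b initiates, not the connections it accepts.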
2. Service-based policies
Configure allowing app=h