How to allow access to the Kubernetes API with an egress network policy?

Problem description

An init container running the kubectl get pod command is used to get the ready status of another pod.

After an Egress NetworkPolicy was turned on, the init container can't access the Kubernetes API: Unable to connect to the server: dial tcp 10.96.0.1:443: i/o timeout. The CNI is Calico.

Several rules were tried but none of them are working (service and master host IPs, different CIDR masks):

...
  egress:
  - to:
    - ipBlock:
        cidr: 10.96.0.1/32
    ports:
    - protocol: TCP
      port: 443
...

or using namespace (default and kube-system namespaces):

...
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: default
    ports:
    - protocol: TCP
      port: 443
...

Looks like ipBlock rules just don't work, and namespace rules don't work because the kubernetes api is a non-standard pod.

Can it be configured? Kubernetes is 1.9.5, Calico is 3.1.1.

Problem still exists with GKE 1.13.7-gke.8 and calico 3.2.7

Recommended answer

You need to get the real ip of the master using kubectl get endpoints --namespace default kubernetes and make an egress policy to allow that.

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-apiserver
  namespace: test
spec:
  policyTypes:
  - Egress
  podSelector: {}
  egress:
  - ports:
    - port: 443
      protocol: TCP
    to:
    - ipBlock:
        cidr: x.x.x.x/32
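The answer above leaves the master address as x.x.x.x. As an added example (not the answerer's code), the script below reads the output of kubectl get endpoints kubernetes -n default -o json and renders the policy with one ipBlock per endpoint address; it takes the port from the Endpoints object rather than the service's 443, because Calico evaluates policy on the post-DNAT destination, so on a kubeadm cluster the real port is typically 6443. The embedded JSON sample, its addresses and its port are constructed for the example.

```python
"""Generate an egress NetworkPolicy for the API server's real endpoint(s)."""
import json
import sys

# Constructed sample of `kubectl get endpoints kubernetes -n default -o json`.
SAMPLE_ENDPOINTS = json.dumps({
    "kind": "Endpoints",
    "metadata": {"name": "kubernetes", "namespace": "default"},
    "subsets": [{
        "addresses": [{"ip": "203.0.113.10"}, {"ip": "203.0.113.11"}],
        "ports": [{"name": "https", "port": 6443, "protocol": "TCP"}],
    }],
})

def apiserver_targets(endpoints_json):
    """Return sorted (ip, port, protocol) tuples for every apiserver endpoint."""
    obj = json.loads(endpoints_json)
    targets = set()
    for subset in obj.get("subsets") or []:
        for addr in subset.get("addresses") or []:
            for port in subset.get("ports") or []:
                targets.add((addr["ip"], int(port["port"]), port.get("protocol", "TCP")))
    if not targets:
        raise ValueError("no apiserver endpoints found; is the API reachable?")
    return sorted(targets)

def render_policy(endpoints_json, name="allow-apiserver", namespace="default"):
    """Render NetworkPolicy YAML: one /32 ipBlock per endpoint IP, and the
    endpoint's own port (e.g. 6443), since policy is applied after DNAT."""
    targets = apiserver_targets(endpoints_json)
    lines = [
        "apiVersion: networking.k8s.io/v1", "kind: NetworkPolicy",
        "metadata:", f"  name: {name}", f"  namespace: {namespace}",
        "spec:", "  podSelector: {}", "  policyTypes:", "  - Egress",
        "  egress:", "  - to:",
    ]
    for ip in sorted({ip for ip, _, _ in targets}):
        lines += ["    - ipBlock:", f"        cidr: {ip}/32"]
    lines.append("    ports:")
    for port, proto in sorted({(p, pr) for _, p, pr in targets}):
        lines += [f"    - protocol: {proto}", f"      port: {port}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Usage: kubectl get endpoints kubernetes -n default -o json | python3 gen_policy.py test
    src = SAMPLE_ENDPOINTS if sys.stdin.isatty() else sys.stdin.read()
    print(render_policy(src, namespace=sys.argv[1] if len(sys.argv) > 1 else "default"))
```

Pipe the rendered YAML into kubectl apply -f - in the namespace whose pods need API access; if the master address changes (for example after a control-plane rebuild), regenerate the policy.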


08-24 12:37