Created
June 5, 2024 05:24
-
-
Save gysel/c80c3f2bacf8ca18671b211cffb3fdf2 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: networking.k8s.io/v1 | |
| kind: NetworkPolicy | |
| metadata: | |
| name: unblu-egress | |
| spec: | |
| egress: | |
| - to: | |
| - ipBlock: | |
| # ipinfo.io hostname | |
| cidr: 34.117.186.192/32 | |
| # Workaround: allow coredns service | |
| # Problem: hard-coding the service IP seems like a really bad idea | |
| #- ipBlock: | |
| # cidr: 10.247.3.10/32 | |
| - to: | |
| - namespaceSelector: | |
| matchLabels: | |
| kubernetes.io/metadata.name: kube-system | |
| podSelector: | |
| matchLabels: | |
| k8s-app: coredns | |
| #k8s-app: kube-dns | |
| podSelector: | |
| matchLabels: | |
| component: test | |
| policyTypes: | |
| - Egress |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: test | |
| labels: | |
| component: test | |
| spec: | |
| containers: | |
| - name: test | |
| image: curlimages/curl | |
| resources: | |
| limits: | |
| memory: "128Mi" | |
| cpu: "500m" | |
| command: | |
| - sleep | |
| args: | |
| - "3600" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # setup | |
| kubectl create namespace netpol-test | |
| kubens netpol-test | |
| kubectl apply -f pod.yaml | |
| kubectl apply -f netpol.yaml | |
| # should work | |
| kubectl exec -it test -- curl -v ipinfo.io | |
| # should NOT work | |
| kubectl exec -it test -- curl -v google.com | |
| # cleanup | |
| kubectl delete namespace netpol-test |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment