Task weight: 9%

Use context: kubectl config use-context k8s-c1-H

There was a security incident where an intruder was able to access the whole cluster from a single hacked backend Pod.

To prevent this create a NetworkPolicy called np-backend in Namespace project-snake . It should allow the *backend-** Pods only to:

connect to *db1-*** Pods on port 1111 connect to db2-**** Pods on port 2222 Use the app label of Pods in your policy.

After implementation, connections from *backend-*** Pods to vault-**** Pods on port 3333 should for example no longer work.


译文:

曾经发生过一起安全事件,一个入侵者能够从一个被入侵的后端Pod访问整个集群。

为了防止这种情况,在 namespace project-snake 中创建一个名为 np-backend 的NetworkPolicy。它应该只允许 *backend-** Pods进入。

  • 连接到1111端口的db1-* Pods
  • 连接到2222端口的db2-* Pods。

在你的策略中使用Pods的 app 标签。

实施后,例如,从 *backend-*** Pods到3333端口的 vault-**** Pods的连接应该不再工作。


解答:
kubectl config use-context k8s-c1-H

查看pod详情

k -n project-snake get pod
k -n project-snake get pod -L app
k -n project-snake get pod -o wide

k -n project-snake exec backend-0 -- curl -s 10.44.0.25:1111
k -n project-snake exec backend-0 -- curl -s 10.44.0.23:2222
k -n project-snake exec backend-0 -- curl -s 10.44.0.22:3333

file

vim 24.yaml

24.yaml

# 24_np.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-backend
  namespace: project-snake
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Egress                    # policy is only about Egress
  egress:
    -                           # first rule
      to:                           # first condition "to"
      - podSelector:
          matchLabels:
            app: db1
      ports:                        # second condition "port"
      - protocol: TCP
        port: 1111
    -                           # second rule
      to:                           # first condition "to"
      - podSelector:
          matchLabels:
            app: db2
      ports:                        # second condition "port"
      - protocol: TCP
        port: 2222

创建networpolicy

k -f 24.yaml create

验证测试

k -n project-snake exec backend-0 -- curl -s 10.44.0.25:1111
k -n project-snake exec backend-0 -- curl -s 10.44.0.23:2222
k -n project-snake exec backend-0 -- curl -s 10.44.0.22:3333

file


Killer.sh CKA模拟题目 汇总