Part 2: Services and Networking

05. NetworkPolicy (7%)

Task

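Create a new NetworkPolicy named allow-port-from-namespace in the existing namespace my-app.

Ensure that the new NetworkPolicy allows Pods in namespace my-app to connect to port 9000 in namespace fubar.

Further ensure that the new NetworkPolicy:

  • does not allow access to Pods that are not listening on port 9000

  • does not allow access from Pods that are not in namespace my-app

Solution: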

cat > 05-networkpolicy.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: my-app
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}
    ports:
    - protocol: TCP
      port: 9000
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: fubar
    ports:
    - protocol: TCP
      port: 9000
EOF

kubectl label ns fubar name=fubar

kubectl create -f 05-networkpolicy.yaml
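
To check the policy above against the task's three requirements, the following added example (not part of the original notes) models how a single NetworkPolicy is evaluated and runs sample flows through it. Assumptions: only matchLabels selectors are modelled, the namespace labels and flows are constructed, and other policies in the cluster (for example ingress policies in fubar) are ignored.

```python
# Added example: simplified model of how this one NetworkPolicy is evaluated.
# The policy from the solution, written as a dict so no YAML library is needed.
POLICY = {
    "namespace": "my-app",
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"podSelector": {}}],
                 "ports": [{"protocol": "TCP", "port": 9000}]}],
    "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "fubar"}}}],
                "ports": [{"protocol": "TCP", "port": 9000}]}],
}

# Constructed cluster state: namespace -> labels (fubar labelled as in the solution).
NS_LABELS = {"my-app": {}, "fubar": {"name": "fubar"}, "kube-system": {}}


def _match(selector, labels):
    """Empty selector matches everything; otherwise every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_ok(peer, peer_ns, peer_labels, policy_ns):
    if "namespaceSelector" in peer:
        if not _match(peer["namespaceSelector"], NS_LABELS.get(peer_ns, {})):
            return False
    elif peer_ns != policy_ns:
        return False  # a podSelector on its own only reaches the policy's namespace
    return _match(peer.get("podSelector", {}), peer_labels)


def allowed(direction, peer_ns, port, protocol="TCP", peer_labels=None, policy=POLICY):
    """Does this policy permit traffic between a selected Pod and the given peer?"""
    if direction not in policy["policyTypes"]:
        return True  # this policy does not restrict that direction
    key, side = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for rule in policy.get(key, []):
        peers, ports = rule.get(side, []), rule.get("ports", [])
        peer_hit = not peers or any(
            _peer_ok(p, peer_ns, peer_labels or {}, policy["namespace"]) for p in peers)
        port_hit = not ports or any(
            p.get("port") in (None, port) and p.get("protocol", "TCP") == protocol
            for p in ports)
        if peer_hit and port_hit:
            return True  # rules are additive: one matching rule is enough
    return False
```

Because Egress is listed in policyTypes, the model also shows that DNS lookups from my-app Pods (UDP 53 to kube-system) are denied by this policy, and that the egress rule matches nothing until fubar carries the name=fubar label.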

06. Create a Service (7%)

Task

Reconfigure the existing deployment front-end and add a port specification named http exposing port 80/tcp of the existing container nginx.

Create a new service named front-end-svc exposing the container port http.

Configure the new service to also expose the individual Pods via a NodePort on the nodes on which they are scheduled.

Solution:

07. Ingress (7%)

Task

Create a new nginx Ingress resource as follows:

  • Name: ping

  • Namespace: ing-internal

  • Exposing service hi on path /hi using service port 5678

The availability of service hi can be checked using the following command, which should return hi:

curl -kL <INTERNAL_IP>/hi

Solution: