应用场景:Docker 容器中
默认Pod的ingress和egress都是禁止流入和流出,只允许做DNS查询
但是需要Java应用程序能够上网
apiVersion: networking.k8s.io/v1 kind: Networkpolicy metadata: name: default-deny-all namespace: sandbox spec: podSelector: {} policyTypes: - Ingress - Egress我一般如下验证我的语法是否OK
yq r 1.yaml -j -P
{ "apiVersion": "networking.k8s.io/v1", "kind": "Networkpolicy", "metadata": { "name": "default-deny-all", "namespace": "sandbox" }, "spec": { "podSelector": {}, "policyTypes": [ "Ingress", "Egress" ] } }apiVersion: networking.k8s.io/v1 kind: Networkpolicy metadata: name: default-allow-dns namespace: sandbox spec: podSelector: {} policyTypes: - Egress egress: - to: - namespaceSelector: {} podSelector: matchLabels: k8s-app: kube-dns ports: - port: 53 protocal: UDP - port: 53 protocal: TCP参数说明
http.proxyHost : 代理服务器地址或者主机名http.proxyPort : 代理服务端口号https.proxyHost : https代理服务器主机名https.proxyPort: 代理端口号http.nonProxyHosts : 指定绕过代理的主机列表,使用 | 分割的模式列表,可以以通配符 * 开头或者结尾,任何匹配这些模式之一的主机都将通过直接连接而不是通过代理访问。该设置对http,https通用在deployment中,设定Java运行参数在deployment.yaml中片段如下
containers: - name: helloworld image: docker-registry.xxx.com/hello_proxy imagePullPolicy: Always ports: - containerPort: 8080 command: ["java"] args: ["-Dhttp.proxyHost=192.168.7.7", "-Dhttp.proxyPort=1328", "-Dhttps.proxyHost=192.168.7.7", "-Dhttps.proxyPort=443", "-jar", "target/app.jar"]