Skip to content

Latest commit

 

History

History
147 lines (123 loc) · 3.82 KB

1.MD

File metadata and controls

147 lines (123 loc) · 3.82 KB

To retrieve a list of all endpoints managed by Cilium, the Cilium Endpoint (or cep) resource can be used:

kubectl get cep --all-namespaces

allow access to /public path

# vim public.yaml

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "public"
  namespace: "production"
spec:
  endpointSelector:
    matchLabels:
      app: app
  ingress:
  - fromEntities:
     - cluster
    toPorts:
    - ports:
      - port: '80'
        protocol: TCP
      rules:
        http:
          - path: "/public.*"



k apply -f public.yaml

allow access form finance NS to /private path

# vim private.yaml
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "private"
  namespace: "production"
spec:
  endpointSelector:
    matchLabels:
      app: app
  ingress:
  - fromEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: finance
    toPorts:
    - ports:
      - port: '80'
        protocol: TCP
      rules:
        http:
          - path: "/private.*"




k apply -f private.yaml

private api from finance namespace

k exec  -n finance finance  --  curl http://portal.production/private/api123 --connect-timeout 1

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Server Name: ping_pong_server
URL: http://portal.production/private/api123
Client IP: 10.0.1.252
Method: GET
Protocol: HTTP/1.1
Headers:
X-Envoy-Internal: true
X-Request-Id: 5b49ea5f-abc6-4337-bdb2-8a8f932ca5ee
X-Envoy-Expected-Rq-Timeout-Ms: 3600000
User-Agent: curl/8.5.0
Accept: */*
X-Forwarded-Proto: http
100   310  100   310    0     0  78800      0 --:--:-- --:--:-- --:--:--  100k

public api from finance namespace

k exec  -n finance finance  --  curl http://portal.production/public/api123  --connect-timeout 1

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Server Name: ping_pong_server
URL: http://portal.production/public/api123
Client IP: 10.0.1.252
Method: GET
Protocol: HTTP/1.1
Headers:
Accept: */*
X-Forwarded-Proto: http
X-Envoy-Internal: true
X-Request-Id: bc4e8755-9d03-4299-8539-10f1bb32793a
X-Envoy-Expected-Rq-Timeout-Ms: 3600000
User-Agent: curl/8.5.0
100   309  100   309    0     0  73958      0 --:--:-- --:--:-- --:--:--  100k

private api from external namespace

k exec  -n external external  --  curl http://portal.production/private/api123 --connect-timeout 1

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Access denied
100    15  100    15    0     0   3069      0 --:--:-- --:--:-- --:--:--  3750

public api from external namespace

k exec  -n external external  --  curl http://portal.production/public/api123  --connect-timeout 1

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Server Name: ping_pong_server
URL: http://portal.production/public/api123
Client IP: 10.0.1.252
Method: GET
Protocol: HTTP/1.1
Headers:
User-Agent: curl/8.5.0
Accept: */*
X-Forwarded-Proto: http
X-Envoy-Internal: true
X-Request-Id: 7e766755-1322-4ef5-b190-3ffde601492d
X-Envoy-Expected-Rq-Timeout-Ms: 3600000
100   309  100   309    0     0  76655      0 --:--:-- --:--:-- --:--:--  100k