---
# Secondary (Multus) network shared by every pod and policy in this fixture.
# The attachment lives in "default"; the policy in test-ipblock-list reaches it
# through the "default/macvlan1-ipblock" policy-for annotation.
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  namespace: default
  name: macvlan1-ipblock
spec:
  # CNI conflist (cniVersion 0.3.1, "plugins" array) with one macvlan plugin in
  # bridge mode. No "master" interface is named, so the plugin presumably falls
  # back to the node's default-route interface -- TODO confirm that is the
  # intended segment for the test.
  # "capabilities": {"ips": true} together with static IPAM lets each pod pick
  # its own address via the "ips" field of its networks annotation.
  # NOTE(review): the ipBlock rules in this file therefore trust an address the
  # pod author chose. Nothing here stops a pod from being created with (or
  # re-using) another pod's address on the same macvlan segment, so outside of
  # a test a source-IP policy on this network is only as strong as the RBAC on
  # who may set that annotation.
  config: '{
    "cniVersion": "0.3.1",
    "name": "macvlan1-ipblock",
    "plugins": [
      {
        "type": "macvlan",
        "mode": "bridge",
        "capabilities": {"ips": true },
        "ipam":{
          "type":"static"
        }
      }]
    }'
---
# Namespace holding the test pods and the MultiNetworkPolicy. The network
# attachment itself stays in "default" and is referenced cross-namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: test-ipblock-list
---
# Pods
# pod-server is the ingress target: it is the only pod the policy below selects
# (matchLabels name=pod-server) and it listens on TCP 5555 on every interface.
# The policy-for annotation scopes the policy to the macvlan attachment, so the
# listener on the primary pod network is not what this test exercises.
apiVersion: v1
kind: Pod
metadata:
  name: pod-server
  namespace: test-ipblock-list
  annotations:
    # Static address on the secondary network; the clients connect to this.
    k8s.v1.cni.cncf.io/networks: |-
      [{
        "name": "macvlan1-ipblock",
        "namespace": "default",
        "ips": ["2.2.5.1/24"]
      }]
  labels:
    app: test-ipblock-list
    name: pod-server
spec:
  containers:
    - name: macvlan-worker1
      image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
      command:
        - "nc"
        - "-kl"
        - "0.0.0.0"
        - "5555"
      securityContext:
        # NOTE(review): privileged is tolerable only because this is a
        # throwaway e2e fixture; the netcat listener itself needs no
        # privilege. If the harness inspects iptables inside the pod, a
        # NET_ADMIN capability would be narrower -- confirm before copying
        # this spec anywhere else.
        privileged: true
---
# pod-client-a (2.2.5.11): listed in the first ipBlock rule, so its traffic to
# pod-server is expected to be allowed. It runs the same listener as the server;
# presumably the harness drives the actual client connections with exec.
apiVersion: v1
kind: Pod
metadata:
  name: pod-client-a
  namespace: test-ipblock-list
  annotations:
    # This address is what the policy's 2.2.5.11/32 ipBlock matches against.
    k8s.v1.cni.cncf.io/networks: |-
      [{
        "name": "macvlan1-ipblock",
        "namespace": "default",
        "ips": ["2.2.5.11/24"]
      }]
  labels:
    app: test-ipblock-list
    name: pod-client-a
spec:
  containers:
    - name: macvlan-worker1
      image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
      command:
        - "nc"
        - "-kl"
        - "0.0.0.0"
        - "5555"
      securityContext:
        # NOTE(review): test-only; the listener does not need privileged.
        privileged: true
---
# pod-client-b (2.2.5.12): listed in the second ipBlock rule, so its traffic to
# pod-server is expected to be allowed.
apiVersion: v1
kind: Pod
metadata:
  name: pod-client-b
  namespace: test-ipblock-list
  annotations:
    # This address is what the policy's 2.2.5.12/32 ipBlock matches against.
    k8s.v1.cni.cncf.io/networks: |-
      [{
        "name": "macvlan1-ipblock",
        "namespace": "default",
        "ips": ["2.2.5.12/24"]
      }]
  labels:
    app: test-ipblock-list
    name: pod-client-b
spec:
  containers:
    - name: macvlan-worker1
      image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
      command:
        - "nc"
        - "-kl"
        - "0.0.0.0"
        - "5555"
      securityContext:
        # NOTE(review): test-only; the listener does not need privileged.
        privileged: true
---
# pod-client-c (2.2.5.13): matches neither ipBlock rule. Because pod-server is
# selected by a policy with Ingress in policyTypes, this client's traffic is
# the negative case and is expected to be dropped.
apiVersion: v1
kind: Pod
metadata:
  name: pod-client-c
  namespace: test-ipblock-list
  annotations:
    # Deliberately outside both /32 blocks in the policy.
    k8s.v1.cni.cncf.io/networks: |-
      [{
        "name": "macvlan1-ipblock",
        "namespace": "default",
        "ips": ["2.2.5.13/24"]
      }]
  labels:
    app: test-ipblock-list
    name: pod-client-c
spec:
  containers:
    - name: macvlan-worker1
      image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
      command:
        - "nc"
        - "-kl"
        - "0.0.0.0"
        - "5555"
      securityContext:
        # NOTE(review): test-only; the listener does not need privileged.
        privileged: true
---
# MultiNetworkPolicies
# This policy accepts ingress traffic from pod-client-a (2.2.5.11) to pod-server
# and ingress traffic from pod-client-b (2.2.5.12) to pod-server.
# The two entries under "ingress" are separate rules and are ORed: traffic is
# allowed if it matches either one. pod-client-c (2.2.5.13) matches neither,
# and since pod-server is selected by a policy that lists Ingress in
# policyTypes, its traffic is expected to be denied.
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: testnetwork-policy-ipblock-1
  namespace: test-ipblock-list
  annotations:
    # Scopes the policy to the macvlan attachment defined in "default"; the
    # primary pod network is not governed by this object.
    k8s.v1.cni.cncf.io/policy-for: default/macvlan1-ipblock
spec:
  podSelector:
    matchLabels:
      name: pod-server
  policyTypes:
    - Ingress
  ingress:
    # Neither rule sets "ports", so (per NetworkPolicy semantics) every port is
    # open from the listed sources, not only 5555. Each /32 matches exactly one
    # address. NOTE(review): those addresses come from static IPAM driven by
    # each pod's own networks annotation, so the rule assumes no other pod on
    # the segment can claim them -- fine for a test, not a production control.
    - from:
        - ipBlock:
            cidr: 2.2.5.11/32
    - from:
        - ipBlock:
            cidr: 2.2.5.12/32