12.6. 验证

12.6.1. 部署示例应用程序
复制链接

要测试出口 IP 规则，请创建一个限制为我们指定的出口 IP 地址的服务。这会模拟预期 IP 地址小子集的外部服务。

运行 echoserver 命令复制请求：

oc -n default run demo-service --image=gcr.io/google_containers/echoserver:1.4

$ oc -n default run demo-service --image=gcr.io/google_containers/echoserver:1.4

Copy to Clipboard

Toggle word wrap

运行以下命令，将 pod 公开为服务，并将入口限制为您指定的出口 IP 地址：

cat <<EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: default
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  selector:
    run: demo-service
  ports:
    - port: 80
      targetPort: 8080
  type: LoadBalancer
  externalTrafficPolicy: Local
  # NOTE: this limits the source IPs that are allowed to connect to our service.  It
  #       is being used as part of this demo, restricting connectivity to our egress
  #       IP addresses only.
  # NOTE: these egress IPs are within the subnet range(s) in which my worker nodes
  #       are deployed.
  loadBalancerSourceRanges:
    - 10.10.100.254/32
    - 10.10.150.254/32
    - 10.10.200.254/32
    - 10.10.100.253/32
    - 10.10.150.253/32
    - 10.10.200.253/32
EOF

$ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: default
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  selector:
    run: demo-service
  ports:
    - port: 80
      targetPort: 8080
  type: LoadBalancer
  externalTrafficPolicy: Local
  # NOTE: this limits the source IPs that are allowed to connect to our service.  It
  #       is being used as part of this demo, restricting connectivity to our egress
  #       IP addresses only.
  # NOTE: these egress IPs are within the subnet range(s) in which my worker nodes
  #       are deployed.
  loadBalancerSourceRanges:
    - 10.10.100.254/32
    - 10.10.150.254/32
    - 10.10.200.254/32
    - 10.10.100.253/32
    - 10.10.150.253/32
    - 10.10.200.253/32
EOF

Copy to Clipboard

Toggle word wrap

运行以下命令，检索负载均衡器主机名并将其保存为环境变量：

export LOAD_BALANCER_HOSTNAME=$(oc get svc -n default demo-service -o json | jq -r '.status.loadBalancer.ingress[].hostname')

$ export LOAD_BALANCER_HOSTNAME=$(oc get svc -n default demo-service -o json | jq -r '.status.loadBalancer.ingress[].hostname')

Copy to Clipboard

Toggle word wrap

12.6.2. 测试命名空间出口
复制链接

启动交互式 shell 来测试命名空间出站规则：

oc run \
  demo-egress-ns \
  -it \
  --namespace=demo-egress-ns \
  --env=LOAD_BALANCER_HOSTNAME=$LOAD_BALANCER_HOSTNAME \
  --image=registry.access.redhat.com/ubi9/ubi -- \
  bash

$ oc run \
  demo-egress-ns \
  -it \
  --namespace=demo-egress-ns \
  --env=LOAD_BALANCER_HOSTNAME=$LOAD_BALANCER_HOSTNAME \
  --image=registry.access.redhat.com/ubi9/ubi -- \
  bash

Copy to Clipboard

Toggle word wrap

向负载均衡器发送请求，并确保您可以成功连接：
```
curl -s http://$LOAD_BALANCER_HOSTNAME
```
```
$ curl -s http://$LOAD_BALANCER_HOSTNAME
```
Copy to Clipboard Toggle word wrap

检查输出是否有成功连接：

注意

client_address 是负载均衡器的内部 IP 地址，而不是您的出口 IP。您可以通过连接到服务限制为 .spec.loadBalancerSourceRanges 来验证您是否已正确配置了客户端地址。

输出示例

CLIENT VALUES:
client_address=10.10.207.247
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://internal-a3e61de18bfca4a53a94a208752b7263-148284314.us-east-1.elb.amazonaws.com:8080/

SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001

HEADERS RECEIVED:
accept=*/*
host=internal-a3e61de18bfca4a53a94a208752b7263-148284314.us-east-1.elb.amazonaws.com
user-agent=curl/7.76.1
BODY:
-no body in request-

CLIENT VALUES:
client_address=10.10.207.247
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://internal-a3e61de18bfca4a53a94a208752b7263-148284314.us-east-1.elb.amazonaws.com:8080/

SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001

HEADERS RECEIVED:
accept=*/*
host=internal-a3e61de18bfca4a53a94a208752b7263-148284314.us-east-1.elb.amazonaws.com
user-agent=curl/7.76.1
BODY:
-no body in request-

Copy to Clipboard

Toggle word wrap

运行以下命令退出 pod：
```
exit
```
```
$ exit
```
Copy to Clipboard Toggle word wrap

12.6.3. 测试 pod 出口
复制链接

启动交互式 shell 来测试 pod 出站规则：

oc run \
  demo-egress-pod \
  -it \
  --namespace=demo-egress-pod \
  --env=LOAD_BALANCER_HOSTNAME=$LOAD_BALANCER_HOSTNAME \
  --image=registry.access.redhat.com/ubi9/ubi -- \
  bash

$ oc run \
  demo-egress-pod \
  -it \
  --namespace=demo-egress-pod \
  --env=LOAD_BALANCER_HOSTNAME=$LOAD_BALANCER_HOSTNAME \
  --image=registry.access.redhat.com/ubi9/ubi -- \
  bash

Copy to Clipboard

Toggle word wrap

运行以下命令，向负载均衡器发送请求：
```
curl -s http://$LOAD_BALANCER_HOSTNAME
```
```
$ curl -s http://$LOAD_BALANCER_HOSTNAME
```
Copy to Clipboard Toggle word wrap

检查输出是否有成功连接：

注意

client_address 是负载均衡器的内部 IP 地址，而不是您的出口 IP。您可以通过连接到服务限制为 .spec.loadBalancerSourceRanges 来验证您是否已正确配置了客户端地址。

输出示例

CLIENT VALUES:
client_address=10.10.207.247
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://internal-a3e61de18bfca4a53a94a208752b7263-148284314.us-east-1.elb.amazonaws.com:8080/

SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001

HEADERS RECEIVED:
accept=*/*
host=internal-a3e61de18bfca4a53a94a208752b7263-148284314.us-east-1.elb.amazonaws.com
user-agent=curl/7.76.1
BODY:
-no body in request-

CLIENT VALUES:
client_address=10.10.207.247
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://internal-a3e61de18bfca4a53a94a208752b7263-148284314.us-east-1.elb.amazonaws.com:8080/

SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001

HEADERS RECEIVED:
accept=*/*
host=internal-a3e61de18bfca4a53a94a208752b7263-148284314.us-east-1.elb.amazonaws.com
user-agent=curl/7.76.1
BODY:
-no body in request-

Copy to Clipboard

Toggle word wrap

运行以下命令退出 pod：
```
exit
```
```
$ exit
```
Copy to Clipboard Toggle word wrap

12.6.4. 可选：测试阻塞的出口
复制链接

可选： 通过运行以下命令，测试在未应用出口规则时流量被成功阻止：

oc run \
  demo-egress-pod-fail \
  -it \
  --namespace=demo-egress-pod \
  --env=LOAD_BALANCER_HOSTNAME=$LOAD_BALANCER_HOSTNAME \
  --image=registry.access.redhat.com/ubi9/ubi -- \
  bash

$ oc run \
  demo-egress-pod-fail \
  -it \
  --namespace=demo-egress-pod \
  --env=LOAD_BALANCER_HOSTNAME=$LOAD_BALANCER_HOSTNAME \
  --image=registry.access.redhat.com/ubi9/ubi -- \
  bash

Copy to Clipboard

Toggle word wrap

运行以下命令，向负载均衡器发送请求：
```
curl -s http://$LOAD_BALANCER_HOSTNAME
```
```
$ curl -s http://$LOAD_BALANCER_HOSTNAME
```
Copy to Clipboard Toggle word wrap
如果命令失败，则成功阻止出口。
运行以下命令退出 pod：
```
exit
```
```
$ exit
```
Copy to Clipboard Toggle word wrap

12.6.1. 部署示例应用程序
复制链接

12.6.2. 测试命名空间出口
复制链接

12.6.3. 测试 pod 出口
复制链接

12.6.4. 可选：测试阻塞的出口
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

12.6. 验证

12.6.1. 部署示例应用程序复制链接链接已复制到粘贴板!

12.6.2. 测试命名空间出口复制链接链接已复制到粘贴板!

12.6.3. 测试 pod 出口复制链接链接已复制到粘贴板!

12.6.4. 可选：测试阻塞的出口复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

12.6.1. 部署示例应用程序
复制链接

12.6.2. 测试命名空间出口
复制链接

12.6.3. 测试 pod 出口
复制链接

12.6.4. 可选：测试阻塞的出口
复制链接