Kubernetes NetworkPolicy (not supported by Flannel by default)
In Kubernetes, network isolation between containers is implemented through a dedicated API object, NetworkPolicy. For a network policy to take effect, a network plugin that supports it is required. Plugins that implement NetworkPolicy include Calico, Weave and kube-router, but not Flannel. So to use NetworkPolicy together with Flannel, you need to install an additional network plugin, such as Calico, to enforce NetworkPolicy. This test environment uses the Calico network plugin, so NetworkPolicy can be used directly.
By default a Pod accepts requests from any sender and can send requests to any receiver. Restricting this requires a NetworkPolicy object.
The following network policy manifest is used as the example:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.233.0.0/16
        except:
        - 10.233.93.0/24
    - namespaceSelector:
        matchLabels:
          project: test
    - podSelector:
        matchLabels:
          app: busybox
    # ports belongs to the same rule as from; written as a separate "- ports:" item
    # it would be its own rule admitting TCP/80 from any source
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - ipBlock:
        cidr: 10.233.93.0/24
    ports:
    - protocol: TCP
      port: 5978
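Ingress parameters explained:
spec:
  podSelector:
    matchLabels:
      app: nginx   ### selects the pods the policy applies to: pods in the current namespace labelled app: nginx
To make the NetworkPolicy apply to all pods in the current namespace, use this form:
spec:
  podSelector: {}
spec:
  policyTypes:   ### the types of the network policy
  - Ingress
  - Egress
Each NetworkPolicy contains a policyTypes list, which may hold Ingress, Egress, or both. The field states whether the policy applies to ingress traffic to the selected pods, egress traffic from them, or both. If policyTypes is not specified, Ingress is set by default, and Egress is set as well if the policy contains any egress rules.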
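  ingress:   ### ingress policy for the selected pods
  - from:
    - ipBlock:   ### network range allowed to connect
        cidr: 10.233.0.0/16
        except:   ### range that is not allowed to connect
        - 10.233.93.0/24
    - namespaceSelector:   ### allow all pods in namespaces labelled project: test
        matchLabels:
          project: test
    - podSelector:   ### selects pods in the current namespace; pods in the same namespace can reach each other by default, and with this entry only pods labelled app: busybox in the current namespace may access the pods labelled app: nginx
        matchLabels:
          app: busybox
    ports:   #### ports that may be accessed (same rule as from, so both must match)
    - protocol: TCP
      port: 80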
Once a Pod is selected by a NetworkPolicy, it enters a "deny all" state: it can neither be accessed from outside nor initiate access to the outside. The rules defined in a NetworkPolicy are therefore a whitelist.
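The whitelist semantics can be checked offline. The following sketch is an added example (not from the original post or from Kubernetes itself) that models how ingress rules combine: peers under one `from` are ORed, `from` and `ports` in the same rule are ANDed, and separate rules are ORed. It compares `ports:` placed beside `from:` with `- ports:` written as its own rule; the helper names, source addresses and labels are constructed, and only matchLabels selectors are modelled.

```python
import ipaddress

POLICY_NS = "default"  # namespace the policy lives in (as in the manifest above)

def labels_match(selector, labels):
    # Only matchLabels is modelled; an empty selector {} matches everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src):
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        return (ip in ipaddress.ip_network(blk["cidr"]) and
                not any(ip in ipaddress.ip_network(e) for e in blk.get("except", [])))
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    # Without a namespaceSelector, a podSelector only matches pods in the policy's namespace.
    ns_ok = src["ns"] == POLICY_NS if ns_sel is None else labels_match(ns_sel, src["ns_labels"])
    return ns_ok and (pod_sel is None or labels_match(pod_sel, src["pod_labels"]))

def rule_allows(rule, src, proto, port):
    # Within one rule: from-peers are ORed, then ANDed with ports. A missing field matches all.
    src_ok = not rule.get("from") or any(peer_matches(p, src) for p in rule["from"])
    port_ok = not rule.get("ports") or any(
        p.get("protocol", "TCP") == proto and p.get("port") in (None, port)
        for p in rule["ports"])
    return src_ok and port_ok

def ingress_allowed(rules, src, proto, port):
    # Separate rules are ORed: traffic passes if any single rule allows it.
    return any(rule_allows(r, src, proto, port) for r in rules)

PEERS = [
    {"ipBlock": {"cidr": "10.233.0.0/16", "except": ["10.233.93.0/24"]}},
    {"namespaceSelector": {"matchLabels": {"project": "test"}}},
    {"podSelector": {"matchLabels": {"app": "busybox"}}},
]
PORTS = [{"protocol": "TCP", "port": 80}]
SAME_RULE = [{"from": PEERS, "ports": PORTS}]       # "ports:" beside "from:"
SPLIT_RULES = [{"from": PEERS}, {"ports": PORTS}]   # "- ports:" as its own rule

def source(ip, ns="other", ns_labels=None, pod_labels=None):
    return {"ip": ip, "ns": ns, "ns_labels": ns_labels or {}, "pod_labels": pod_labels or {}}

# Constructed sources: addresses and labels are made up for the example.
OUTSIDER = source("192.168.5.50")                    # outside the CIDR, no labels
EXCLUDED = source("10.233.93.7")                     # inside the "except" range
BUSYBOX = source("10.233.93.8", ns="default", pod_labels={"app": "busybox"})

if __name__ == "__main__":
    for name, rules in (("same rule", SAME_RULE), ("split rules", SPLIT_RULES)):
        print(name,
              "outsider->80:", ingress_allowed(rules, OUTSIDER, "TCP", 80),
              "busybox->22:", ingress_allowed(rules, BUSYBOX, "TCP", 22))
```

With `ports` in its own rule, the outsider reaches TCP/80 and the busybox pod reaches every port, which is why the placement of `ports:` matters when reviewing a policy.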
Ingress test
Start two web-service pods in the default namespace:
[root@master ~]# kubectl get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 1/1 Running 0 9d 10.233.96.3 node2 <none> <none>
web 1/1 Running 0 9d 10.233.96.4 node2 <none> <none>
Create the NetworkPolicy as follows:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: denynetwork
spec:
  podSelector:
    matchLabels:
      app: nginx   #### label of the pods being accessed
  policyTypes:
  - Egress
  - Ingress   ### rule types added
  ingress:
  - from:
    - podSelector:   ### selects pods in the current namespace; pods in the same namespace can reach each other by default, and with this entry only pods labelled app: web in the current namespace may access the pods labelled app: nginx
        matchLabels:
          app: web
After creation:
[root@master ~]# kubectl get networkpolicy
NAME POD-SELECTOR AGE
denynetwork app=nginx 9d ### shows the label of the pods being accessed
[root@master ~]#
podSelector test:
##############
As shown above, the web pod runs on node2. Enter the pod's network namespace:
[root@node2 ~]# crictl ps | grep web
dcf892535ed93 3f8a00f137a0d 9 days ago Running count 0 205811ac7b0f0 web
[root@node2 ~]#
[root@node2 ~]# crictl inspect dcf892535ed93 | grep -i pid
"pid": 16814,
"pid": 1
"type": "pid"
[root@node2 ~]#
[root@node2 ~]# nsenter -t 16814 -n bash #### enter the pod's network namespace
[root@node2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default
link/ether 9a:6b:07:ab:e4:0d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.233.96.4/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::986b:7ff:feab:e40d/64 scope link
valid_lft forever preferred_lft forever
[root@node2 ~]# ping 10.233.96.3 ##### the nginx pod cannot be reached here
PING 10.233.96.3 (10.233.96.3) 56(84) bytes of data.
^C
--- 10.233.96.3 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms
[root@node2 ~]#
#######################
######################
Add the label app: web to the web pod:
[root@master ~]# kubectl label po web app=web
pod/web labeled
[root@master ~]#
#####################
Test access to nginx again:
[root@master ~]# ssh node2
Last login: Sat Mar 4 14:26:28 2023 from 192.168.5.240
[root@node2 ~]# nsenter -t 16814 -n bash
[root@node2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default
link/ether 9a:6b:07:ab:e4:0d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.233.96.4/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::986b:7ff:feab:e40d/64 scope link
valid_lft forever preferred_lft forever
[root@node2 ~]# ping 10.233.96.3
PING 10.233.96.3 (10.233.96.3) 56(84) bytes of data.
64 bytes from 10.233.96.3: icmp_seq=1 ttl=63 time=0.333 ms
64 bytes from 10.233.96.3: icmp_seq=2 ttl=63 time=0.127 ms
^C
--- 10.233.96.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.127/0.230/0.333/0.103 ms
[root@node2 ~]# curl 10.233.96.3 #### the service is now reachable
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a >nginx.org</a>.<br/>
Commercial support is available at
<a >nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@node2 ~]#
namespaceSelector test
Edit the networkpolicy.yaml file:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: denynetwork
spec:
  podSelector:
    matchLabels:
      app: nginx   #### label of the pods being accessed
  policyTypes:
  - Egress
  - Ingress   ### rule types added
  ingress:
  - from:
    - namespaceSelector:   ### with this entry, only pods in namespaces labelled project: test may access the pods labelled app: nginx
        matchLabels:
          project: test
After creation:
[root@master ~]# kubectl get networkpolicy
NAME POD-SELECTOR AGE
denynetwork app=nginx 9d ### shows the label of the pods being accessed
Create the namespace and the test pod
####### Create the namespace
[root@master ~]# kubectl create ns test
##### Create the test pod
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: test   ##### place the pod in the test namespace
spec:
  containers:
  - name: busybox
    image: docker.io/library/busybox:latest
    imagePullPolicy: IfNotPresent
    command: ["init"]
After the pod starts:
[root@master ~]# kubectl get po -n test -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
busybox 1/1 Running 0 9d 10.233.90.4 node1 <none> <none>
[root@master ~]#
###################
Enter the busybox pod's network namespace:
[root@node1 ~]# crictl ps | grep busybox
755e001322ef6 2fb6fc2d97e10 9 days ago Running busybox 0 b5e1dfe3d3746 busybox
[root@node1 ~]#
[root@node1 ~]#
[root@node1 ~]# crictl inspect 755e001322ef6| grep -i pid
"pid": 44236,
"pid": 1
"type": "pid"
[root@node1 ~]# nsenter -t 44236 -n bash
[root@node1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default
link/ether 42:2b:78:3a:6a:c1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.233.90.4/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::402b:78ff:fe3a:6ac1/64 scope link
valid_lft forever preferred_lft forever
[root@node1 ~]# ping 10.233.96.3
PING 10.233.96.3 (10.233.96.3) 56(84) bytes of data.
^C
--- 10.233.96.3 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
[root@node1 ~]#
##############
Add the label to the test namespace:
[root@master ~]# kubectl label ns test project=test
namespace/test labeled
[root@master ~]#
Test again:
[root@node1 ~]#
[root@node1 ~]# nsenter -t 44236 -n bash
[root@node1 ~]# ping 10.233.96.3
PING 10.233.96.3 (10.233.96.3) 56(84) bytes of data.
64 bytes from 10.233.96.3: icmp_seq=1 ttl=62 time=2.35 ms
64 bytes from 10.233.96.3: icmp_seq=2 ttl=62 time=1.46 ms
^C
--- 10.233.96.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.468/1.910/2.352/0.442 ms
[root@node1 ~]# curl 10.233.96.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a >nginx.org</a>.<br/>
Commercial support is available at
<a >nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@node1 ~]#
ipBlock test
Edit the networkpolicy.yaml file:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: denynetwork
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.233.0.0/16   ##### range allowed to connect
        except:
        - 10.233.93.0/24   #### exclude this range (this range is on node1, so the test pod is also on node1)
Create the test pod
########### Create the pod:
[root@master ~]# kubectl get po -o wide -n test
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
busybox 1/1 Running 0 9d 10.233.90.4 node1 <none> <none>
##########
Enter the pod's network namespace:
[root@master ~]# ssh node1
Last login: Sat Mar 4 14:55:41 2023 from 192.168.5.240
[root@node1 ~]# crictl ps | grep busybox
755e001322ef6 2fb6fc2d97e10 9 days ago Running busybox 0 b5e1dfe3d3746 busybox
[root@node1 ~]#
[root@node1 ~]# crictl inspect 755e001322ef6 | grep -i pid
"pid": 44236,
"pid": 1
"type": "pid"
[root@node1 ~]#
[root@node1 ~]#
[root@node1 ~]# nsenter -t 44236 -n bash
[root@node1 ~]#
[root@node1 ~]# ping 10.233.96.3
PING 10.233.96.3 (10.233.96.3) 56(84) bytes of data.
^C
--- 10.233.96.3 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5000ms
[root@node1 ~]#
#############
Edit the NetworkPolicy and remove the except parameter:
[root@master ~]# kubectl edit networkpolicy denynetwork
networkpolicy.networking.k8s.io/denynetwork edited
[root@master ~]# kubectl describe networkpolicy denynetwork
Name: denynetwork
Namespace: default
Created on: 2023-02-22 22:39:54 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=nginx
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
IPBlock:
CIDR: 10.233.0.0/16
Except: #### the 10.233.93.0/24 exclusion has been removed
Allowing egress traffic:
<none> (Selected pods are isolated for egress connectivity)
Policy Types: Egress, Ingress
[root@master ~]#
#######################
Test again:
[root@node1 ~]#
[root@node1 ~]# ping 10.233.96.3
PING 10.233.96.3 (10.233.96.3) 56(84) bytes of data.
64 bytes from 10.233.96.3: icmp_seq=1 ttl=62 time=2.76 ms
64 bytes from 10.233.96.3: icmp_seq=2 ttl=62 time=1.55 ms
^C
--- 10.233.96.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.556/2.158/2.761/0.604 ms
[root@node1 ~]# curl 10.233.96.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a >nginx.org</a>.<br/>
Commercial support is available at
<a >nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@node1 ~]#
Egress parameters explained
Each NetworkPolicy contains a whitelist of egress rules. Each rule allows traffic that matches both its to and ports sections. For example, the sample rule here:
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24   ## allow access to port 80 in the 10.0.0.0 range
    ports:
    - protocol: TCP
      port: 80
means that Kubernetes rejects every outbound request from the isolated Pod unless the destination address is in the 10.0.0.0/24 range and the request targets port 80 on that address.
Create a NetworkPolicy to test this:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: denynetwork
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.233.90.0/24   ##### range the pod may connect to
    ports:
    - protocol: TCP
      port: 80   ### port allowed on the destination network
####### Create the policy and inspect it
[root@master ~]# kubectl describe networkpolicy denynetwork
Name: denynetwork
Namespace: default
Created on: 2023-02-22 22:39:54 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=nginx
Allowing ingress traffic:
<none> (Selected pods are isolated for ingress connectivity)
Allowing egress traffic:
To Port: 80/TCP
To:
IPBlock:
CIDR: 10.233.90.0/24
Except:
Policy Types: Ingress, Egress
[root@master ~]#
########### Locate the app=nginx pod and test access from it
[root@master ~]# kubectl get po -n test -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
egress-test 1/1 Running 0 70s 10.233.90.6 node1 <none> <none>
[root@master ~]# kubectl get po -o wide | grep nginx
nginx 1/1 Running 0 9d 10.233.96.3 node2 <none> <none>
############### Enter the network namespace of the app=nginx pod and test access
[root@node2 ~]# crictl ps | grep nginx
27fd22bdf596d 3f8a00f137a0d 9 days ago Running count 0 cb2afd0d86bcf nginx
[root@node2 ~]# crictl inspect 27fd22bdf596d| grep -i pid
"pid": 11243,
"pid": 1
"type": "pid"
[root@node2 ~]# nsenter -t 11243 -n bash
[root@node2 ~]#
[root@node2 ~]# ping 10.233.90.6 ### ping fails because only TCP is allowed
PING 10.233.90.6 (10.233.90.6) 56(84) bytes of data.
^C
--- 10.233.90.6 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
[root@node2 ~]# curl 10.233.90.6 #### port 80 is reachable, as shown below
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a >nginx.org</a>.<br/>
Commercial support is available at
<a >nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@node2 ~]#
########### Edit the NetworkPolicy and change port 80 to 81
[root@master ~]# kubectl describe networkpolicy denynetwork
Name: denynetwork
Namespace: default
Created on: 2023-02-22 22:39:54 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=nginx
Not affecting ingress traffic
Allowing egress traffic:
To Port: 81/TCP
To:
IPBlock:
CIDR: 10.233.90.0/24
Except:
Policy Types: Egress
[root@master ~]#
############# Access port 80 on 10.233.90.6 again:
[root@node2 ~]# curl 10.233.90.6 ### cannot connect
^C
[root@node2 ~]#
########### Edit the NetworkPolicy to allow the whole subnet and test
[root@master ~]# kubectl edit networkpolicy denynetwork
networkpolicy.networking.k8s.io/denynetwork edited
[root@master ~]# kubectl describe networkpolicy denynetwork
Name: denynetwork
Namespace: default
Created on: 2023-02-22 22:39:54 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=nginx
Not affecting ingress traffic
Allowing egress traffic:
To Port: <any> (traffic allowed to all ports)
To:
IPBlock:
CIDR: 10.233.90.0/24
Except:
Policy Types: Egress
[root@master ~]#
######## Access 10.233.90.6 again:
[root@node2 ~]# ping 10.233.90.6
PING 10.233.90.6 (10.233.90.6) 56(84) bytes of data.
64 bytes from 10.233.90.6: icmp_seq=1 ttl=62 time=1.56 ms
^C
--- 10.233.90.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.560/1.560/1.560/0.000 ms
[root@node2 ~]#
[root@node2 ~]# curl 10.233.90.6
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a >nginx.org</a>.<br/>
Commercial support is available at
<a >nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@node2 ~]#
########################
However, other pods still cannot be reached, even one on the same subnet and the same node, as shown below:
[root@master ~]# kubectl get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 1/1 Running 0 9d 10.233.96.3 node2 <none> <none>
web 1/1 Running 0 9d 10.233.96.4 node2 <none> <none>
[root@node2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default
link/ether 56:52:52:7c:82:81 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.233.96.3/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5452:52ff:fe7c:8281/64 scope link
valid_lft forever preferred_lft forever
[root@node2 ~]# ping 10.233.96.4
PING 10.233.96.4 (10.233.96.4) 56(84) bytes of data.
^C
--- 10.233.96.4 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
[root@node2 ~]# curl 10.233.96.4
^C
[root@node2 ~]#