I have one cluster with 3 pods and 3 services (first, second and third).
My services are:
aks-helloworld-first, cluster IP: 10.67.251.251
aks-helloworld-sec, cluster IP: 10.67.248.67
aks-helloworld-third, cluster IP: 10.67.240.154
The pods are:
aks-helloworld-first, selector: app=helloworld-first
aks-helloworld-sec, selector: app=helloworld-sec
aks-helloworld-third, selector: app=helloworld-third
I added the following virtual service:
apiVersion: networking.istio.io/v1alpha3   # apiVersion was missing from the posted manifest
kind: VirtualService
metadata:
  name: aks-helloworld-first-route
spec:
  hosts:
  - aks-helloworld-first
  http:
  - match:
    - sourceLabels:
        app: helloworld-third
    route:
    - destination:
        host: aks-helloworld-first
I expected to be able to access "first" only through "third". But when trying to access "first" through "second", I was able to do so as well.
I ran kubectl exec into the "second" pod and ran: curl -v http://10.67.251.251, and I was able to access the "first" pod.
What am I missing?
A VirtualService is a set of rules for routing external traffic.
It seems that you want to isolate one pod from another, and for this you need to set up a NetworkPolicy.
By default, all pods are non-isolated; they accept traffic from any source. That's why:
"I ran kubectl exec into the "second" pod and ran: curl -v http://10.67.251.251, and I was able to access the "first" pod."
Pods become isolated by having a NetworkPolicy that selects them.
For example, to accomplish "access to "first" only through "third"", you'll need this NetworkPolicy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: helloworld-first
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: helloworld-third
    ports:
    - port: my-http   # a named containerPort on the "first" pod (a number such as 80 also works)
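To see why the VirtualService alone did not block "second", here is an added example (not from the question or the answer) that models the Kubernetes NetworkPolicy ingress semantics described above: a pod selected by no Ingress policy accepts everything, and once selected it accepts only traffic matching one of its ingress rules. The pod labels mirror the page; port 80 is assumed for the curl to the cluster IP, and only podSelector peers are modelled (no namespaceSelector or ipBlock).

```python
# Constructed model of NetworkPolicy ingress evaluation; nothing is sent to a cluster.

def label_match(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector key/value must be present (empty selector matches all)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, src_pod, dst_pod, port) -> bool:
    """True if traffic from src_pod to dst_pod:port is permitted by the given policies."""
    selecting = [p for p in policies
                 if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and label_match(p["spec"]["podSelector"], dst_pod["labels"])]
    if not selecting:
        return True                       # non-isolated: no policy selects the destination
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            peers = rule.get("from", [])  # empty "from" means any source
            peer_ok = not peers or any(
                label_match(peer["podSelector"], src_pod["labels"])
                for peer in peers if "podSelector" in peer)
            ports = rule.get("ports", [])  # empty "ports" means any port
            port_ok = not ports or any(pt.get("port") == port for pt in ports)
            if peer_ok and port_ok:
                return True
    return False                          # isolated and no rule matched

# Pods from the page (labels only).
PODS = {
    "first":  {"labels": {"app": "helloworld-first"}},
    "second": {"labels": {"app": "helloworld-sec"}},
    "third":  {"labels": {"app": "helloworld-third"}},
}

# The answer's policy, with the assumed numeric port 80 in place of the named port.
FIRST_ONLY_FROM_THIRD = {"spec": {
    "podSelector": {"matchLabels": {"app": "helloworld-first"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "helloworld-third"}}}],
                 "ports": [{"port": 80}]}],
}}

def who_can_reach_first(policies):
    """Names of the other pods allowed to reach "first" on port 80."""
    return sorted(src for src in ("second", "third")
                  if ingress_allowed(policies, PODS[src], PODS["first"], 80))

if __name__ == "__main__":
    print("no policy:  ", who_can_reach_first([]))                      # ['second', 'third']
    print("with policy:", who_can_reach_first([FIRST_ONLY_FROM_THIRD]))  # ['third']
```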