k8s NetworkPolicy: testing multiple ipBlock+port egress rules that must match together

Taking egress as the example, what we want to test is that TCP port 1234 on the 172.17.197.252 subnet and TCP port 80 on the 172.16.247.58/24 subnet are reachable from the pods, and that nothing else is.
Purpose of the test:
1. Verify that traffic passes only when the ipBlock and the port of a rule are both satisfied.
2. Verify that several egress ipBlock+port entries can be added to one NetworkPolicy without being merged, i.e. it must not turn out that TCP port 80 on the 172.17.197.252 subnet also passes,
or that TCP port 1234 on the 172.16.247.58/24 subnet passes. The test succeeds only if exactly what is written in our network policy gets through.

The test results are as follows. Both connections that the policy should block (172.16.247.58:1234 and 172.17.197.252:80) hang until interrupted with Ctrl-C:

-[appuser@chenqiang-dev ~]$  kubectl -n chenqiang1 exec -it tcp-udp-deployment-6d4c485fb-5t44n bash
root@tcp-udp-deployment-6d4c485fb-5t44n:/# 
^Cbash: connect: Interrupted system call
bash: /dev/tcp/172.16.247.58/1234: Interrupted system call

root@tcp-udp-deployment-6d4c485fb-5t44n:/# 
root@tcp-udp-deployment-6d4c485fb-5t44n:/# 
root@tcp-udp-deployment-6d4c485fb-5t44n:/# 
^Cbash: connect: Interrupted system call
bash: /dev/tcp/172.17.197.252/80: Interrupted system call

The detailed test steps are as follows:

1. First create two NetworkPolicies: one that denies egress for all pods, and one that allows the rules we fill in. As shown:

-[appuser@chenqiang-dev tcp-udp]$ kubectl -n chenqiang1 get networkpolicy
NAME                  POD-SELECTOR   AGE
allow-egress          <none>         42m
default-deny-egress   <none>         45m

2. The pods under test are in the following two namespaces:

-[appuser@chenqiang-dev tcp-udp]$ kubectl -n chenqiang1 get po -o wide
NAME                                 READY     STATUS    RESTARTS   AGE       IP               NODE           NOMINATED NODE
tcp-udp-deployment-6d4c485fb-5t44n   1/1       Running   0          50m       172.19.22.102    10.130.33.28   <none>
tcp-udp-deployment-6d4c485fb-fg4kp   1/1       Running   0          50m       172.17.197.252   10.130.33.25   <none>
tcp-udp-deployment-6d4c485fb-jm99f   1/1       Running   0          50m       172.16.247.41    10.130.33.26   <none>
tcp-udp-deployment-6d4c485fb-kp446   1/1       Running   0          50m       172.17.36.60     10.130.33.22   <none>
-[appuser@chenqiang-dev tcp-udp]$ kubectl -n helloworld1 get po -o wide 
NAME                                     READY     STATUS    RESTARTS   AGE       IP               NODE           NOMINATED NODE
nginx-hello-deployment-b5b7bf4f5-7d9mf   1/1       Running   0          1h        172.16.247.58    10.130.33.26   <none>
nginx-hello-deployment-b5b7bf4f5-f5n52   1/1       Running   0          1h        172.17.197.241   10.130.33.25   <none>
nginx-hello-deployment-b5b7bf4f5-lskff   1/1       Running   0          1h        172.19.22.66     10.130.33.28   <none>
nginx-hello-deployment-b5b7bf4f5-lvxc8   1/1       Running   0          1h        172.17.36.25     10.130.33.22   <none>

The network policies that were created are as follows:
1. Default-deny egress for every pod in the namespace (an empty podSelector selects all pods; listing Egress with no egress rules denies all outbound traffic)

-[appuser@chenqiang-dev tcp-udp]$ cat default-deny-chenqiang1.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: chenqiang1
  name: default-deny-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress

2. Allow egress to specific ports on specific subnets

-[appuser@chenqiang-dev tcp-udp]$ cat allow-chenqiang1.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: chenqiang1
  name: allow-egress
spec:
  egress:
  # Each list item is one rule: its ipBlock AND its ports must both match.
  # Separate items are ORed, so the two rules are not merged with each other.
  - to:
    - ipBlock:
        # host bits are ignored; this is the 172.17.197.0/24 network
        cidr: 172.17.197.252/24
    ports:
    - protocol: TCP
      port: 1234
  - to:
    - ipBlock:
        # host bits are ignored; this is the 172.16.247.0/24 network
        cidr: 172.16.247.58/24
    ports:
    - protocol: TCP
      port: 80
  podSelector: {}
  policyTypes:
  - Egress
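To make the two test goals above concrete, here is a small offline evaluator of NetworkPolicy egress semantics, written as an added example for this post (it is not the page's own code and not part of Kubernetes). It transcribes the two policies above into plain dicts (no PyYAML dependency) and answers, for a given destination IP, port and protocol, whether a pod in chenqiang1 may reach it. It models only ipBlock peers and the empty podSelector the page uses; podSelector/namespaceSelector peers and label matching are out of scope. The matching logic is: within one rule the `to` list and the `ports` list are ANDed, entries inside each list are ORed, rules across policies are ORed, and a pod selected by an Egress policy with no matching rule is denied. It goes slightly beyond the page by also showing the no-policy case (everything allowed) and a UDP probe.

```python
"""Offline evaluator of Kubernetes NetworkPolicy egress rules (added example)."""
import ipaddress

# The two policies from the post, transcribed from YAML into dicts.
DEFAULT_DENY_EGRESS = {
    "name": "default-deny-egress",
    "podSelector": {},
    "policyTypes": ["Egress"],
    "egress": [],  # no rules: every egress connection is denied
}

ALLOW_EGRESS = {
    "name": "allow-egress",
    "podSelector": {},
    "policyTypes": ["Egress"],
    "egress": [
        {"to": [{"ipBlock": {"cidr": "172.17.197.252/24"}}],
         "ports": [{"protocol": "TCP", "port": 1234}]},
        {"to": [{"ipBlock": {"cidr": "172.16.247.58/24"}}],
         "ports": [{"protocol": "TCP", "port": 80}]},
    ],
}


def _ipblock_matches(block, ip):
    # strict=False mirrors the API server, which accepts a CIDR with host
    # bits set (172.17.197.252/24 is treated as 172.17.197.0/24).
    net = ipaddress.ip_network(block["cidr"], strict=False)
    if ip not in net:
        return False
    excepts = block.get("except", [])
    return not any(ip in ipaddress.ip_network(e, strict=False) for e in excepts)


def _peer_matches(peer, ip):
    # Only ipBlock peers are modelled in this offline example.
    if "ipBlock" in peer:
        return _ipblock_matches(peer["ipBlock"], ip)
    return False


def _port_matches(spec, port, protocol):
    if spec.get("protocol", "TCP") != protocol:
        return False
    if "port" not in spec:
        return True  # protocol given without a port: any port of that protocol
    return spec["port"] == port


def _rule_matches(rule, ip, port, protocol):
    # AND between the "to" half and the "ports" half; OR inside each list.
    # An absent/empty list means "no restriction" on that half.
    to_ok = not rule.get("to") or any(_peer_matches(p, ip) for p in rule["to"])
    ports_ok = not rule.get("ports") or any(
        _port_matches(s, port, protocol) for s in rule["ports"])
    return to_ok and ports_ok


def egress_allowed(policies, dst_ip, port, protocol="TCP"):
    """Return True if a pod selected by these policies may open dst_ip:port/protocol."""
    ip = ipaddress.ip_address(dst_ip)
    # podSelector: {} selects every pod in the namespace, which is all this
    # post's policies use; label-based selection is not modelled here.
    restricting = [p for p in policies
                   if p.get("podSelector") == {} and "Egress" in p.get("policyTypes", [])]
    if not restricting:
        return True  # no Egress policy selects the pod: egress is unrestricted
    return any(_rule_matches(r, ip, port, protocol)
               for p in restricting for r in p.get("egress", []))


def run_matrix(policies):
    """Evaluate the post's four TCP probes plus one UDP probe; returns {probe: allowed}."""
    cases = [
        ("172.17.197.252", 1234, "TCP"),  # expected ALLOW (rule 1)
        ("172.16.247.58", 80, "TCP"),     # expected ALLOW (rule 2)
        ("172.16.247.58", 1234, "TCP"),   # expected DENY  (port of rule 1, subnet of rule 2)
        ("172.17.197.252", 80, "TCP"),    # expected DENY  (port of rule 2, subnet of rule 1)
        ("172.17.197.252", 1234, "UDP"),  # expected DENY  (protocol mismatch)
    ]
    return {f"{ip}:{port}/{proto}": egress_allowed(policies, ip, port, proto)
            for ip, port, proto in cases}


if __name__ == "__main__":
    for probe, ok in run_matrix([DEFAULT_DENY_EGRESS, ALLOW_EGRESS]).items():
        print(probe, "ALLOW" if ok else "DENY")
```

Running the script prints ALLOW only for the two combinations written in allow-egress and DENY for the crossed combinations, which is exactly the outcome the Ctrl-C'd `/dev/tcp` probes in the test output demonstrate. Note that the model answers what the API semantics require; whether the cluster enforces it still depends on a CNI plugin that implements NetworkPolicy, which is why the live probes from inside the pod remain the real check.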

The test pods used are as follows:

-[appuser@chenqiang-dev tcp-udp]$ cat chenqiang1-tcp-udp.yaml 
---
apiVersion: v1
kind: Namespace
metadata:
  name: chenqiang1
---
apiVersion: v1
kind: Secret
metadata:
  name: regcred
  namespace: chenqiang1
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJkb2NrZXItcmVnaXN0cnkuc2FpY3N0YWNrLmNvbSI6IHsKCQkJImF1dGgiOiAiWTJobGJuRnBZVzVuT2xCaGMzTjNNSEprIgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xNy4xMi4xLWNlIChsaW51eCkiCgl9Cn0=
type: kubernetes.io/dockerconfigjson

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tcp-udp-deployment
  namespace: chenqiang1
  labels:
    app: tcp-udp
spec:
  replicas: 4
  selector:
    matchLabels:
      app: tcp-udp
  template:
    metadata:
      labels:
        app: tcp-udp
    spec:
      containers:
      - name: tcp-udp
        image: ksdn117/tcp-udp-test:latest
        ports:
          - name: 1234tcp-1212342
            containerPort: 1234
            protocol: TCP
          - name: 5678udp-1256782
            containerPort: 5678
            protocol: UDP
      imagePullSecrets:
      - name: regcred

---
kind: Service
apiVersion: v1
metadata:
  name: tcp-udp-service
  namespace: chenqiang1
  labels:
    ns: chenqiang1
spec:
  selector:
    app: tcp-udp
  ports:
  - protocol: TCP
    port: 1234
    name: 1234tcp
    targetPort: 1234
  # the container exposes 5678 as UDP (see the Deployment above), so the Service entry must be UDP too
  - protocol: UDP
    port: 5678
    name: 5678udp
    targetPort: 5678
