In the previous post we went through the basic working logic of the flannel network plugin for k8s; for a refresher see https://www.cnblogs.com/qiuhom-1874/p/14225657.html. Today we look at the NetworkPolicy resource in k8s.

  What is the NetworkPolicy resource for?

  In k8s, namespaces isolate resources: two namespaces can hold resources of the same kind and the same name, and some kinds of resource can only be created inside a namespace. What a namespace does not isolate is the network: by default a pod is reachable from every other pod in the cluster, whatever namespace either of them lives in. To restrict which namespaces or external clients can reach the pods of a namespace, we create NetworkPolicy resources in that namespace. A NetworkPolicy can limit which pods may be reached by external clients, or which pods may not be reached from which namespaces; besides inbound (ingress) traffic it can also control the outbound (egress) traffic of the pods in its namespace, allowing or denying some pods access to pods in another namespace or to an external service. A simple way to think of a NetworkPolicy is as a firewall for the pods of one namespace: it is created in a namespace and controls traffic for the pods of that namespace only.

  How NetworkPolicy works

  Note: a NetworkPolicy acts on the pods of a single namespace. spec.podSelector chooses which pods in that namespace the policy applies to; an empty selector ({}) selects every pod in the namespace. A pod that no policy selects is non-isolated, meaning all traffic in and out of it is allowed. As soon as some policy selects a pod for a direction (Ingress or Egress, as listed in policyTypes), the pod is isolated in that direction and only traffic explicitly allowed by an ingress or egress rule of some policy selecting it gets through; a policy that names a direction in policyTypes but defines no rules for it therefore denies all traffic in that direction. A direction that no policy covers is untouched, so a policy with policyTypes: [Ingress] leaves egress completely open, and egress only becomes restricted once a policy selecting the pod lists Egress in its policyTypes.

  Example: deny every client access to the pods in the dev namespace

[root@master01 ~]# cat denyall-ingress-dev.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Ingress
[root@master01 ~]#

  Note: this manifest controls the inbound traffic of the pods in the dev namespace and, since it allows no sources at all, denies every client access to those pods, including the other pods inside the dev namespace itself.

  Apply the manifest

  Before applying it, make sure the network plugin you deployed supports network policies. Flannel on its own does not: on a flannel-only cluster the API server still accepts the NetworkPolicy object, but nothing enforces it, so traffic keeps flowing exactly as if the policy did not exist. To get enforcement we deploy Canal, which combines flannel for pod networking with Calico's network policy engine.

  Deploy Canal

[root@master01 ~]# kubectl apply -f https://docs.projectcalico.org/manifests/canal.yaml
configmap/canal-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrole.rbac.authorization.k8s.io/flannel configured
clusterrolebinding.rbac.authorization.k8s.io/canal-flannel created
clusterrolebinding.rbac.authorization.k8s.io/canal-calico created
daemonset.apps/canal created
serviceaccount/canal created
deployment.apps/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
poddisruptionbudget.policy/calico-kube-controllers created
[root@master01 ~]#

  Note: once all the pods above are running, we can apply the NetworkPolicy manifest and the policy takes effect.

  Create the dev namespace and, inside it, a Deployment that runs 3 nginx pods

[root@master01 manifests]# cat pod-demo.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: dev
  labels:
    name: dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dep
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      rel: stable
  template:
    metadata:
      labels:
        app: nginx
        rel: stable
    spec:
      containers:
      - name: nginx
        image: nginx:1.14-alpine
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
[root@master01 manifests]# kubectl apply -f pod-demo.yaml
namespace/dev unchanged
deployment.apps/nginx-dep created
[root@master01 manifests]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5d9tb 1/1 Running 0 51s 10.244.4.6 node04.k8s.org <none> <none>
nginx-dep-cb74c595f-ftmn9 1/1 Running 0 51s 10.244.1.5 node01.k8s.org <none> <none>
nginx-dep-cb74c595f-jf9p9 1/1 Running 0 51s 10.244.3.4 node03.k8s.org <none> <none>
[root@master01 manifests]#

  Before applying the network policy above, access a pod in the dev namespace from a pod in default and confirm that it works:

[root@master01 manifests]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5d9tb 1/1 Running 0 86s 10.244.4.6 node04.k8s.org <none> <none>
nginx-dep-cb74c595f-ftmn9 1/1 Running 0 86s 10.244.1.5 node01.k8s.org <none> <none>
nginx-dep-cb74c595f-jf9p9 1/1 Running 0 86s 10.244.3.4 node03.k8s.org <none> <none>
[root@master01 manifests]# kubectl get pods
NAME READY STATUS RESTARTS AGE
web-0 1/1 Running 6 3d16h
web-1 1/1 Running 5 3d16h
web-2 1/1 Running 6 3d16h
[root@master01 manifests]# kubectl exec web-0 -it -- /bin/sh
/ # wget -O - -q 10.244.4.6
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p> <p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ #

  Note: a pod in the default namespace can reach a pod in the dev namespace without restriction.

  Apply the network policy manifest

[root@master01 ~]# cat denyall-ingress-dev.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Ingress
[root@master01 ~]# kubectl apply -f denyall-ingress-dev.yaml
networkpolicy.networking.k8s.io/deny-all-ingress created
[root@master01 ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-ingress <none> 10s
[root@master01 ~]# kubectl describe netpol deny-all-ingress -n dev
Name: deny-all-ingress
Namespace: dev
Created on: 2021-01-04 15:34:40 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
<none> (Selected pods are isolated for ingress connectivity)
Not affecting egress traffic
Policy Types: Ingress
[root@master01 ~]#

  Note: in the describe output, PodSelector is <none>, which is the empty selector: every pod in the namespace is selected. "Allowing ingress traffic: <none>" means no source is allowed, so no client at all can reach the pods in this namespace. The policy says nothing about egress, and because policyTypes lists only Ingress, egress is not affected at all ("Not affecting egress traffic"): outbound traffic from the dev pods stays unrestricted. policyTypes states which directions the policy applies to; when it is omitted it defaults to Ingress, plus Egress if the policy has a non-empty egress list.

  Validation: access a pod in the dev namespace from a pod in the default namespace again; does it still work?

  Note: the pod in the default namespace can no longer reach the pods in the dev namespace.

  Validation: from a pod in the dev namespace, access another pod in the same namespace; is it allowed?

  Note: a pod in dev cannot reach the other pods in dev either, but it can still reach itself. Traffic a pod sends to its own IP never leaves the pod: it is handled on the loopback interface and never passes the veth where the policy is enforced, so self-access is not restricted.

  Validation: from a pod in the dev namespace, access a pod in the default namespace; is it allowed?

  Note: pods in the dev namespace can reach pods in the default namespace without any problem, which shows that the rule above only restricts inbound traffic to the dev pods and does not restrict their outbound traffic. The 404 responses from 10.244.4.5 and 10.244.3.3 above are only because the web services on those pods have no index page; the connections themselves went through.

  Example: restrict the outbound traffic of the pods in the dev namespace, denying all egress

[root@master01 ~]# cat denyall-Egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Egress
[root@master01 ~]#

  Note: policyTypes controls which kind of rules the policy applies; it is a list. When it is omitted it defaults to Ingress, plus Egress if the spec has a non-empty egress list. A deny-all-egress policy must therefore list Egress explicitly: without it, this manifest (no rules, no policyTypes) would default to Ingress and deny all inbound traffic instead. Egress and ingress follow the same logic: whatever no rule explicitly allows is denied, and only what a rule explicitly matches is allowed. The manifest above lists Egress but defines no egress rules, so it denies every pod in dev access to anything outside itself.

  Apply the manifest

[root@master01 ~]# kubectl apply -f denyall-Egress.yaml
networkpolicy.networking.k8s.io/deny-all-egress created
[root@master01 ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-egress <none> 10s
deny-all-ingress <none> 24m
[root@master01 ~]# kubectl describe netpol deny-all-egress -n dev
Name: deny-all-egress
Namespace: dev
Created on: 2021-01-04 15:59:16 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Not affecting ingress traffic
Allowing egress traffic:
<none> (Selected pods are isolated for egress connectivity)
Policy Types: Egress
[root@master01 ~]#

  Validation: open a shell in a pod in the dev namespace and check whether it can still reach pods in other namespaces

  Note: the pod in the dev namespace can no longer reach pods in the default namespace.

  Validation: delete the ingress restriction, then let the pods in the dev namespace access each other; does it work?

[root@master01 ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-egress <none> 5m50s
deny-all-ingress <none> 30m
[root@master01 ~]# kubectl delete netpol deny-all-ingress -n dev
networkpolicy.networking.k8s.io "deny-all-ingress" deleted
[root@master01 ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-egress <none> 6m9s
[root@master01 ~]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5d9tb 1/1 Running 0 34m 10.244.4.6 node04.k8s.org <none> <none>
nginx-dep-cb74c595f-ftmn9 1/1 Running 0 34m 10.244.1.5 node01.k8s.org <none> <none>
nginx-dep-cb74c595f-jf9p9 1/1 Running 0 34m 10.244.3.4 node03.k8s.org <none> <none>
[root@master01 ~]# kubectl exec -it nginx-dep-cb74c595f-5d9tb -n dev -- /bin/sh
/ # wget -O - -q 10.244.1.5
^C
/ # wget -O - -q 10.244.3.4
^C
/ # wget -O - -q 10.244.4.6
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p> <p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ #

  Note: with egress restricted, pods in the same namespace can no longer reach each other either, because the connection is dropped on its way out of the source pod; a pod can still reach itself, as before.

  Example: restrict the egress of the pods in the dev namespace while allowing them to reach each other

[root@master01 ~]# cat allow-dev-Egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dev-egress
  namespace: dev
spec:
  podSelector: {}
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: nginx
          rel: stable
    ports:
    - port: 80
      protocol: TCP
  policyTypes:
  - Egress
[root@master01 ~]#

  Note: with egress restricted, the allowed outbound connections are listed under spec.egress. Each rule's to field describes the destinations and is a list of items; a podSelector inside a to item selects the destination pods, and only connections to pods matching that selector are let out. spec.egress[].ports lists the destination ports the rule covers, also as a list; a rule without ports covers every port. Note that a to item without a namespaceSelector only matches pods in the namespace the NetworkPolicy itself lives in. The manifest above allows the pods in dev to reach port 80/TCP of pods labelled app=nginx,rel=stable in the dev namespace and nothing else; in particular DNS lookups to the cluster DNS in kube-system are dropped as well (we probe raw pod IPs below, so this does not show up here), and a real egress policy needs an additional rule for port 53 UDP/TCP to the DNS pods.

  Delete the deny-all-egress policy and apply this manifest

[root@master01 ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-egress <none> 26m
[root@master01 ~]# kubectl delete netpol deny-all-egress -n dev
networkpolicy.networking.k8s.io "deny-all-egress" deleted
[root@master01 ~]# kubectl apply -f allow-dev-Egress.yaml
networkpolicy.networking.k8s.io/allow-dev-egress created
[root@master01 ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
allow-dev-egress <none> 10s
[root@master01 ~]# kubectl describe netpol allow-dev-egress -n dev
Name: allow-dev-egress
Namespace: dev
Created on: 2021-01-04 16:34:23 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Not affecting ingress traffic
Allowing egress traffic:
To Port: 80/TCP
To:
PodSelector: app=nginx,rel=stable
Policy Types: Egress
[root@master01 ~]#

  Validation: open a shell in a pod in the dev namespace; can it reach the other pods in the dev namespace?

[root@master01 ~]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5d9tb 1/1 Running 0 65m 10.244.4.6 node04.k8s.org <none> <none>
nginx-dep-cb74c595f-ftmn9 1/1 Running 0 65m 10.244.1.5 node01.k8s.org <none> <none>
nginx-dep-cb74c595f-jf9p9 1/1 Running 0 65m 10.244.3.4 node03.k8s.org <none> <none>
[root@master01 ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-5d9tb -- /bin/sh
/ # wget -O - -q 10.244.1.5
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p> <p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ # wget -O - -q 10.244.3.4
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p> <p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ #

  Note: pods in the dev namespace can reach each other again.

  Validation: from a pod in dev, access the pods in the default namespace labelled app=nginx,rel=stable; does it work?

[root@master01 ~]# kubectl get pods -n dev
NAME READY STATUS RESTARTS AGE
nginx-dep-cb74c595f-27qjp 1/1 Running 2 88m
nginx-dep-cb74c595f-b92s4 1/1 Running 1 88m
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 88m
[root@master01 ~]# kubectl get pods -o wide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
nginx-dep-cb74c595f-5mwl2 1/1 Running 1 89m 10.244.4.18 node04.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-vxc9z 1/1 Running 1 89m 10.244.3.12 node03.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-z265t 1/1 Running 1 89m 10.244.2.13 node02.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
web-0 1/1 Running 8 3d20h 10.244.2.14 node02.k8s.org <none> <none> app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-0
web-1 1/1 Running 7 3d20h 10.244.4.16 node04.k8s.org <none> <none> app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-1
web-2 1/1 Running 8 3d20h 10.244.3.11 node03.k8s.org <none> <none> app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-2
[root@master01 ~]# kubectl exec -it nginx-dep-cb74c595f-27qjp -n dev -- /bin/sh
/ # wget -O - -q 10.244.4.18
^C
/ # wget -O - -q 10.244.3.12
^C
/ # wget -O - -q 10.244.2.13
^C
/ #

  Note: the pods in dev cannot reach the pods in default labelled app=nginx,rel=stable even though the labels match, because the rule does not specify the destination namespace, and a to item without a namespaceSelector only matches the namespace the NetworkPolicy is in.

  Example: allow the pods in dev to reach pods labelled app=nginx,rel=stable in both the default and the dev namespaces

[root@master01 ~]# cat allow-dev-def-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dev-egress
  namespace: dev
spec:
  podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: ["def","dev"]
      podSelector:
        matchLabels:
          app: nginx
          rel: stable
    ports:
    - port: 80
      protocol: TCP
  policyTypes:
  - Egress
[root@master01 ~]#

  Note: the namespaceSelector field in a spec.egress[].to item selects the namespaces of the destination pods, and podSelector selects the destination pods themselves. When only one of the two fields starts with "-", they belong to the same list item and are ANDed: a destination must satisfy both. When both fields start with "-", they are two separate items and are ORed: a destination matching either one is allowed. The manifest above allows all pods in dev to reach pods that live in a namespace labelled name=def or name=dev and that also carry the labels app=nginx and rel=stable; both conditions must hold. Namespaces are matched by their labels, not by their name, so the label must actually exist on the namespace object.

  Delete the old netpol and apply the new manifest

[root@master01 ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
allow-dev-egress <none> 28m
[root@master01 ~]# kubectl delete netpol allow-dev-egress -n dev
networkpolicy.networking.k8s.io "allow-dev-egress" deleted
[root@master01 ~]# kubectl apply -f allow-dev-def-egress.yaml
networkpolicy.networking.k8s.io/allow-dev-egress created
[root@master01 ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
allow-dev-egress <none> 5s
[root@master01 ~]# kubectl describe netpol allow-dev-egress -n dev
Name: allow-dev-egress
Namespace: dev
Created on: 2021-01-04 19:44:32 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Not affecting ingress traffic
Allowing egress traffic:
To Port: 80/TCP
To:
NamespaceSelector: name in (def,dev)
PodSelector: app=nginx,rel=stable
Policy Types: Egress
[root@master01 ~]#

  Note: the egress rule now has two conditions: the namespace must carry the label name=def or name=dev, and the pod must carry the labels app=nginx,rel=stable.

  Label the default namespace with name=def

[root@master01 ~]# kubectl get ns --show-labels
NAME STATUS AGE LABELS
default Active 27d <none>
dev Active 4h24m name=dev
ingress-nginx Active 13d app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
kube-node-lease Active 27d <none>
kube-public Active 27d <none>
kube-system Active 27d <none>
kubernetes-dashboard Active 2d5h <none>
prod Active 57m name=prod
[root@master01 ~]# kubectl label ns default name=def
namespace/default labeled
[root@master01 ~]# kubectl get ns --show-labels
NAME STATUS AGE LABELS
default Active 27d name=def
dev Active 4h24m name=dev
ingress-nginx Active 13d app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
kube-node-lease Active 27d <none>
kube-public Active 27d <none>
kube-system Active 27d <none>
kubernetes-dashboard Active 2d5h <none>
prod Active 58m name=prod
[root@master01 ~]#

  Validation: from a pod in dev, access the pods labelled app=nginx,rel=stable in the default and dev namespaces; are they reachable?

[root@master01 ~]# kubectl get pods -n dev -o wide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
nginx-dep-cb74c595f-27qjp 1/1 Running 2 116m 10.244.1.18 node01.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-b92s4 1/1 Running 1 116m 10.244.4.17 node04.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 116m 10.244.1.19 node01.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
[root@master01 ~]# kubectl get pods -o wide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
nginx-dep-cb74c595f-5mwl2 1/1 Running 1 117m 10.244.4.18 node04.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-vxc9z 1/1 Running 1 117m 10.244.3.12 node03.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-z265t 1/1 Running 1 117m 10.244.2.13 node02.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
web-0 1/1 Running 8 3d21h 10.244.2.14 node02.k8s.org <none> <none> app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-0
web-1 1/1 Running 7 3d21h 10.244.4.16 node04.k8s.org <none> <none> app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-1
web-2 1/1 Running 8 3d21h 10.244.3.11 node03.k8s.org <none> <none> app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-2
[root@master01 ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.17
Connecting to 10.244.4.17 (10.244.4.17:80)
/ # wget --spider --timeout=1 10.244.1.19
Connecting to 10.244.1.19 (10.244.1.19:80)
/ # wget --spider --timeout=1 10.244.4.18
Connecting to 10.244.4.18 (10.244.4.18:80)
/ # wget --spider --timeout=1 10.244.3.12
Connecting to 10.244.3.12 (10.244.3.12:80)
/ # wget --spider --timeout=1 10.244.2.13
Connecting to 10.244.2.13 (10.244.2.13:80)
/ # wget --spider --timeout=1 10.244.2.14
Connecting to 10.244.2.14 (10.244.2.14:80)
wget: download timed out
/ #

  Note: from a pod in the dev namespace, pods whose namespace is labelled name=def or name=dev and which themselves carry app=nginx and rel=stable are reachable; a pod that fails either the namespace condition or the pod label condition is not. The last IP above (web-0, which has app=nginx but no rel=stable) fails the pod label condition, so the probe times out.

  Example: allow the pods in dev to reach any pod in the namespaces labelled name=def or name=dev, and additionally port 80 of the pods labelled app=nginx,rel=stable in the namespace labelled name=prod

[root@master01 ~]# cat allow-dev-def-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dev-egress
  namespace: dev
spec:
  podSelector: {}
  egress:
  # rule 1: any pod, any port, in namespaces labelled name=def or name=dev
  - to:
    - namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: ["def","dev"]
  # rule 2: only port 80 of app=nginx,rel=stable pods in the namespace labelled name=prod
  - to:
    - namespaceSelector:
        matchLabels:
          name: prod
      podSelector:
        matchLabels:
          app: nginx
          rel: stable
    ports:
    - port: 80
      protocol: TCP
  policyTypes:
  - Egress
[root@master01 ~]#

  Apply the manifest

[root@master01 ~]# kubectl apply -f allow-dev-def-egress.yaml
networkpolicy.networking.k8s.io/allow-dev-egress created
[root@master01 ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
allow-dev-egress <none> 10s
[root@master01 ~]# kubectl describe netpol allow-dev-egress -n dev
Name: allow-dev-egress
Namespace: dev
Created on: 2021-01-04 20:44:42 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Not affecting ingress traffic
Allowing egress traffic:
To Port: <any> (traffic allowed to all ports)
To:
NamespaceSelector: name in (def,dev)
----------
To Port: 80/TCP
To:
NamespaceSelector: name=prod
PodSelector: app=nginx,rel=stable
Policy Types: Egress
[root@master01 ~]#

  Validation: from a pod in dev, access the other pods in dev; does it work?

[root@master01 ~]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-27qjp 1/1 Running 2 168m 10.244.1.18 node01.k8s.org <none> <none>
nginx-dep-cb74c595f-b92s4 1/1 Running 1 168m 10.244.4.17 node04.k8s.org <none> <none>
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 168m 10.244.1.19 node01.k8s.org <none> <none>
[root@master01 ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.17
Connecting to 10.244.4.17 (10.244.4.17:80)
/ # wget --spider --timeout=1 10.244.1.19
Connecting to 10.244.1.19 (10.244.1.19:80)
/ # exit
[root@master01 ~]#

  Note: pods in the dev namespace can reach each other without problems.

  Validation: from a pod in dev, access the pods in the default namespace; does it work?

[root@master01 ~]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-27qjp 1/1 Running 2 170m 10.244.1.18 node01.k8s.org <none> <none>
nginx-dep-cb74c595f-b92s4 1/1 Running 1 170m 10.244.4.17 node04.k8s.org <none> <none>
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 170m 10.244.1.19 node01.k8s.org <none> <none>
[root@master01 ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5mwl2 1/1 Running 1 171m 10.244.4.18 node04.k8s.org <none> <none>
nginx-dep-cb74c595f-vxc9z 1/1 Running 1 171m 10.244.3.12 node03.k8s.org <none> <none>
nginx-dep-cb74c595f-z265t 1/1 Running 1 171m 10.244.2.13 node02.k8s.org <none> <none>
web-0 1/1 Running 8 3d22h 10.244.2.14 node02.k8s.org <none> <none>
web-1 1/1 Running 7 3d22h 10.244.4.16 node04.k8s.org <none> <none>
web-2 1/1 Running 8 3d22h 10.244.3.11 node03.k8s.org <none> <none>
[root@master01 ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.18
Connecting to 10.244.4.18 (10.244.4.18:80)
/ # wget --spider --timeout=1 10.244.3.12
Connecting to 10.244.3.12 (10.244.3.12:80)
/ # wget --spider --timeout=1 10.244.2.13
Connecting to 10.244.2.13 (10.244.2.13:80)
/ # wget --spider --timeout=1 10.244.2.14
Connecting to 10.244.2.14 (10.244.2.14:80)
/ # wget --spider --timeout=1 10.244.4.16
Connecting to 10.244.4.16 (10.244.4.16:80)
wget: server returned error: HTTP/1.1 403 Forbidden
/ # wget --spider --timeout=1 10.244.3.11
Connecting to 10.244.3.11 (10.244.3.11:80)
wget: server returned error: HTTP/1.1 403 Forbidden
/ #

  Note: every pod in the default namespace, including the web-* StatefulSet pods that lack rel=stable, is reachable from the dev pods, because the first egress rule selects the namespace only and carries no podSelector and no ports. The 403 responses from web-1 and web-2 come from nginx itself (those pods serve no index page): the TCP connection and the HTTP request reached the pod, so as far as the policy is concerned that traffic was allowed. Only a timeout indicates a block; a NetworkPolicy deny drops packets rather than rejecting them, so a blocked probe never gets any reply.
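  The probe results in this post are read by eye. The check below, added here and not part of the original post, turns a `wget --spider --timeout=1` transcript into a per-target verdict and diffs it against what the policy was meant to allow: an HTTP error such as 403 counts as "allowed" (the request reached nginx, so the policy passed it), only a timeout counts as "blocked", and a "Connection refused" means the packet got through but nothing was listening. The transcript and the intended set are constructed to mirror the sessions above; the "Connection refused" wording is assumed from BusyBox wget.

```python
# Classifies BusyBox `wget --spider --timeout=1 <ip>[:port]` probe output, as typed inside a pod, into
# per-target verdicts and diffs them against the policy's intent. Added example, not code from the post.
# The transcript and INTENDED set are constructed; the "Connection refused" wording is assumed (BusyBox wget).
import re

CONNECT_RE = re.compile(r"^Connecting to (\S+) \(\S+:(\d+)\)")
HTTP_ERR_RE = re.compile(r"server returned error: HTTP/\d\.\d (\d{3})")


def parse_probes(transcript):
    """Return {(ip, port): verdict}. A probe is one 'Connecting to' line plus any 'wget:' diagnostic after it."""
    results, current = {}, None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = CONNECT_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            results[current] = "allowed"  # no diagnostic follows on a 2xx/3xx answer
            continue
        if current is None or not line.startswith("wget:"):
            continue  # shell prompts and other noise
        if "timed out" in line:
            results[current] = "blocked"  # no SYN-ACK within the timeout: a policy deny drops, it does not reject
        elif "refused" in line:
            results[current] = "open-no-listener"  # a RST came back, so the packet passed the policy; nothing listens
        elif HTTP_ERR_RE.search(line):
            results[current] = "allowed"  # 403/404 etc. come from the web server: the policy let the request through
        else:
            results[current] = "unknown: " + line
    return results


def policy_gaps(observed, intended_allowed):
    """Diff verdicts against the set of (ip, port) the policy was meant to allow.
    Returns (unexpected_allows, unexpected_blocks): the first is a policy gap, the second a broken app path."""
    unexpected_allows = sorted(k for k, v in observed.items() if v == "allowed" and k not in intended_allowed)
    unexpected_blocks = sorted(k for k, v in observed.items() if v == "blocked" and k in intended_allowed)
    return unexpected_allows, unexpected_blocks


# Constructed transcript in the shape of the post's `kubectl exec ... -- /bin/sh` sessions.
SAMPLE_TRANSCRIPT = """\
/ # wget --spider --timeout=1 10.244.4.17
Connecting to 10.244.4.17 (10.244.4.17:80)
/ # wget --spider --timeout=1 10.244.4.16
Connecting to 10.244.4.16 (10.244.4.16:80)
wget: server returned error: HTTP/1.1 403 Forbidden
/ # wget --spider --timeout=1 10.244.4.20
Connecting to 10.244.4.20 (10.244.4.20:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.2.15
Connecting to 10.244.2.15 (10.244.2.15:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.1.19:8080
Connecting to 10.244.1.19 (10.244.1.19:8080)
wget: can't connect to remote host (10.244.1.19): Connection refused
"""

# Intent (constructed): only app=nginx,rel=stable pods should be reachable on 80. 10.244.4.16 is web-1 (no
# rel=stable) and 10.244.2.15 is a prod rel=stable pod, so the sample shows one gap of each kind.
INTENDED = {("10.244.4.17", 80), ("10.244.2.15", 80)}

if __name__ == "__main__":
    observed = parse_probes(SAMPLE_TRANSCRIPT)
    for (ip, port), verdict in sorted(observed.items()):
        print(f"{ip}:{port}\t{verdict}")
    print("unexpected allows / unexpected blocks:", policy_gaps(observed, INTENDED))
```

  Paste the real session output into SAMPLE_TRANSCRIPT and fill INTENDED from the policy you meant to write; an entry in the first list is a pod the policy still exposes, an entry in the second is a path the policy broke.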

  Validation: from a pod in dev, access the pods in the prod namespace; which of them are reachable?

[root@master01 ~]# kubectl get ns prod --show-labels
NAME STATUS AGE LABELS
prod Active 118m name=prod
[root@master01 ~]# kubectl get pods -n prod -o wide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
nginx-dep-cb74c595f-rzbv2 1/1 Running 0 118m 10.244.4.19 node04.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-v8ssx 1/1 Running 0 118m 10.244.3.13 node03.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-zsqcc 1/1 Running 0 118m 10.244.2.15 node02.k8s.org <none> <none> app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep1-f85fdcdbc-kdq5b 1/1 Running 0 117m 10.244.1.21 node01.k8s.org <none> <none> app=nginx,pod-template-hash=f85fdcdbc
nginx-dep1-f85fdcdbc-n8cvs 1/1 Running 0 117m 10.244.3.14 node03.k8s.org <none> <none> app=nginx,pod-template-hash=f85fdcdbc
nginx-dep1-f85fdcdbc-vz2mp 1/1 Running 0 117m 10.244.4.20 node04.k8s.org <none> <none> app=nginx,pod-template-hash=f85fdcdbc
[root@master01 ~]# kubectl get pods -n dev
NAME READY STATUS RESTARTS AGE
nginx-dep-cb74c595f-27qjp 1/1 Running 2 174m
nginx-dep-cb74c595f-b92s4 1/1 Running 1 174m
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 174m
[root@master01 ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.20
Connecting to 10.244.4.20 (10.244.4.20:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.3.14
Connecting to 10.244.3.14 (10.244.3.14:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.1.21
Connecting to 10.244.1.21 (10.244.1.21:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.2.15
Connecting to 10.244.2.15 (10.244.2.15:80)
/ # wget --spider --timeout=1 10.244.3.13
Connecting to 10.244.3.13 (10.244.3.13:80)
/ # wget --spider --timeout=1 10.244.4.19
Connecting to 10.244.4.19 (10.244.4.19:80)
/ #

  Note: in the prod namespace only the pods labelled app=nginx,rel=stable are reachable from the dev pods; the nginx-dep1 pods, which lack rel=stable, time out.

  To summarise: network policy in k8s is a white-list mechanism. Only traffic that some rule explicitly allows gets through; anything not matched is denied, and there is no way to write a deny rule, since policies only ever add allows (when several policies select the same pod, their allowed sets are unioned). For ingress and egress, the from and to fields describe the peer, the source or the destination respectively. If a from/to item has no namespaceSelector, it only matches the namespace the NetworkPolicy lives in; cross-namespace access must name the peer namespace explicitly, by labels. Conditions that sit in the same list item are ANDed and must all hold; conditions in separate list items are ORed and any one of them lets the traffic through. Finally, all of this only holds when the CNI plugin enforces NetworkPolicy; on plain flannel the objects are accepted and ignored.
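  To make the rules in the summary above and in the "How NetworkPolicy works" section concrete, here is an offline model of how a CNI evaluates NetworkPolicy objects. It is an added example, not code from this post, from Kubernetes or from Calico: it replays the post's five policies against constructed pods and namespace labels, and it also shows what happens when policyTypes is omitted. Assumed: the namespace labels in NAMESPACE_LABELS, no ipBlock, named-port or endPort support, and pod-to-self traffic always allowed.

```python
# Offline model of how a CNI evaluates NetworkPolicy objects. Added example, not code from the post, from
# Kubernetes or from Calico. Assumptions: namespace labels are the constant NAMESPACE_LABELS below; ipBlock,
# named ports and endPort are not modelled; traffic from a pod to its own IP is always allowed (as observed above).
from collections import namedtuple

Pod = namedtuple("Pod", "name namespace labels")
NAMESPACE_LABELS = {"default": {"name": "def"}, "dev": {"name": "dev"}, "prod": {"name": "prod"}}  # constructed


def selector_matches(selector, labels):
    """metav1.LabelSelector: matchLabels AND every matchExpression; the empty selector {} matches all."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if (op == "In" and labels.get(key) not in values) or (op == "NotIn" and labels.get(key) in values):
            return False
        if (op == "Exists" and key not in labels) or (op == "DoesNotExist" and key in labels):
            return False
    return True


def peer_matches(peer, policy_ns, other):
    """One item of a from/to list: its namespaceSelector AND its podSelector must both match.
    A missing namespaceSelector limits the item to the policy's own namespace."""
    if "ipBlock" in peer:
        return False  # CIDR peers are out of scope for this model
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        if other.namespace != policy_ns:
            return False
    elif not selector_matches(ns_sel, NAMESPACE_LABELS.get(other.namespace, {})):
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or selector_matches(pod_sel, other.labels)


def ports_match(rule, port, protocol):
    ports = rule.get("ports")  # a rule without ports covers every port
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def policy_types(policy):
    """API default when policyTypes is omitted: Ingress always, Egress only if the egress list is non-empty."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}


def direction_allows(kind, subject, peer, port, protocol, policies):
    """One direction for `subject`: selected by no policy of this kind -> non-isolated, everything passes;
    selected -> only traffic matched by some rule passes (rules and from/to items are ORed)."""
    isolated = False
    rules_key, peers_key = ("ingress", "from") if kind == "Ingress" else ("egress", "to")
    for policy in policies:
        spec, policy_ns = policy["spec"], policy["metadata"]["namespace"]
        if (policy_ns != subject.namespace or kind not in policy_types(policy)
                or not selector_matches(spec.get("podSelector", {}), subject.labels)):
            continue
        isolated = True
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peers_key)  # missing or empty from/to matches every peer on the listed ports
            if ports_match(rule, port, protocol) and (not peers or any(peer_matches(p, policy_ns, peer) for p in peers)):
                return True
    return not isolated


def allowed(src, dst, port, policies, protocol="TCP"):
    """A connection passes only if the source's egress side AND the destination's ingress side allow it."""
    if src is dst:
        return True  # traffic to the pod's own IP never leaves the pod
    return (direction_allows("Egress", src, dst, port, protocol, policies)
            and direction_allows("Ingress", dst, src, port, protocol, policies))


# Constructed pods standing in for the post's nginx Deployments and the web-N StatefulSet (which lacks rel=stable).
STABLE = {"app": "nginx", "rel": "stable"}
DEV_A, DEV_B = Pod("nginx-dep-a", "dev", STABLE), Pod("nginx-dep-b", "dev", STABLE)
DEF_NGINX, WEB_0 = Pod("nginx-dep-x", "default", STABLE), Pod("web-0", "default", {"app": "nginx"})
PROD_STABLE, PROD_OTHER = Pod("nginx-dep-p", "prod", STABLE), Pod("nginx-dep1-p", "prod", {"app": "nginx"})


def netpol(name, spec):  # every policy in the post lives in the dev namespace
    return {"metadata": {"name": name, "namespace": "dev"}, "spec": spec}


NS_DEF_DEV = {"namespaceSelector": {"matchExpressions": [{"key": "name", "operator": "In", "values": ["def", "dev"]}]}}
PORT_80 = [{"port": 80, "protocol": "TCP"}]
DENY_ALL_INGRESS = netpol("deny-all-ingress", {"podSelector": {}, "policyTypes": ["Ingress"]})
DENY_ALL_EGRESS = netpol("deny-all-egress", {"podSelector": {}, "policyTypes": ["Egress"]})
ALLOW_DEV_EGRESS = netpol("allow-dev-egress", {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    {"to": [{"podSelector": {"matchLabels": STABLE}}], "ports": PORT_80}]})
ALLOW_DEV_DEF_EGRESS = netpol("allow-dev-egress", {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    {"to": [dict(NS_DEF_DEV, podSelector={"matchLabels": STABLE})], "ports": PORT_80}]})
ALLOW_DEV_DEF_PROD_EGRESS = netpol("allow-dev-egress", {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    {"to": [NS_DEF_DEV]},  # any pod, any port, in namespaces labelled name=def or name=dev
    {"to": [{"namespaceSelector": {"matchLabels": {"name": "prod"}}, "podSelector": {"matchLabels": STABLE}}],
     "ports": PORT_80}]})
# policyTypes omitted while egress is non-empty: the API defaults to BOTH types, so this also denies all ingress.
EGRESS_OPEN_NO_TYPES = netpol("egress-open", {"podSelector": {}, "egress": [{}]})
```

  Call allowed(src, dst, port, policies) with the pods and policies you care about; for example, allowed(DEV_A, WEB_0, 80, [ALLOW_DEV_DEF_PROD_EGRESS]) is True because the first rule of that policy selects the namespace only, and allowed(WEB_0, DEV_A, 80, [EGRESS_OPEN_NO_TYPES]) is False because a policy with an egress list but no policyTypes is defaulted to Ingress and Egress, so the empty ingress side denies everything.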
