kubernetes-networkpolicy
Network policies
Restricting network access:
As covered under service discovery, pods in different namespaces can talk to each other freely. That is not very safe; the Calico network plugin supports custom network policies.
A network policy applies to one namespace and protects the pods in that namespace.
ingress # inbound traffic
egress  # outbound traffic
Two selectors, both label-based:
podSelector: selects pods
namespaceSelector: selects namespaces
Two kinds of relation: AND and OR.
Multiple "-" entries are OR conditions, side by side as list items:
- from:
  - namespaceSelector:
  - podSelector:
AND condition: both selectors in one entry must be satisfied at the same time:
  - namespaceSelector:
    podSelector:
An experiment:
Different namespaces:
Note that this is a whitelist (allowlist).
ingress protects resources in the current namespace.
Restriction: a pod labeled web=bz1 in the project namespace must be denied access to pods labeled app=tomcat in the default namespace.
Labels:
[root@master01 ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
tom-dep-5cd5954c9-l874k 1/1 Running 4 21h 10.244.140.65 node02 <none> <none>
web-test-f47f968f6-wbkv4 1/1 Running 5 21h 10.244.140.67 node02 <none> <none>
[root@master01 ~]# kubectl get pod -o wide -n project
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
bz1 1/1 Running 0 150m 10.244.196.133 node01 <none> <none>
web-test-5f58c7c548-p782r 1/1 Running 3 21h 10.244.196.128 node01 <none> <none>
[root@master01 ~]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
tom-dep-5cd5954c9-l874k 1/1 Running 4 21h app=tomcat,pod-template-hash=5cd5954c9
web-test-f47f968f6-wbkv4 1/1 Running 5 21h app=web-test,pod-template-hash=f47f968f6
[root@master01 ~]# kubectl get pods -n project --show-labels
NAME READY STATUS RESTARTS AGE LABELS
bz1 1/1 Running 0 150m run=bz1
web-test-5f58c7c548-p782r 1/1 Running 3 21h app=web-test,pod-template-hash=5f58c7c548
[root@master01 ~]# kubectl get namespaces project --show-labels
NAME STATUS AGE LABELS
project Active 19d kubernetes.io/metadata.name=project,name=project
[root@master01 ~]# kubectl get namespaces default --show-labels
NAME STATUS AGE LABELS
default Active 25d kubernetes.io/metadata.name=default,name=default
Deploy the NetworkPolicy
[root@master01 ~]# cat networkpolicy/networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy1
  namespace: default # applies to the default namespace
spec:
  podSelector: # pod selection
    matchLabels:
      app: tomcat # pods labeled app=tomcat
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector: # namespace selection: project
        matchLabels:
          name: project
      podSelector: # pod selection
        matchLabels:
          app: web-test
    ports:
    - protocol: TCP
      port: 8080
## The YAML above means: pods labeled app=web-test in the project namespace are allowed to reach port 8080 of pods labeled app=tomcat in the default namespace. A whitelist.
[root@master01 ~]# kubectl describe networkpolicies.networking.k8s.io networkpolicy1
Name:         networkpolicy1
Namespace:    default
Created on:   2023-03-07 10:40:05 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=tomcat
  Allowing ingress traffic:
    To Port: 8080/TCP
    From: # the AND condition: app=web-test in project
      NamespaceSelector: name=project
      PodSelector: app=web-test
  Not affecting egress traffic
  Policy Types: Ingress
Verify. The project namespace has two pods, bz1 and web-test.
The policy created above allows pods with app=web-test to reach the app=tomcat pod in default.
Exec into bz1 to verify: it can reach nginx but not tomcat.
[root@master01 ~]# kubectl exec -ti -n project bz1 -- /bin/sh
/ # wget 10.244.140.65:8080
Connecting to 10.244.140.65:8080 (10.244.140.65:8080)
^C
/ # wget 10.244.140.67:80
Connecting to 10.244.140.67:80 (10.244.140.67:80)
saving to 'index.html'
index.html 100% |*******************************************************************************************************************| 615 0:00:00 ETA
'index.html' saved
/ # cat index.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Within the same namespace: to restrict access to a pod, whitelist the allowed peers; everything else is excluded.
- from:
  - namespaceSelector: {} # wildcard: app=web-test pods in any namespace may access
    podSelector: # pod selection
      matchLabels:
        app: web-test
Omitting namespaceSelector means only pods labeled app=web-test in the current namespace may access; all others are denied.
- from:
  - podSelector: # pod selection
      matchLabels:
        app: web-test
The conditions differ between several from entries and a single from entry.
With several from entries, satisfying any one of them is enough.
Example:
[root@master01 ~]# kubectl describe networkpolicies.networking.k8s.io networkpolicy1
Name:         networkpolicy1
Namespace:    default
Created on:   2023-03-07 10:40:05 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=tomcat
  Allowing ingress traffic:
    To Port: 8080/TCP
    From: ### several from entries: side-by-side (OR) conditions
      NamespaceSelector: name=project
    From: ### several from entries: side-by-side (OR) conditions
      PodSelector: app=web-test
  Not affecting egress traffic
  Policy Types: Ingress
[root@master01 ~]# cat networkpolicy/networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy1
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: tomcat
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: project
    - podSelector:
        matchLabels:
          app: web-test
    ports:
    - protocol: TCP
      port: 8080
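The following is an added example and not code from the original notes: a small offline Python evaluator of NetworkPolicy ingress selector semantics, covering both the single-entry AND case and the multi-entry OR case shown above. The pods and namespaces are constructed dicts mirroring the kubectl output earlier in the notes, and the two versions of networkpolicy1 are encoded as dicts. All function names (matches, peer_matches, ingress_allowed, scenario) are the example's own. It assumes matchLabels-only selectors, namespaceSelector/podSelector peers and ports matched by number; ipBlock, matchExpressions and named ports are out of scope. Its verdicts agree with the wget tests above: bz1 is denied against tomcat under the AND policy and admitted under the OR policy, while nginx, which no policy selects, stays reachable.

```python
# Added example (not from the original notes): an offline evaluator for the
# AND/OR semantics of NetworkPolicy ingress `from` entries.
# Everything below is constructed to mirror the objects in the notes.

# Namespace labels, as in `kubectl get namespaces --show-labels`.
NAMESPACES = {
    "default": {"kubernetes.io/metadata.name": "default", "name": "default"},
    "project": {"kubernetes.io/metadata.name": "project", "name": "project"},
}

# Pods keyed by (namespace, name), as in `kubectl get pods --show-labels`.
PODS = {
    ("default", "tom-dep-5cd5954c9-l874k"): {"app": "tomcat"},
    ("default", "web-test-f47f968f6-wbkv4"): {"app": "web-test"},
    ("project", "bz1"): {"run": "bz1"},
    ("project", "web-test-5f58c7c548-p782r"): {"app": "web-test"},
}
TOMCAT = ("default", "tom-dep-5cd5954c9-l874k")
NGINX_DEFAULT = ("default", "web-test-f47f968f6-wbkv4")
BZ1 = ("project", "bz1")
WEB_PROJECT = ("project", "web-test-5f58c7c548-p782r")

# networkpolicy1, first version: ONE from entry carrying both selectors -> AND.
POLICY_AND = {
    "metadata": {"name": "networkpolicy1", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "tomcat"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"name": "project"}},
                      "podSelector": {"matchLabels": {"app": "web-test"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}

# networkpolicy1, second version: TWO from entries -> OR.
POLICY_OR = {
    "metadata": {"name": "networkpolicy1", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "tomcat"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"name": "project"}}},
                     {"podSelector": {"matchLabels": {"app": "web-test"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}


def matches(selector, labels):
    """matchLabels only: every key/value must be present. {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src_ns, src_labels):
    """Evaluate one `from` entry against a source pod.
    namespaceSelector alone: any pod in a matching namespace.
    podSelector alone: matching pods in the policy's own namespace only.
    Both in one entry: both must match (AND)."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None:
        if not matches(ns_sel, NAMESPACES[src_ns]):
            return False
    elif src_ns != policy_ns:
        return False
    return pod_sel is None or matches(pod_sel, src_labels)


def ingress_allowed(policies, src, dst, port):
    """True if src may connect to dst:port under `policies`.
    A pod selected by no Ingress policy is non-isolated: everything is allowed.
    A selected pod admits a connection only if some rule of some selecting
    policy admits it; rules and `from` entries are OR-ed together."""
    dst_ns, dst_labels = dst[0], PODS[dst]
    src_ns, src_labels = src[0], PODS[src]
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst_ns
        and "Ingress" in (p["spec"].get("policyTypes") or ["Ingress"])
        and matches(p["spec"]["podSelector"], dst_labels)
    ]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            ports = rule.get("ports")
            if ports and not any(pp.get("port") == port for pp in ports):
                continue  # port not whitelisted by this rule
            peers = rule.get("from")
            # An absent or empty `from` admits every source on the listed ports.
            if not peers or any(peer_matches(pe, dst_ns, src_ns, src_labels) for pe in peers):
                return True
    return False


def scenario():
    """The notes' experiment under both versions of networkpolicy1."""
    return {
        "AND web-test(project)->tomcat:8080": ingress_allowed([POLICY_AND], WEB_PROJECT, TOMCAT, 8080),
        "AND bz1(project)->tomcat:8080": ingress_allowed([POLICY_AND], BZ1, TOMCAT, 8080),
        "AND web-test(default)->tomcat:8080": ingress_allowed([POLICY_AND], NGINX_DEFAULT, TOMCAT, 8080),
        "AND bz1(project)->nginx:80": ingress_allowed([POLICY_AND], BZ1, NGINX_DEFAULT, 80),
        "OR bz1(project)->tomcat:8080": ingress_allowed([POLICY_OR], BZ1, TOMCAT, 8080),
        "OR web-test(default)->tomcat:8080": ingress_allowed([POLICY_OR], NGINX_DEFAULT, TOMCAT, 8080),
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{'ALLOW' if verdict else 'DENY':5} {case}")
```

Running the block prints one verdict per case. The point worth noticing is the third AND case: the web-test pod in default carries the right label but sits in the wrong namespace, so a single entry with both selectors denies it, whereas the two-entry OR version admits it through the bare podSelector, which on its own only ever scopes to the policy's own namespace.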
The common case: allow only traffic from within the current namespace and deny other namespaces.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
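As an added example, not code from the original notes, here is a defender-side audit in Python that classifies each namespace by its namespace-wide ingress isolation. The input is a constructed list of NetworkPolicy objects shaped like the items of kubectl get networkpolicies -A -o json (only the fields used here); it includes the deny-all policy above placed in default, the networkpolicy1 from the experiment, and a constructed allow-same-namespace policy for project with the shape the sentence above describes (every pod of the namespace as the only whitelisted peer). The function and status names are the example's own.

```python
# Added example (not from the original notes): classify namespaces by the
# namespace-wide ingress isolation their NetworkPolicies provide.

# Least to most permissive. Policies are additive (allowed traffic is the union),
# so the most permissive namespace-wide policy decides the effective status.
RANK = {
    "no-ingress-isolation": 0,     # no policy selects every pod: nothing is isolated
    "deny-all-ingress": 1,         # podSelector {} and no ingress rules (the deny-all above)
    "isolated-with-allowlist": 2,  # podSelector {} plus ingress rules (e.g. same namespace only)
    "allow-all-ingress": 3,        # podSelector {} with an empty rule {}: isolated but wide open
}


def selects_all_pods(selector):
    """podSelector: {} (or empty matchLabels/matchExpressions) selects every pod."""
    return not selector or not (selector.get("matchLabels") or selector.get("matchExpressions"))


def namespace_wide_status(policy):
    """Status contributed by one policy, or None if it is not namespace-wide for ingress."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes") or ["Ingress"]  # Ingress is implied when policyTypes is omitted
    if "Ingress" not in types or not selects_all_pods(spec.get("podSelector")):
        return None
    rules = spec.get("ingress") or []
    if not rules:
        return "deny-all-ingress"
    if any(not rule for rule in rules):  # an empty rule {} admits all sources on all ports
        return "allow-all-ingress"
    return "isolated-with-allowlist"


def ingress_isolation_status(namespaces, policies):
    """Map each namespace to its effective namespace-wide ingress status."""
    status = {ns: "no-ingress-isolation" for ns in namespaces}
    for p in policies:
        ns = p["metadata"]["namespace"]
        s = namespace_wide_status(p)
        if ns in status and s and RANK[s] > RANK[status[ns]]:
            status[ns] = s
    return status


# Constructed sample. `deny-all` is the policy from the notes, placed in default;
# `allow-same-namespace` is a constructed companion policy (all pods of the
# namespace as the only whitelisted peer); networkpolicy1 selects only
# app=tomcat, so it does not isolate the whole namespace.
SAMPLE_NAMESPACES = ["default", "project", "kube-system"]
SAMPLE_POLICIES = [
    {"metadata": {"name": "networkpolicy1", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"app": "tomcat"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "project"}}}]}]}},
    {"metadata": {"name": "deny-all", "namespace": "default"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-same-namespace", "namespace": "project"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {}}]}]}},
]


if __name__ == "__main__":
    for ns, s in ingress_isolation_status(SAMPLE_NAMESPACES, SAMPLE_POLICIES).items():
        print(f"{ns:12} {s}")
```

Two things the classification makes visible. The deny-all policy above, on its own, has no ingress rules at all, so it blocks same-namespace traffic as well; the "allow only the current namespace" effect comes from pairing it with a podSelector: {} peer like allow-same-namespace, which the audit reports as isolated-with-allowlist. And a policy whose ingress list contains an empty rule {} still counts as isolating the namespace while admitting everything, which is why it gets its own, most permissive, status rather than being lumped in with allowlists.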
This is a bit convoluted. In short: whitelist conditions, ingress and egress rules, with AND and OR relations between selectors. Side-by-side entries are OR; a single combined entry is AND.
Official docs: https://kubernetes.io/zh-cn/docs/concepts/services-networking/network-policies/