Chapter 12: Networking (Part 2)


    12.3.2  Network Policy in practice

      No Network Policy is configured yet. Deploy the httpd application and its Service:

    apiVersion: apps/v1beta1
    kind: Deployment
    metadata:
      name: httpd
    spec:
      replicas: 3
      template:
        metadata:
          labels:
            run: httpd
        spec:
          containers:
          - name: httpd
            image: httpd:latest
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 80

    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: httpd-svc
    spec:
      type: NodePort
      selector:
        run: httpd
      ports:
      - protocol: TCP
        nodePort: 30000
        port: 8080
        targetPort: 80

     Check the Pods and the Service as follows:

    kubeusr@GalaxyKubernetesMaster:~$ kubectl get pods -o wide
    NAME                     READY     STATUS              RESTARTS   AGE       IP             NODE
    httpd-65f9bdfb75-b5v49   0/1       ContainerCreating   0          3m        <none>         galaxykubernetes01
    httpd-65f9bdfb75-nhpcb   1/1       Running             0          3m        10.244.3.89    galaxykubernetes04
    httpd-65f9bdfb75-qdr2v   1/1       Running             0          3m        10.244.2.196   galaxykubernetes03
    
    
    kubeusr@GalaxyKubernetesMaster:~$ kubectl get service httpd-svc
    NAME        TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
    httpd-svc   NodePort   10.102.11.34   <none>        8080:30000/TCP   6d

    (1) Start a busybox Pod. From inside it, the Service is reachable and the httpd Pods can be pinged.

    kubeusr@GalaxyKubernetesMaster:~$ kubectl exec -it busybox-577868d55b-h7df5 bin/sh       # enter the Pod
    / # wget httpd-svc:8080
    Connecting to httpd-svc:8080 (10.102.11.34:8080)
    wget: can't open 'index.html': File exists
    / # rm -rf index.html
    / # wget httpd-svc:8080
    Connecting to httpd-svc:8080 (10.102.11.34:8080)
    index.html 100% |*****

    / # ping 10.244.3.89                                                      # pinging another Pod from inside a Pod succeeds
    PING 10.244.3.89 (10.244.3.89): 56 data bytes
    64 bytes from 10.244.3.89: seq=0 ttl=62 time=0.665 ms
    64 bytes from 10.244.3.89: seq=1 ttl=62 time=0.538 ms

    (2) The Service is reachable from outside the cluster: it can be accessed from my Windows machine.

    C:\Users\FeiLiu>curl 9.42.80.172:30000
    <html><body><h1>It works!</h1></body></html>

     Now create a Network Policy:

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: access-httpd
    spec:
      podSelector:
        matchLabels:
          run: httpd                          # apply the policy to Pods labelled run: httpd, i.e. the three replicas of the httpd application
      ingress:
      - from:
        - podSelector:
            matchLabels:
              access: "true"                  # ingress: only Pods labelled access: "true" may reach the application (busybox can no longer access it until it is given the access: "true" label)
        ports:
        - protocol: TCP
          port: 80                            # only port 80 may be accessed

     Nodes inside the cluster and hosts outside the cluster can no longer reach the Service.
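To make the "before" and "after" behaviour shown above concrete, here is a small evaluator of NetworkPolicy ingress semantics. It is an added example, not code from the original post or from Kubernetes itself: it models only the podSelector/matchLabels and ports parts of the API that the access-httpd policy uses (no namespaceSelector, ipBlock or egress), and the Pods, labels and the external client below are constructed sample data. The policy dict is the access-httpd policy from the text; the httpd Pod name is taken from the kubectl output above, the busybox labels are assumed. On the real cluster, giving busybox the required label corresponds to `kubectl label pod <busybox-pod> access=true`.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress semantics (added example).

Rule being modelled: once any NetworkPolicy selects a Pod, only ingress
traffic matching one of its rules is admitted; Pods that no policy selects
stay fully open. Only podSelector/matchLabels and ports are handled.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pod:
    name: str
    labels: dict = field(default_factory=dict)


# Constructed sample peers. A client outside the cluster carries no Pod
# labels, so it can never satisfy a podSelector-based "from" rule.
HTTPD = Pod("httpd-65f9bdfb75-nhpcb", {"run": "httpd"})        # name from the text
BUSYBOX = Pod("busybox", {"run": "busybox"})                    # labels assumed
BUSYBOX_LABELED = Pod("busybox", {"run": "busybox", "access": "true"})
EXTERNAL = Pod("external-client", {})

# The access-httpd policy from the text, as a Python dict.
ACCESS_HTTPD = {
    "kind": "NetworkPolicy",
    "apiVersion": "networking.k8s.io/v1",
    "metadata": {"name": "access-httpd"},
    "spec": {
        "podSelector": {"matchLabels": {"run": "httpd"}},
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"access": "true"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}


def selector_matches(selector: Optional[dict], pod: Pod) -> bool:
    """matchLabels semantics: every listed label must be present with that
    value. An absent or empty selector ({}) selects every Pod."""
    if not selector:
        return True
    wanted = selector.get("matchLabels", {})
    return all(pod.labels.get(k) == v for k, v in wanted.items())


def rule_allows(rule: dict, src: Pod, protocol: str, port: Optional[int]) -> bool:
    """One ingress rule admits traffic only if the source matches a 'from'
    peer (absent/empty 'from' = any source) AND protocol/port matches a
    'ports' entry (absent/empty 'ports' = any port). Peers that are not
    podSelector-based (ipBlock, namespaceSelector) are not modelled."""
    peers = rule.get("from") or []
    if peers and not any(selector_matches(p["podSelector"], src)
                         for p in peers if "podSelector" in p):
        return False
    ports = rule.get("ports") or []
    if ports and not any(p.get("protocol", "TCP") == protocol and p.get("port") == port
                         for p in ports):
        return False
    return True


def is_ingress_allowed(policies: list, src: Pod, dst: Pod,
                       protocol: str, port: Optional[int]) -> bool:
    """True if traffic src -> dst:protocol/port is admitted by the policies."""
    applicable = []
    for pol in policies:
        spec = pol["spec"]
        # policyTypes defaults to Ingress, plus Egress if an egress section exists.
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if "Ingress" in types and selector_matches(spec.get("podSelector"), dst):
            applicable.append(spec)
    if not applicable:
        return True  # no policy selects the destination: default allow
    # Policies are additive: any matching rule in any applicable policy admits the traffic.
    return any(rule_allows(rule, src, protocol, port)
               for spec in applicable for rule in (spec.get("ingress") or []))


def demo() -> dict:
    """Reproduce the observations from the text: open before the policy,
    locked down to TCP/80 from access=true Pods afterwards."""
    before, after = [], [ACCESS_HTTPD]
    return {
        "before: busybox -> httpd TCP/80": is_ingress_allowed(before, BUSYBOX, HTTPD, "TCP", 80),
        "before: busybox -> httpd ICMP": is_ingress_allowed(before, BUSYBOX, HTTPD, "ICMP", None),
        "before: external -> httpd TCP/80": is_ingress_allowed(before, EXTERNAL, HTTPD, "TCP", 80),
        "after: busybox -> httpd TCP/80": is_ingress_allowed(after, BUSYBOX, HTTPD, "TCP", 80),
        "after: busybox(access=true) -> httpd TCP/80": is_ingress_allowed(after, BUSYBOX_LABELED, HTTPD, "TCP", 80),
        "after: busybox(access=true) -> httpd ICMP": is_ingress_allowed(after, BUSYBOX_LABELED, HTTPD, "ICMP", None),
        "after: external -> httpd TCP/80": is_ingress_allowed(after, EXTERNAL, HTTPD, "TCP", 80),
        "after: httpd -> busybox TCP/80": is_ingress_allowed(after, HTTPD, BUSYBOX, "TCP", 80),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

Two points the simulation makes visible: the policy selects only the httpd Pods, so busybox itself stays reachable from anywhere, and because the single rule permits only TCP/80, ping (ICMP) to httpd is denied even from the labelled busybox. Note also that a NetworkPolicy object is only enforced when the cluster's network plugin implements NetworkPolicy; with a plugin that does not, the object is accepted by the API server but has no effect, so the connectivity checks shown above are the right way to confirm it is actually in force.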

Original article: https://www.cnblogs.com/liufei1983/p/10224819.html