• k8s网络策略

    环境说明

    操作系统版本 内核版本 Docker版本 Kubernetes版本
    7.6.1810 4.19.12 19.03.13 v1.18.18

    操作系统版本

    $ cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core)

    内核版本

    $ uname -r
4.19.12-1.el7.elrepo.x86_64

    Docker版本

    $ docker --version
Docker version 19.03.13, build 4484c46

    Kubernetes版本

    $ kubectl get node
NAME         STATUS   ROLES    AGE     VERSION
k8s-master   Ready    <none>   7d22h   v1.18.18
k8s-node01   Ready    <none>   7d22h   v1.18.18
k8s-node02   Ready    <none>   7d22h   v1.18.18
k8s-node03   Ready    <none>   7d22h   v1.18.18

    此实验参考 kubernetes官网calico官网

    web命名空间跑业务容器,client命名空间跑测试业务容器,以下是容器的运行情况

    $ kubectl get pod -n web -owide 
NAME                    READY   STATUS    RESTARTS   AGE    IP             NODE         NOMINATED NODE   READINESS GATES
http-647dffb4db-vwxmf   1/1     Running   0          17s    20.0.58.213    k8s-node02   <none>           <none>
nginx-5cd55947c-jfgpd   1/1     Running   1          6h8m   20.0.235.233   k8s-master   <none>           <none>

$ kubectl get pod -n client -owide    
NAME                       READY   STATUS    RESTARTS   AGE     IP             NODE         NOMINATED NODE   READINESS GATES
busybox-5778d9f5ff-dsfxd   1/1     Running   1          5h50m   20.0.135.156   k8s-node03   <none>           <none>
centos-6774cc9984-84wlh    1/1     Running   0          6m45s   20.0.85.222    k8s-node01   <none>           <none>

    限制任何pod进入web命名空间的任何pod,下面的实验都基于这个限制。

    $ cat > web-np-deny.yaml <<-EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-deny
  namespace: web
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
EOF

$ kubectl apply -f web-np-deny.yaml
networkpolicy.networking.k8s.io/web-deny created

    网络策略分类

    ipBlock

    # 不同IP段,设置前验证
$ kubectl exec -it busybox-5778d9f5ff-dsfxd -n client -- wget -q --timeout=3 http.web.svc.cluster.local -O -
wget: download timed out
command terminated with exit code 1

$ kubectl exec -it centos-6774cc9984-84wlh -n client -- wget -q --timeout=3 http.web.svc.cluster.local -O -
wget: download timed out
command terminated with exit code 1

$ cat > web-np-ipblock.yaml<<-EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-ipblock
  namespace: web
spec:
  podSelector:
    matchLabels:
      app: httpd
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 20.0.0.0/16
        except:
        - 20.0.135.0/24
    ports:
    - port: 80
      protocol: TCP
EOF

$ kubectl apply -f web-np-ipblock.yaml 
networkpolicy.networking.k8s.io/web-ipblock created

# 设置后验证
$ kubectl exec -it centos-6774cc9984-84wlh -n client -- wget -q --timeout=3 http.web.svc.cluster.local -O -
<html><body><h1>It works!</h1></body></html>

$ kubectl exec -it busybox-5778d9f5ff-dsfxd -n client -- wget -q --timeout=3 http.web.svc.cluster.local -O -
wget: download timed out
command terminated with exit code 1

    注意: ingress下的字段。如果是 与 的关系,那么不需要用 - 。如果是 或 的关系,请使用 -
    上面的示例是 20.0.0.0/16 网段,除了 20.0.135.0/24 之外,在这个范围的所有IP地址都可以访问 web 命名空间下带有 app=httpd 标签pod的 80 端口。

    namespaceSelector

    # 不同命名空间,设置前测试
$  kubectl -n web exec -it busybox-5778d9f5ff-dsfxd -- curl --connect-time 3 http.web.svc.cluster.local
curl: (28) Connection timed out after 3001 milliseconds
command terminated with exit code 28

$ cat > web-np-web-allow.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow
  namespace: web
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: client
EOF

$ kubectl apply -f web-np-web-allow.yaml
networkpolicy.networking.k8s.io/web-allow created

# 设置后测试
$ kubectl -n web exec -it busybox-5778d9f5ff-dsfxd -- curl --connect-time 3 http.web.svc.cluster.local
<html><body><h1>It works!</h1></body></html>

    上面的示例是允许命名空间 client 下的所有pod可以访问命名空间 web 下的所有pod。

    podSelector

    # 相同命名空间不同pod,设置前验证
$  kubectl -n web exec -it nginx-5cd55947c-jfgpd -- curl --connect-timeout 3 http.web.svc.cluster.local
curl: (28) Connection timed out after 3000 milliseconds
command terminated with exit code 28

$ cat > web-np-web-allow.yaml<<-EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow
  namespace: web
spec:
  podSelector:
    matchLabels:
      app: httpd
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx
EOF

$ kubectl apply -f web-np-web-allow.yaml
networkpolicy.networking.k8s.io/web-allow created

# 设置后验证
$ kubectl -n web exec -it nginx-5cd55947c-jfgpd -- curl --connect-timeout 3 http.web.svc.cluster.local
<html><body><h1>It works!</h1></body></html>

    允许命名空间 web 下,带有 app=nginx 的pod,允许访问 web 命名空间下,带有 app=httpd 的pod。

    namespaceSelector 和 podSelector

    # 不同命名空间下特定pod访问,设置前访问
$ kubectl -n client exec -it busybox-5778d9f5ff-dsfxd -- wget -q --timeout=3 http.web.svc.cluster.local -O -
wget: download timed out
command terminated with exit code 1

$ kubectl -n client exec -it centos-6774cc9984-84wlh -- wget -q --timeout=3 nginx.web.svc.cluster.local -O -
wget: download timed out
command terminated with exit code 1

$ cat > web-np-clientPod-allow.yaml <<-EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: clientpod-allow
  namespace: web
spec:
  podSelector:
    matchLabels:
      app: httpd
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: client
      namespaceSelector:
        matchLabels:
          role: client
    ports:
    - port: 80
      protocol: TCP
EOF

$ kubectl apply -f web-np-clientPod-allow.yaml 
networkpolicy.networking.k8s.io/clientpod-allow created

# 设置后访问
$ kubectl -n client exec -it busybox-5778d9f5ff-dsfxd -- wget -q --timeout=3 http.web.svc.cluster.local -O -
<html><body><h1>It works!</h1></body></html>

$ kubectl -n client exec -it centos-6774cc9984-84wlh -- wget -q --timeout=3 nginx.web.svc.cluster.local -O -
wget: download timed out
command terminated with exit code 1

    上面的示例是允许命名空间带有 role=client 的标签 且 pod带有 app=client 的标签去访问 httpd 80 端口的服务。

    扩展知识

    其实上面的网络策略是由 calico 网络插件来实现的,如果上面的网络策略限制的不精准的话,可以直接查看calico生成的网络策略。

    $ calicoctl get networkpolicy -n web
NAMESPACE   NAME                          
web         knp.default.clientpod-allow   
web         knp.default.web-deny

$ calicoctl get networkpolicy -n web knp.default.clientpod-allow -oyaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  creationTimestamp: "2021-08-23T01:54:45Z"
  name: knp.default.clientpod-allow
  namespace: web
  resourceVersion: "1743939"
  uid: 989ac5e1-239b-4428-a3d7-82612e642ad9
spec:
  ingress:
  - action: Allow
    destination:
      ports:
      - 80
    protocol: TCP
    source:
      namespaceSelector: role == 'client'
      selector: projectcalico.org/orchestrator == 'k8s' && app == 'client'
  order: 1000
  selector: projectcalico.org/orchestrator == 'k8s' && app == 'httpd'
  types:
  - Ingress

    calico 网络策略出现两个 action 参数。那说明有两个规则生效,导致权限控制不精准。
  • 相关阅读:
    单例模式-Singlleton
    C#中静态与非静态方法比较
    关于orcale的数据库脚本,记录下来,方便自己以后用到查找
    关于Oracle和SQLServer数据库在.net中拼接数据库语句的不同
    Oracle数据类型与.NET中的对应关系
    Got a packet bigger than 'max_allowed_packet' bytes
    .NET、C#和ASP.NET三者之间的区别(转)
    The use specified as definer('root'@'%') does not exist的解决办法
    app.config .exe.config .vshost.exe.config配置
    python学习:(3)自动化表单提交
  • 原文地址:https://www.cnblogs.com/mycloudedu/p/15167057.html
Copyright © 2020-2023  润新知