LAB-05: Network Policies
LAB requirements
In namespace fubar, create a NetworkPolicy named allow-port-from-namespace that only allows pods in namespace my-app to connect to port 80 of the pods in fubar.
Note: two namespaces are involved here: fubar (the namespace of the target pods) and my-app (the namespace of the source pods). So look up the labels of my-app and put the matching labels in the namespaceSelector.
LAB setup
# 1. Configure the two namespaces
# Create the fubar namespace resource
user1@k8s-master:~/cka/5$ cat ns-fubar.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: fubar
# Create the my-app namespace resource
user1@k8s-master:~/cka/5$ cat ns-my-app.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-app
# Apply the fubar namespace resource
user1@k8s-master:~/cka/5$ kubectl apply -f ns-fubar.yaml
namespace/fubar created
# Apply the my-app namespace resource
user1@k8s-master:~/cka/5$ kubectl apply -f ns-my-app.yaml
namespace/my-app created
# List the namespace resources
user1@k8s-master:~$ kubectl get ns | grep -e fubar -e my-app
fubar Active 23h
my-app Active 23h
# 2. Create one pod in each namespace, fubar and my-app
# Create the pod in fubar that serves port 80
user1@k8s-master:~/cka/5$ cat fubar-nginx-app-pod-80.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-pod
  namespace: fubar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.18.0
        imagePullPolicy: IfNotPresent
# Deploy the pod
user1@k8s-master:~/cka/5$ kubectl apply -f fubar-nginx-app-pod-80.yaml
deployment.apps/nginx-pod created
# Create the pod in my-app that acts as the client
user1@k8s-master:~/cka/5$ cat my-app-client-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: client-pod-1
  namespace: my-app
  labels:
    app: client-pod-1
spec:
  containers:
  - name: client-pod
    image: centos:7
    command: ["/bin/bash","-c","sleep 3600"]
# Deploy the pod
user1@k8s-master:~/cka/5$ kubectl apply -f my-app-client-pod.yaml
pod/client-pod-1 created
# 3. Test access: port 80 is reachable and ping works
# Get the address of the pod in fubar
user1@k8s-master:~$ kubectl get pod -o wide -n fubar
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-pod-744d557cd6-m7n5t 1/1 Running 2 (7h49m ago) 23h 10.244.140.84 k8s-node-2 <none> <none>
# Test with curl: reachable
user1@k8s-master:~$ kubectl exec -n my-app client-pod-1 -- curl -s 10.244.140.84
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
# Test with ping: reachable
user1@k8s-master:~$ kubectl exec -n my-app client-pod-1 -- ping 10.244.140.84
PING 10.244.140.84 (10.244.140.84) 56(84) bytes of data.
64 bytes from 10.244.140.84: icmp_seq=1 ttl=62 time=0.471 ms
64 bytes from 10.244.140.84: icmp_seq=2 ttl=62 time=0.524 ms
LAB answer
# Switch context
$ kubectl config use-context k8s
# Create the network policy
user1@k8s-master:~/cka-2022-05-01/5$ cat netwotkpolicy.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: fubar
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: my-app
    ports:
    - protocol: TCP
      port: 80
# Apply the network policy
user1@k8s-master:~/cka-2022-05-01/5$ kubectl apply -f netwotkpolicy.yml
networkpolicy.networking.k8s.io/allow-port-from-namespace created
LAB verification
# Show the network policy in detail
user1@k8s-master:~/cka-2022-05-01/5$ kubectl describe -n fubar networkpolicies.networking.k8s.io
Name:         allow-port-from-namespace
Namespace:    fubar
Created on:   2022-05-02 20:35:45 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: kubernetes.io/metadata.name=my-app
  Not affecting egress traffic
  Policy Types: Ingress
# Test port 80 access and ping
# curl works
user1@k8s-master:~$ kubectl exec -n my-app client-pod-1 -- curl -s 10.244.140.84
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
# ping does not get through
user1@k8s-master:~$ kubectl exec -n my-app client-pod-1 -- ping 10.244.140.84
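To reproduce the verification result without a cluster, here is an added Python evaluator (not part of the lab) that models this page's allow-port-from-namespace policy and reports whether a source with given namespace labels, protocol and port would be admitted; it goes slightly beyond the lab by also handling the same-namespace rule for `from` peers that carry only a podSelector. The label names and pod labels come from the page; `NS_NAME`, `POLICY` and the function names are assumptions of this example.

```python
NS_NAME = "kubernetes.io/metadata.name"  # label the API server sets on every namespace

# The lab's policy as a dict (same content as the YAML above; constructed so no YAML parser is needed).
POLICY = {
    "metadata": {"name": "allow-port-from-namespace", "namespace": "fubar"},
    "spec": {
        "podSelector": {"matchLabels": {}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {NS_NAME: "my-app"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}

def selector_matches(selector, labels):
    """matchLabels-only selector; an empty selector matches everything, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, src_ns_labels, src_pod_labels):
    """One `from` entry. namespaceSelector and podSelector in the same entry are ANDed;
    a podSelector without a namespaceSelector only matches pods in the policy's own namespace."""
    if "ipBlock" in peer:
        return False  # not used by this lab; treated as no match here
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = (selector_matches(ns_sel, src_ns_labels) if ns_sel is not None
             else src_ns_labels.get(NS_NAME) == policy_ns)  # no ns selector: same namespace only
    pod_ok = pod_sel is None or selector_matches(pod_sel, src_pod_labels)
    return ns_ok and pod_ok

def ingress_allowed(policy, dst_pod_labels, src_ns_labels, src_pod_labels, protocol, port=None):
    """Allow/deny one connection under this policy alone (policies are additive).
    ICMP has no port, so it can only pass a rule that has no `ports` list."""
    spec = policy["spec"]
    if not selector_matches(spec["podSelector"], dst_pod_labels):
        return True  # destination pod is not selected, so this policy does not isolate it
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True  # policy only restricts egress
    for rule in spec.get("ingress", []):
        peers, ports = rule.get("from"), rule.get("ports")
        peer_ok = peers is None or any(
            peer_matches(p, policy["metadata"]["namespace"], src_ns_labels, src_pod_labels)
            for p in peers)
        port_ok = ports is None or any(
            pp.get("protocol", "TCP") == protocol and pp.get("port") == port for pp in ports)
        if peer_ok and port_ok:
            return True
    return False  # no rule matched: the packet is dropped
```

Run with the page's labels (destination app=nginx, source namespace my-app, pod app=client-pod-1) and it admits TCP/80 but denies ICMP, which is exactly what the curl and ping tests above show.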
References
- https://kubernetes.io/zh/docs/concepts/services-networking/network-policies/