• Kubernetes Network Policy


    The fields are defined as follows:

    // NetworkPolicySpec provides the specification of a NetworkPolicy
    type NetworkPolicySpec struct {
        // Selects the pods to which this NetworkPolicy object applies. The array of
        // ingress rules is applied to any pods selected by this field. Multiple network
        // policies can select the same set of pods. In this case, the ingress rules for
        // each are combined additively. This field is NOT optional and follows standard
        // label selector semantics. An empty podSelector matches all pods in this
        // namespace.
        PodSelector metav1.LabelSelector `json:"podSelector" protobuf:"bytes,1,opt,name=podSelector"`
    
        // List of ingress rules to be applied to the selected pods. Traffic is allowed to
        // a pod if there are no NetworkPolicies selecting the pod
        // (and cluster policy otherwise allows the traffic), OR if the traffic source is
        // the pod's local node, OR if the traffic matches at least one ingress rule
        // across all of the NetworkPolicy objects whose podSelector matches the pod. If
        // this field is empty then this NetworkPolicy does not allow any traffic (and serves
        // solely to ensure that the pods it selects are isolated by default)
        // +optional
        Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"`
    
        // List of egress rules to be applied to the selected pods. Outgoing traffic is
        // allowed if there are no NetworkPolicies selecting the pod (and cluster policy
        // otherwise allows the traffic), OR if the traffic matches at least one egress rule
        // across all of the NetworkPolicy objects whose podSelector matches the pod. If
        // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
        // solely to ensure that the pods it selects are isolated by default).
        // This field is beta-level in 1.8
        // +optional
        Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
    
        // List of rule types that the NetworkPolicy relates to.
        // Valid options are "Ingress", "Egress", or "Ingress,Egress".
        // If this field is not specified, it will default based on the existence of Ingress or Egress rules;
        // policies that contain an Egress section are assumed to affect Egress, and all policies
        // (whether or not they contain an Ingress section) are assumed to affect Ingress.
        // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
        // Likewise, if you want to write a policy that specifies that no egress is allowed,
        // you must specify a policyTypes value that include "Egress" (since such a policy would not include
        // an Egress section and would otherwise default to just [ "Ingress" ]).
        // This field is beta-level in 1.8
        // +optional
        PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"`
    }
    
    // NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
    // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
    type NetworkPolicyIngressRule struct {
        // List of ports which should be made accessible on the pods selected for this
        // rule. Each item in this list is combined using a logical OR. If this field is
        // empty or missing, this rule matches all ports (traffic not restricted by port).
        // If this field is present and contains at least one item, then this rule allows
        // traffic only if the traffic matches at least one port in the list.
        // +optional
        Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
    
        // List of sources which should be able to access the pods selected for this rule.
        // Items in this list are combined using a logical OR operation. If this field is
        // empty or missing, this rule matches all sources (traffic not restricted by
        // source). If this field is present and contains at least one item, this rule
        // allows traffic only if the traffic matches at least one item in the from list.
        // +optional
        From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
    }
    
    // NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
    // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
    // This type is beta-level in 1.8
    type NetworkPolicyEgressRule struct {
        // List of destination ports for outgoing traffic.
        // Each item in this list is combined using a logical OR. If this field is
        // empty or missing, this rule matches all ports (traffic not restricted by port).
        // If this field is present and contains at least one item, then this rule allows
        // traffic only if the traffic matches at least one port in the list.
        // +optional
        Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
    
        // List of destinations for outgoing traffic of pods selected for this rule.
        // Items in this list are combined using a logical OR operation. If this field is
        // empty or missing, this rule matches all destinations (traffic not restricted by
        // destination). If this field is present and contains at least one item, this rule
        // allows traffic only if the traffic matches at least one item in the to list.
        // +optional
        To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"`
    }

    .spec.podSelector

    As the name suggests, this is the pod selector: it selects, by label, pods in the same namespace as the NetworkPolicy, and the rules defined in the NetworkPolicy are applied to every pod it selects. The field can be left out; when it is absent the policy selects all pods in the namespace. This is consistent with the type definition above, which marks the field as required but states that an empty podSelector matches all pods in the namespace.

    .spec.policyTypes

    The rules a NetworkPolicy defines come in two kinds: Ingress rules, for traffic entering the pod, and Egress rules, for traffic leaving it. This field can be thought of as a switch: if it contains Ingress, the rules in the ingress section take effect; if it contains Egress, the rules in the egress section take effect; if it contains both, both take effect. This field is optional as well: when it is not specified, Ingress is in effect by default, and Egress is in effect only if the egress section is defined. To understand that sentence, as discussed below, note that an ingress or egress section that is not explicitly defined is still a rule, the default rule, rather than no rule at all. The type comments above spell out the practical consequence: a policy whose policyTypes includes Egress but has no egress section denies all egress from the selected pods, and an egress-only policy must state policyTypes: ["Egress"] explicitly, otherwise it defaults to Ingress and isolates the pods' inbound traffic instead.

    .spec.ingress and .spec.egress

    The former defines rules for traffic entering the pod, the latter for traffic leaving it; see the reference for the details, only the key points are covered here. In the demo example, ingress and egress each contain a single rule, but both are arrays and may hold several rules. When there are several, the entries are combined with a logical OR: matching any one of them is enough. .spec.ingress[].from
    is also an array whose members describe the external sources allowed to reach the pod; only a source that matches may connect. A source can be described in several ways, as the example shows: an IP address block, a namespace, or pod labels. The members of this array are likewise ORed together. .spec.ingress[].ports lists the protocols and port numbers that are allowed through; within a single rule, the traffic must match both the from list and the ports list (a logical AND), as the type comments above state.

    .spec.egress[].to defines the external destinations the pod is allowed to reach; everything else works the same way as for ingress.

    Demo example:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: test-network-policy
      namespace: default
    spec:
      podSelector:
        matchLabels:
          role: db
      policyTypes:
      - Ingress
      - Egress
      ingress:
      - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
            - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
        ports:
        - protocol: TCP
          port: 6379
      egress:
      - to:
        - ipBlock:
            cidr: 10.0.0.0/24
        ports:
        - protocol: TCP
          port: 5978
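    To make these semantics concrete, here is an added example (not code from the page or from Kubernetes) that evaluates a policy shaped like the demo above against a single connection, covering the OR-within-lists, AND-between-ports-and-from, isolation-by-selection and policyTypes-defaulting behaviour described earlier. It assumes label selectors reduced to matchLabels and peers reduced to podSelector entries; the ipBlock and namespaceSelector peers of the demo are not modelled.

```python
"""Toy evaluator for the NetworkPolicy semantics in the spec comments above.
Added example, not code from the page or from Kubernetes. Selectors are reduced to
matchLabels and peers to podSelector entries (ipBlock and namespaceSelector peers
are not modelled); a port is a (protocol, number) pair such as ("TCP", 6379)."""

def selects(selector: dict, labels: dict) -> bool:
    # matchLabels: every listed key/value must be present; {} or omitted matches all
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def effective_policy_types(spec: dict) -> set:
    """Defaulting: Ingress always applies, Egress only if an egress section exists or
    policyTypes names it, so deny-all-egress needs an explicit policyTypes with Egress."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def port_matches(entry: dict, proto: str, num: int) -> bool:
    # protocol defaults to TCP; an entry without "port" matches every port number
    return entry.get("protocol", "TCP") == proto and entry.get("port", num) == num

def rule_matches(rule: dict, peer: dict, port: tuple, peer_key: str) -> bool:
    # ports AND from/to must both match; each list is an OR, and an empty list matches all
    ports, peers = rule.get("ports") or [], rule.get(peer_key) or []
    port_ok = not ports or any(port_matches(e, *port) for e in ports)
    peer_ok = not peers or any("podSelector" in p and selects(p["podSelector"], peer) for p in peers)
    return port_ok and peer_ok

def allowed(policies: list, direction: str, pod: dict, peer: dict, port: tuple) -> bool:
    """direction is "Ingress" (peer = source pod) or "Egress" (peer = destination pod).
    A pod selected by no policy of that type is not isolated and all traffic passes;
    otherwise some rule across all policies selecting it must match (they are additive)."""
    section, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for policy in policies:
        spec = policy["spec"]
        if direction not in effective_policy_types(spec) or not selects(spec.get("podSelector", {}), pod):
            continue
        isolated = True
        if any(rule_matches(r, peer, port, peer_key) for r in spec.get(section) or []):
            return True
    return not isolated

# Constructed sample modelled on the page's demo: role=db pods accept TCP/6379 only from
# role=frontend pods; policyTypes lists Egress with no egress section, so all egress is denied.
DB_POLICY = {"spec": {
    "podSelector": {"matchLabels": {"role": "db"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
                 "ports": [{"protocol": "TCP", "port": 6379}]}],
}}
```

    Calling allowed([DB_POLICY], "Egress", {"role": "db"}, {"role": "frontend"}, ("TCP", 5978)) returns False, while the same policy without policyTypes would leave egress from db pods unrestricted.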

    Reference link:

    https://www.cnblogs.com/tylerzhou/p/10995797.html

  • Original article: https://www.cnblogs.com/wangjq19920210/p/15020270.html