Kubernetes CKS 2021--网络策略networkpolicy
Kubernetes网络 -- 策略 2021
2023-09-11 14:15:45 时间
Kubernetes NetworkPolicy 实战
tags: NetworkPolicy
文章目录
1. NetworkPolicy 策略
k8s官网: network policies
2. Practice - Frontend to Backend traffic
root@master:~# k run frontend --image=nginx
pod/frontend created
root@master:~# k run backend --image=nginx
pod/backend created
root@master:~# k expose pod frontend --port 80
service/frontend exposed
root@master:~# k expose pod backend --port 80
service/backend exposed
root@master:~# k get pods,svc
NAME READY STATUS RESTARTS AGE
pod/backend 1/1 Running 0 49s
pod/frontend 1/1 Running 0 58s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/backend ClusterIP 10.104.232.138 <none> 80/TCP 14s
service/frontend ClusterIP 10.111.199.32 <none> 80/TCP 23s
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 91d
root@master:~# k exec frontend -- curl backend
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 11547 0 --:--:-- --:--:-- --:--:-- 11547
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@master:~# k exec backend -- curl frontend
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 119k 0 --:--:-- --:--:-- --:--:-- 119k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@master:~# vim default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny
namespace: default
spec:
podSelector: {}
policyTypes:
- Egress
- Ingress
root@master:~# k create -f default-deny.yaml
networkpolicy.networking.k8s.io/deny created
root@master:~# vim frontend.yaml
# allows frontend pods to communicate with backend pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: frontend
namespace: default
spec:
podSelector:
matchLabels:
run: frontend
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
run: backend
root@master:~# k -f frontend.yaml create
networkpolicy.networking.k8s.io/frontend created
root@master:~# k exec frontend -- curl backend
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:08 --:--:-- 0
root@master:~# vim backend.yaml
# allows backend pods to have incoming traffic from frontend pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend
namespace: default
spec:
podSelector:
matchLabels:
run: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
run: frontend
root@master:~# k -f backend.yaml create
networkpolicy.networking.k8s.io/backend created
root@master:~# k exec frontend -- curl backend
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:08 --:--:-- 0
root@master:~# k get pods --show-labels -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
backend 1/1 Running 0 29m 192.168.104.27 node2 <none> <none> run=backend
frontend 1/1 Running 0 30m 192.168.166.179 node1 <none> <none> run=frontend
root@master:~# k exec frontend -- curl 192.168.104.27
% Total % Received % X<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
ferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 18545 0 --:--:-- --:--:-- --:--:-- 19125
root@master:~# k exec backend -- curl 192.168.166.179
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
100 612 100 612 0 0 298k 0 --:--:-- --:--:-- --:--:-- 298k
3. Practice - Backend to Database traffic
kubectl create ns cassandra
kubectl edit ns cassandra
apiVersion: v1
kind: Namespace
metadata:
creationTimestamp: "2021-04-20T07:19:22Z"
name: cassandra
resourceVersion: "533198"
uid: 766ae069-4dc9-4acd-a4db-ce852c293cc6
labels: #添加
ns: cassandra #添加
spec:
finalizers:
- kubernetes
status:
phase: Active
root@master:~# k -n cassandra run cassandra --image=nginx
pod/cassandra created
root@master:~# k -n cassandra get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
cassandra 1/1 Running 0 73m 192.168.104.26 node2 <none> <none>
root@master:~# k exec backend -- curl 192.168.104.26
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 597k 0 --:--:-- --:--:-- --:--:-- 0
vim backend.yaml
# allows backend pods to have incoming traffic from frontend pods and to cassandra namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend
namespace: default
spec:
podSelector:
matchLabels:
run: backend
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
run: frontend
egress:
- to:
- namespaceSelector:
matchLabels:
ns: cassandra
root@master:~# k apply -f backend.yaml
Warning: resource networkpolicies/backend is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
networkpolicy.networking.k8s.io/backend configured
root@master:~# k exec backend -- curl 192.168.104.26
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 597k 0 --:--:-- --:--:-- --:--:-- 597k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@master:~# cat cassandra-deny.yaml
# deny all incoming and outgoing traffic from all pods in namespace cassandra
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: cassandra-deny
namespace: cassandra
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
root@master:~# k create -f cassandra-deny.yaml
networkpolicy.networking.k8s.io/cassandra-deny created
root@master:~# k exec backend -- curl 192.168.104.26
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0^C
# allows cassandra pods having incoming connection from backend namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: cassandra
namespace: cassandra
spec:
podSelector:
matchLabels:
run: cassandra
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
ns: default
root@master:~# k create -f cassandra.yaml
networkpolicy.networking.k8s.io/cassandra created
root@master:~# k edit ns default
apiVersion: v1
kind: Namespace
metadata:
creationTimestamp: "2021-01-19T03:27:58Z"
labels: #添加
ns: default #添加
name: default
resourceVersion: "541475"
uid: 2d566715-f0a4-49b3-b590-dfa7df30d0ba
spec:
finalizers:
- kubernetes
status:
phase: Active
root@master:~# k exec backend -- curl 192.168.104.26
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 298k 0 --:--:-- --:--:-- --:--:-- 597k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
参考:
相关文章
- 【华为云技术分享】跟唐老师学习云网络 - Kubernetes网络实现
- kubernetes创建pod
- Kubernetes 容器网络模型和典型实现
- kubernetes 服务发现 Node_Exporter 监控 Kubernetes 集群节点
- Jenkins X:基于Kubernetes的CI/CD平台
- 【云原生 | Kubernetes 系列】--Envoy日志保存
- 使用Kubernetes里的job计算圆周率后2000位
- k2.第一章 基于kubeadm安装kubernetes v1.20 -- 集群部署(二)
- 《Kubernetes网络权威指南》读书笔记 | 打通CNI与Kubernetes:Kubernetes网络驱动
- 《Kubernetes网络权威指南》读书笔记 | 终于等到你:Kubernetes网络
- 《Kubernetes网络权威指南》读书笔记 | 如何做好技术选型:容器组网方案沙场点兵
- 《Kubernetes网络权威指南》读书笔记 | 打开万花筒:Docker的四大网络模式
- 《Kubernetes网络权威指南》读书笔记 | 主角登场:Linux容器
- 《Kubernetes网络权威指南》读书笔记 | Macvlan的救护员:IPvlan
- 《Kubernetes网络权威指南》读书笔记 | iptables
- 《Kubernetes网络权威指南》读书笔记 | 千呼万唤始出来:veth pair
- Kubernetes集群Pod控制器之Job控制器(二十六)
- 【云原生 • Kubernetes】kubernetes 核心技术 - Label 和 Selector
- Kubernetes 高可用的APIServer
- Kubernetes 调度过程
- Kubernetes 存储管理:怎样对业务数据进行持久化存储?
- Kubernetes ELK日志采集思路
- 【云原生 | Kubernetes 系列】---AlertManager安装及告警发送
- 【云原生 | Kubernetes 系列】---CephFS和OSS
- Kubernetes 网络基础知识
- Kubernetes_CNI_Calico_Calico的网络策略NetworkPolicy
- Kubernetes部署_使用kubernetes部署prometheus+grafana监控系统(Kubernetes工作实践类)