k8s Network Policies
2023-09-11 14:20:30
1. NetworkPolicy
NetworkPolicy is a standard resource type in the Kubernetes API. It is defined over a set of pods and specifies the rules that control inbound (Ingress) and outbound (Egress) pod traffic.
Important concepts in a NetworkPolicy resource:
Pod group: the set of pods selected by podSelector through a matchLabels or matchExpressions label selector, i.e. the pods on which the policy takes effect
Ingress: the policy for traffic entering the pods; it can define source endpoints (spec.ingress.from) and destination ports (spec.ingress.ports)
Egress: the policy for traffic leaving the pods; it can define destination endpoints (spec.egress.to) and destination ports (spec.egress.ports)
Endpoints (to, from): defined with a namespaceSelector or an ipBlock
1.1 Experiment
Namespace: demov10
```yaml
kind: Namespace
apiVersion: v1
metadata:
  name: demov10
  namespace: demov10
  labels:
    project: demov10
---
kind: Service
apiVersion: v1
metadata:
  name: demov10
  namespace: demov10
spec:
  selector:
    app: demov10
  ports:
  - name: demov10
    port: 80
    targetPort: 80
    protocol: TCP
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: demov10
  namespace: demov10
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demov10
  template:
    metadata:
      name: demov10
      namespace: demov10
      labels:
        app: demov10
    spec:
      containers:
      - name: demov10
        image: ikubernetes/demoapp:v1.0
        imagePullPolicy: Always
        ports:
        - name: demov10
          containerPort: 80
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 50m
            memory: 50Mi
```
Namespace: demov11
```yaml
kind: Namespace
apiVersion: v1
metadata:
  name: demov11
  namespace: demov11
  labels:
    project: demov11
---
kind: Service
apiVersion: v1
metadata:
  name: demov11
  namespace: demov11
spec:
  selector:
    app: demov11
  ports:
  - name: demov11
    port: 80
    targetPort: 80
    protocol: TCP
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: demov11
  namespace: demov11
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demov11
  template:
    metadata:
      name: demov11
      namespace: demov11
      labels:
        app: demov11
    spec:
      containers:
      - name: demov11
        image: ikubernetes/demoapp:v1.1
        imagePullPolicy: Always
        ports:
        - name: demov11
          containerPort: 80
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 50m
            memory: 50Mi
```
1.1.1 Set a policy for the pods in the demov10 namespace so that:
ingress: only pods in the same namespace can reach them
egress: they can reach the external network
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allown
  namespace: demov10
spec:
  podSelector:                 # select the pods by label
    matchLabels:
      app: demov10
  policyTypes: ["Ingress","Egress"]
  ingress:
  # - from:
  #   - namespaceSelector:
  #       matchLabels:
  #         project: demov10
  #   - ipBlock:
  #       cidr: 10.200.0.0/24
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: project
          operator: In
          values: ["demov10"]  # only traffic from pods in this namespace may enter
    ports:
    - protocol: TCP
      port: 80                 # only port 80 is exposed
  egress:
  - to:
    - namespaceSelector:
        matchExpressions:
        - key: project
          operator: In
          values: ["demov10"]  # allow access to pods in this namespace
    - ipBlock:
        except:
        - 10.200.0.0/16        # deny access to the cluster pod CIDR
        cidr: 0.0.0.0/0
  - to:
    - ipBlock:
        cidr: 10.200.0.0/16
    ports:
    - protocol: UDP
      port: 53                 # allow DNS within the pod CIDR
```
Verification:
demov10:
demov11:
Accessing demov10 pods from pods in demov11: none of the requests succeed
They cannot be reached from the node either:
1.2 Isolating namespaces
Namespaces should generally be isolated from one another, but it is usually necessary to allow traffic between the namespace's own pods, requests from the namespaces reserved for cluster management applications (such as kube-system and kubernetes-dashboard), and the DNS service. For example, give demov10 a default policy:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default              # policy name
  namespace: demov10         # namespace in which the policy takes effect
spec:
  podSelector: {}            # pods the policy applies to; {} means all pods
  policyTypes: ["Ingress","Egress"]   # policy types
  ingress:                   # inbound traffic
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values: [demov10,demov11,kube-system,logs,monitoring,kubernetes-dashboard]
  egress:                    # outbound traffic
  - to:
    - namespaceSelector:
        matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values: ["demov10"]
  - to:
    ports:
    - protocol: UDP
      port: 53
  - to:                      # to the apiserver
    - ipBlock:
        cidr: 10.0.2.200/32
    ports:
    - protocol: TCP
      port: 6443
```
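Before applying policies like the two above, it helps to check how their rules compose: rules in a list are OR'd, while within one rule a peer AND a port must match, and an empty `to:` (as in the default policy's DNS rule) means any destination. The following Python evaluator is an added example, not code from the original post or from Kubernetes; it transcribes the allown policy's rule lists by hand and, like the post's DNS carve-out, assumes ipBlock peers are matched against pod IPs as well as external ones. The pod IPs and namespace labels used in the checks are constructed.

```python
import ipaddress

# Rule lists of the allown policy above, transcribed by hand into Python
# (constructed for this example, not generated from the cluster).
ALLOWN_INGRESS = [{"from": [{"namespaceSelector": {"matchExpressions": [
    {"key": "project", "operator": "In", "values": ["demov10"]}]}}],
    "ports": [{"protocol": "TCP", "port": 80}]}]
ALLOWN_EGRESS = [
    {"to": [{"namespaceSelector": {"matchExpressions": [
        {"key": "project", "operator": "In", "values": ["demov10"]}]}},
            {"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.200.0.0/16"]}}]},
    {"to": [{"ipBlock": {"cidr": "10.200.0.0/16"}}],
     "ports": [{"protocol": "UDP", "port": 53}]},
]

def selector_matches(selector, labels):
    """Label selector: every matchLabels pair and every In/NotIn expression must hold."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        present = labels.get(expr["key"]) in expr.get("values", [])
        if (expr["operator"] == "In" and not present) or (expr["operator"] == "NotIn" and present):
            return False
    return True

def peer_matches(peer, ns_labels, ip):
    """A peer is a namespaceSelector (cluster pods only) or an ipBlock with optional except."""
    if "namespaceSelector" in peer:
        return ns_labels is not None and selector_matches(peer["namespaceSelector"], ns_labels)
    block, addr = peer["ipBlock"], ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(c) for c in block.get("except", []))

def allowed(rules, peer_key, ns_labels, ip, protocol, port):
    """Traffic passes if ANY rule matches; within a rule, some peer AND some port must match.
    An empty/None peer list means any endpoint; an empty/None port list means any port."""
    for rule in rules:
        peers, ports = rule.get(peer_key) or [], rule.get("ports") or []
        peer_ok = not peers or any(peer_matches(p, ns_labels, ip) for p in peers)
        port_ok = not ports or any(
            p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
        if peer_ok and port_ok:
            return True
    return False
```

Running it with ns_labels set to None for an external address shows the behaviour verified in 1.1.1: a demov11 pod is refused on port 80, while the demov10 pods still reach the internet and UDP 53 inside the pod CIDR.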