1. Firewall rules inside a Kubernetes cluster
2. Implemented by the network plugin (CNI, e.g. Calico or Weave)
3. Scoped at the namespace level
4. Restrict ingress and/or egress for a group of pods based on certain rules and conditions
Note: the prerequisite is a network solution (CNI plugin) that supports NetworkPolicy; without one, policies are accepted by the API server but not enforced.
By default there are no network policies, and:
- every pod can reach every other pod
- pods are not isolated
![image.png](https://img-blog.csdnimg.cn/img_convert/f3e7a5a8b2796fc72b4c45ffc9336529.png)
2.3. IP blocks (exception: traffic to and from the node a Pod runs on is always allowed, regardless of the Pod's or node's IP address)

3. Exercises

3.1. Create Default Deny NetworkPolicy: create a default-deny network policy

Analysis:
As above: create two pods from the standard nginx image, expose port 80 on each, then curl one from inside the other. Getting index.html back confirms the two containers can reach each other.
```
root@cks-master:~# kubectl run frontend --image=nginx
pod/frontend created
root@cks-master:~# kubectl run backend --image=nginx
pod/backend created
root@cks-master:~# kubectl expose pods frontend --port=80
service/frontend exposed
root@cks-master:~# kubectl expose pods backend --port=80
service/backend exposed
root@cks-master:~# kubectl get pods,svc
NAME           READY   STATUS    RESTARTS   AGE
pod/backend    1/1     Running   0          34s
pod/frontend   1/1     Running   0          39s

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/backend      ClusterIP   10.104.226.85   <none>        80/TCP    7s
service/frontend     ClusterIP   10.98.161.118   <none>        80/TCP    16s
service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   37d
root@cks-master:~# kubectl exec frontend curl backend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k
root@cks-master:~# kubectl exec backend curl frontend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
Open the Network Policies page in the official Kubernetes documentation (https://kubernetes.io/docs/concepts/services-networking/network-policies/), find the default-deny example and copy its contents.
```
root@cks-master:~/work# vim default-deny.yaml
root@cks-master:~/work# kubectl apply -f default-deny.yaml
networkpolicy.networking.k8s.io/default-deny created
root@cks-master:~/work# cat default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
root@cks-master:~/work# kubectl exec frontend curl backend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0^C
root@cks-master:~/work# kubectl exec backend curl frontend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:19 --:--:--     0
curl: (6) Could not resolve host: frontend
command terminated with exit code 6
```
The example above verifies that, with the default-deny NetworkPolicy in place, the backend and frontend services can no longer reach each other (the empty podSelector selects every pod in the namespace, and listing both policy types with no rules isolates them in both directions).
I think this part should be made a little more complex, as shown below:
```
# cat backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend
```
```
# cat frontend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: backend
```
Where the matchLabels values come from (`kubectl run <name>` labels the pod `run=<name>`, which is exactly what the selectors above match):
```
kubectl apply -f backend.yaml
kubectl apply -f frontend.yaml
```
But the connection still fails. Why?
We overlooked something fundamental: the policies never allow the name-resolution traffic through. Do you still remember the default DNS port? Service names inside Kubernetes are resolved by CoreDNS (older versions used kube-dns, and SkyDNS before that, if I remember correctly), and the frontend policy only permits egress to pods labelled run=backend, so the DNS query to CoreDNS is dropped. So DNS has to be allowed as well.
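To make the "why does it still fail" step concrete, here is an added example (not code from the original post) that models NetworkPolicy evaluation in plain Python: a pod becomes isolated in a direction once any policy selecting it lists that direction in policyTypes, and a connection then needs both the sender's egress and the receiver's ingress to be explicitly allowed. The three policies from the post (default-deny, backend, frontend) are embedded as dicts, together with an extra egress rule for port 53 of the same shape as the DNS fix applied next. The pod and namespace labels (a CoreDNS pod in kube-system labelled `k8s-app=kube-dns`, `kubernetes.io/metadata.name` on namespaces) are constructed assumptions; ipBlock peers and named ports are deliberately not modelled.

```python
"""Toy evaluator for Kubernetes NetworkPolicy semantics (podSelector,
namespaceSelector, ports, policyTypes). Added example; ipBlock and named
ports are not modelled."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace labels (assumption: only the metadata.name label exists).
NAMESPACE_LABELS = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}


def selector_matches(selector, labels):
    """{} matches everything; otherwise every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, other):
    """One entry of a from:/to: list. podSelector alone is scoped to the policy's
    own namespace; namespaceSelector alone matches any pod in matching namespaces;
    both together must both hold."""
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is None:
        if other.namespace != policy_ns:
            return False
    elif not selector_matches(ns_sel, NAMESPACE_LABELS.get(other.namespace, {})):
        return False
    if pod_sel is not None and not selector_matches(pod_sel, other.labels):
        return False
    return pod_sel is not None or ns_sel is not None


def port_matches(rule, port, protocol):
    """No ports: list means every port; otherwise port+protocol must be listed."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def direction_allowed(pod, other, port, protocol, policies, direction):
    """direction is 'Ingress' (pod receives from other) or 'Egress' (pod sends to other)."""
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"].get("namespace", "default") != pod.namespace:
            continue
        if not selector_matches(spec.get("podSelector", {}), pod.labels):
            continue
        # policyTypes defaults to Ingress, plus Egress when egress rules exist.
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if direction not in types:
            continue
        isolated = True  # selected in this direction: only explicit rules allow traffic
        for rule in spec.get(key) or []:
            peers = rule.get(peer_key) or []  # empty from:/to: means any peer
            if (not peers or any(peer_matches(p, pod.namespace, other) for p in peers)) \
                    and port_matches(rule, port, protocol):
                return True
    return not isolated


def connection_allowed(src, dst, port, protocol, policies):
    """A flow needs the source's egress AND the destination's ingress to be allowed."""
    return (direction_allowed(src, dst, port, protocol, policies, "Egress")
            and direction_allowed(dst, src, port, protocol, policies, "Ingress"))


# The three policies from the post, as dicts mirroring the YAML.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "default"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
BACKEND = {"metadata": {"name": "backend", "namespace": "default"},
           "spec": {"podSelector": {"matchLabels": {"run": "backend"}}, "policyTypes": ["Ingress"],
                    "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "frontend"}}}]}]}}
FRONTEND = {"metadata": {"name": "frontend", "namespace": "default"},
            "spec": {"podSelector": {"matchLabels": {"run": "frontend"}}, "policyTypes": ["Egress"],
                     "egress": [{"to": [{"podSelector": {"matchLabels": {"run": "backend"}}}]}]}}
# Egress rule allowing DNS (port 53) to any destination, for every pod in the namespace.
ALLOW_DNS = {"metadata": {"name": "allow-dns", "namespace": "default"},
             "spec": {"podSelector": {}, "policyTypes": ["Egress", "Ingress"],
                      "egress": [{"ports": [{"port": 53, "protocol": "TCP"},
                                            {"port": 53, "protocol": "UDP"}]}]}}

FRONTEND_POD = Pod("frontend", "default", {"run": "frontend"})
BACKEND_POD = Pod("backend", "default", {"run": "backend"})
COREDNS_POD = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})  # constructed


def scenario():
    """Reproduce the post's failure (DNS blocked) and the state after allowing port 53."""
    before = [DEFAULT_DENY, BACKEND, FRONTEND]
    after = before + [ALLOW_DNS]
    return {
        "dns_before": connection_allowed(FRONTEND_POD, COREDNS_POD, 53, "UDP", before),
        "dns_after": connection_allowed(FRONTEND_POD, COREDNS_POD, 53, "UDP", after),
        "frontend_to_backend": connection_allowed(FRONTEND_POD, BACKEND_POD, 80, "TCP", after),
        "backend_to_frontend": connection_allowed(BACKEND_POD, FRONTEND_POD, 80, "TCP", after),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {'allowed' if v else 'blocked'}")
```

`dns_before` comes out blocked because the frontend policy's podSelector-only peer is confined to the default namespace and CoreDNS lives in kube-system; once the port-53 egress rule is added, DNS and frontend-to-backend on port 80 are allowed while backend-to-frontend stays blocked, which is the least-privilege outcome the three policies are meant to express.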
```
# cat deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  # no "to:" entry, so port 53 is allowed to any destination (CoreDNS lives in kube-system)
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
```

3.3. Based on namespaceSelector: allow pods with the backend label to access applications in namespaces that match a namespace label
About namespace labels (none are created by default when a namespace is made; you can add your own):