【云原生 | Kubernetes 系列】Networkpolicy实验9则
- linux ns部署nginx和tomcat,并让nginx可以将来自于/app的请求转发至当前ns的tomcat pod
- python ns部署nginx和tomcat,并让nginx可以将来自于/app的请求转发至当前ns的tomcat pod
- 测试容器(创建多个pod用于后期不同节点进行测试)
1. 环境准备
1.1 创建ns并加label
root@k8s-master-01:~# kubectl create ns linux
namespace/linux created
root@k8s-master-01:~# kubectl create ns python
namespace/python created
root@k8s-master-01:~# kubectl label ns linux nsname=linux
namespace/linux labeled
root@k8s-master-01:~# kubectl label ns python nsname=python
namespace/python labeled
创建3个测试pod,ns分别是default、linux、python(后面分别作为"其他ns"、"linux ns"、"同ns无标签pod"三种来源的测试客户端)
root@k8s-master-01:~# kubectl run test-centos-pod --image=harbor.intra.com/baseimages/centos-base:7.9.2009 sleep 100000000 -n linux
pod/test-centos-pod created
root@k8s-master-01:~# kubectl run test-centos-pod --image=harbor.intra.com/baseimages/centos-base:7.9.2009 sleep 100000000 -n python
pod/test-centos-pod created
root@k8s-master-01:~# kubectl run test-centos-pod --image=harbor.intra.com/baseimages/centos-base:7.9.2009 sleep 100000000
pod/test-centos-pod created
1.2 创建linux pods
创建linux 的nginx和tomcat pod
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/linux-ns1# kubectl apply -f .
deployment.apps/linux-nginx-deployment created
service/linux-nginx-service created
deployment.apps/linux-tomcat-app1-deployment created
service/linux-tomcat-app1-service created
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/linux-ns1# kubectl get pods -n linux
NAME READY STATUS RESTARTS AGE
linux-nginx-deployment-5cd9566d7f-rrd98 1/1 Running 0 89s
linux-tomcat-app1-deployment-6f8864d5d9-trdh9 1/1 Running 0 89s
test-centos-pod 1/1 Running 0 118s
配置tomcat
# kubectl exec -it linux-tomcat-app1-deployment-6f8864d5d9-trdh9 -n linux bash
root@linux-tomcat-app1-deployment-6f8864d5d9-trdh9:/usr/local/tomcat# cd webapps
root@linux-tomcat-app1-deployment-6f8864d5d9-trdh9:/usr/local/tomcat/webapps# mkdir app
root@linux-tomcat-app1-deployment-6f8864d5d9-trdh9:/usr/local/tomcat/webapps# echo "linux app in tomcat" >> app/index.jsp
## 访问测试
root@k8s-master-01:~# curl http://192.168.31.113:30005/app/
linux app in tomcat
配置nginx
root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 -n linux sh
## ping通tomcat的svc
/ # ping linux-tomcat-app1-service.linux.svc.magedu.local -c 1
PING linux-tomcat-app1-service.linux.svc.magedu.local (10.200.60.176): 56 data bytes
64 bytes from 10.200.60.176: seq=0 ttl=64 time=0.031 ms
--- linux-tomcat-app1-service.linux.svc.magedu.local ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.031/0.031/0.031 ms
## 修改nginx的配置文件
/ # vi /etc/nginx/conf.d/default.conf
## 追加以下行
location /app {
    # proxy_pass has no URI part, so the original request URI (/app/...) is forwarded
    # unchanged to the tomcat Service, which serves it from webapps/app/ (created above).
    proxy_pass http://linux-tomcat-app1-service.linux.svc.magedu.local;
}
## 重启nginx
/ # nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/ # nginx -s reload
2022/08/17 04:59:08 [notice] 55#55: signal process started
## 测试访问nginx
root@k8s-master-01:~# curl 192.168.31.113:30004/app/
linux app in tomcat
1.3 创建python pods
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f nginx.yaml -f tomcat.yaml
deployment.apps/python-nginx-deployment created
service/python-nginx-service created
deployment.apps/python-tomcat-app1-deployment created
service/python-tomcat-app1-service created
为了不让这两个ns在一个node上可以先给linux的node打上cordon,运行起来后再uncordon
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get pods -n python -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
python-nginx-deployment-7bbc6bf578-bntx4 1/1 Running 0 5m27s 172.100.76.175 192.168.31.113 <none> <none>
python-tomcat-app1-deployment-6b795c66d5-bp55c 1/1 Running 0 5m26s 172.100.76.176 192.168.31.113 <none> <none>
test-centos-pod 1/1 Running 0 2m50s 172.100.140.70 192.168.31.112 <none> <none>
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get pods -n linux -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
linux-nginx-deployment-5cd9566d7f-rrd98 1/1 Running 0 91m 172.100.109.124 192.168.31.111 <none> <none>
linux-tomcat-app1-deployment-6f8864d5d9-trdh9 1/1 Running 0 91m 172.100.109.125 192.168.31.111 <none> <none>
test-centos-pod 1/1 Running 0 91m 172.100.109.123 192.168.31.111 <none> <none>
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2#
准备python的两个环境
root@k8s-master-01:~# kubectl exec -it python-tomcat-app1-deployment-6b795c66d5-bp55c -n python bash
root@python-tomcat-app1-deployment-6b795c66d5-bp55c:/usr/local/tomcat/webapps# mkdir app
root@python-tomcat-app1-deployment-6b795c66d5-bp55c:/usr/local/tomcat/webapps# echo "python app in tomcat" >> app/index.jsp
## 测试python的tomcat
root@k8s-master-01:~# curl 192.168.31.113:30015/app/
python app in tomcat
## 修改nginx配置
/ # vi /etc/nginx/conf.d/default.conf
## 追加以下内容
location /app {
    # No URI part on proxy_pass: the request URI (/app/...) is passed through as-is to the
    # python tomcat Service; tomcat answers from webapps/app/index.jsp created above.
    proxy_pass http://python-tomcat-app1-service.python.svc.magedu.local;
}
## 重启服务
/ # nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/ # nginx -s reload
2022/08/17 05:18:35 [notice] 44#44: signal process started
## 测试访问nginx
root@k8s-master-01:~# curl 192.168.31.113:30014/app/
python app in tomcat
2. NetworkPolicy实验
默认情况下(没有任何 NetworkPolicy 时)集群内所有 pod 之间是全通的,例如 ns linux 下的 nginx 可以直接访问 ns python 的 tomcat。下面的实验都依赖集群 CNI 支持并执行 NetworkPolicy(如 Calico、Cilium),不支持的 CNI 会接受策略对象但不会生效。
root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 -n linux sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
## 全称
/ # curl python-tomcat-app1-service.python.svc.magedu.local/app/index.jsp
python app in tomcat
## 缩写
/ # curl python-tomcat-app1-service.python/app/index.jsp
python app in tomcat
2.1 case1 Ingress 以pod为单位,只允许同ns下特定pod访问
- 不允许其他namespace访问tomcat pod
- 如果不是明确允许的pod,即使在同一个ns也访问不了
- 不允许从宿主机访问pod
- 只允许同ns拥有特定标签的pod访问目标
只允许namespace为python、标签为 python-nginx-selector 的pod访问标签为 python-tomcat-app1-selector 的pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python           # a NetworkPolicy is namespaced: it can only select pods in "python"
spec:
  policyTypes:
  - Ingress                   # only inbound traffic to the selected pods is restricted; their egress is untouched
  podSelector:
    matchLabels:
      app: python-tomcat-app1-selector   # target pods: the rules below are applied to these
  ingress:                    # allow-list; inbound traffic not matched by any rule here is dropped
  - from:
    - podSelector:            # source pods, matched in the policy's own namespace (python) only;
        matchLabels:          # pods in other namespaces, nodes and NodePort clients are denied (see tests)
          app: python-nginx-selector
          #project: "python"
    # no "ports" given: all ports and protocols (TCP/UDP/SCTP) are allowed from the matched sources
效果:
创建完后会在ns下生成一个networkpolicy
root@k8s-master-01:~# kubectl get networkpolicies.networking.k8s.io -n python
NAME POD-SELECTOR AGE
tomcat-access--networkpolicy app=python-tomcat-app1-selector 6m14s
root@k8s-master-01:~# kubectl describe networkpolicies.networking.k8s.io tomcat-access--networkpolicy -n python
Name: tomcat-access--networkpolicy
Namespace: python
Created on: 2022-08-17 13:40:48 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=python-tomcat-app1-selector
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
PodSelector: app=python-nginx-selector
Not affecting egress traffic
Policy Types: Ingress
同namespace的nginx访问允许
root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # ping python-tomcat-app1-service.python.svc.magedu.local
PING python-tomcat-app1-service.python.svc.magedu.local (10.200.232.133): 56 data bytes
64 bytes from 10.200.232.133: seq=0 ttl=64 time=0.282 ms
同namespace无标签的centos访问被拒绝(注意:下面的 exec 没有带命令直接报错,随后的 ping 实际是在 master 宿主机上执行的,失败原因是宿主机解析不了集群内 Service 域名,并不能证明策略生效;正确做法是进入 test-centos-pod 后 curl tomcat pod IP:8080,见 case2)
root@k8s-master-01:~# kubectl exec -it test-centos-pod -n python
error: you must specify at least one command for the container
root@k8s-master-01:~# ping python-tomcat-app1-service.python.svc.magedu.local -c 1
ping: python-tomcat-app1-service.python.svc.magedu.local: Temporary failure in name resolution
root@k8s-master-01:~#
不同ns的nginx访问被拒绝(注意:下面 exec 指定的 pod 名不存在,ping 同样是在宿主机上执行并因域名解析失败而报错,不是策略拒绝的证据;应 exec 进入 linux-nginx-deployment-5cd9566d7f-rrd98 后 curl tomcat pod IP:8080,见 case2)
root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-7bbc6bf578-bntx4 -n linux sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Error from server (NotFound): pods "linux-nginx-deployment-7bbc6bf578-bntx4" not found
root@k8s-master-01:~# ping python-tomcat-app1-service.python.svc.magedu.local
ping: python-tomcat-app1-service.python.svc.magedu.local: Temporary failure in name
通过主机访问被拒绝
root@k8s-master-01:~# curl 192.168.31.113:30015/app/
curl: (7) Failed to connect to 192.168.31.113 port 30015: Connection timed out
通过nginx跳转tomcat访问允许:NodePort 30014 到达的是带 python-nginx-selector 标签的 nginx pod,再由它转发到 tomcat,源 pod 在白名单内所以放通。这意味着 nginx 成了进入 tomcat 的唯一入口,nginx 自身的访问控制决定了谁能间接访问 tomcat。
root@k8s-master-01:~# curl 192.168.31.113:30014/app/
python app in tomcat
删除规则以免后续互相影响
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl delete -f case1-ingress-podSelector.yaml
networkpolicy.networking.k8s.io "tomcat-access--networkpolicy" deleted
2.2 case2 Ingress 以pod为单位,只允许同ns下特定pod访问特定端口
相对上一题,多了个端口限制
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      app: python-tomcat-app1-selector   # target pods
  ingress:
  - from:
    - podSelector:            # source pods, same namespace (python) only
        matchLabels:
          app: python-nginx-selector
          #project: "python"
    ports:                    # "from" and "ports" in one rule are AND-ed: the allowed source may only
    - protocol: TCP           # reach these destination ports; omit "ports" to allow all ports and protocols
      port: 8080              # tomcat; every other port on the target pod is denied, even to the allowed source
生效并查看networkpolicy规则
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case2-ingress-podSelector-ns-SinglePort.yaml
networkpolicy.networking.k8s.io/tomcat-access--networkpolicy created
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
NAME POD-SELECTOR AGE
tomcat-access--networkpolicy app=python-tomcat-app1-selector 10s
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
Name: tomcat-access--networkpolicy
Namespace: python
Created on: 2022-08-17 14:06:11 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=python-tomcat-app1-selector
Allowing ingress traffic:
To Port: 8080/TCP
From:
PodSelector: app=python-nginx-selector
Not affecting egress traffic
Policy Types: Ingress
ns python,pod nginx访问允许
root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.76.176:8080/app/
python app in tomcat
ns python,pod centos访问拒绝
root@k8s-master-01:~# kubectl exec -it test-centos-pod -n python bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[root@test-centos-pod /]# curl 172.100.76.176:8080/app/
curl: (7) Failed connect to 172.100.76.176:8080; Connection timed out
ns linux,pod nginx访问拒绝
root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 sh -n linux
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.76.176:8080/app/
curl: (28) Failed to connect to 172.100.76.176 port 8080 after 129941 ms: Operation timed out
直接从node访问被拒绝(注意:下面的提示符是 test-centos-pod,实际是重复了上一条 pod 内的测试,并不是从 node 执行;从 node 直接 curl pod IP 的例子见 case6 末尾)
[root@test-centos-pod /]# curl 172.100.76.176:8080/app/
curl: (7) Failed connect to 172.100.76.176:8080; Connection timed out
2.3 case3 Ingress 以pod为单位,只允许同ns下特定pod访问多个特定端口
相对上一题,允许访问的端口多一点
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      app: python-tomcat-app1-selector   # target pods
  ingress:
  - from:
    - podSelector:            # source pods, same namespace (python) only
        matchLabels:
          app: python-nginx-selector
    ports:                    # with "ports" present only these destination ports are allowed;
    - protocol: TCP           # omit "ports" to allow all ports and protocols (TCP/UDP/SCTP)
      port: 8080              # tomcat; the only port exercised by the test below
    - protocol: TCP
      port: 80                # nothing in this demo listens on 80/443 in the tomcat pod; harmless,
    - protocol: TCP           # but every extra allowed port widens the policy for no benefit
      port: 443
生效配置
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case3-ingress-podSelector-ns-MultiPort.yaml
networkpolicy.networking.k8s.io/tomcat-access--networkpolicy created
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
NAME POD-SELECTOR AGE
tomcat-access--networkpolicy app=python-tomcat-app1-selector 10s
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
Name: tomcat-access--networkpolicy
Namespace: python
Created on: 2022-08-17 14:17:47 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=python-tomcat-app1-selector
Allowing ingress traffic:
To Port: 8080/TCP
To Port: 80/TCP
To Port: 443/TCP
From:
PodSelector: <none>
Not affecting egress traffic
Policy Types: Ingress
效果:当前 ns 下的 pod 可以访问这三个端口,跨 ns 访问被拒绝。注意上面 describe 输出中 From 显示的是 `PodSelector: <none>`(即当前 ns 内所有 pod),与清单里的 `app: python-nginx-selector` 不一致,说明实际生效的清单 from 选择器为空;另外下面的测试三次都只访问了 8080,80/443 并未验证。
## python ns的pod
root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.76.176:8080/app/
python app in tomcat
/ # curl 172.100.76.176:8080/app/
python app in tomcat
/ # curl 172.100.76.176:8080/app/
python app in tomcat
## 非python ns的pod
root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 sh -n linux
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.76.176:8080/app/
curl: (28) Failed to connect to 172.100.76.176 port 8080 after 130380 ms: Operation timed out
2.4 case4 Ingress 以pod为单位,只允许同ns下的pod访问
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector:                # target pods
    matchLabels: {}           # empty selector: every pod in namespace python is a target
  ingress:
  - from:
    - podSelector:            # empty pod selector: any pod, but ONLY pods of this namespace (python);
        matchLabels: {}       # other namespaces, nodes and external clients are still denied.
                              # Do not confuse with omitting "from" (or "ingress: [{}]"), which allows ALL sources.
效果和上题类似,但上题只放通了 3 个端口,这里没有指定 ports,所以目标 pod 上所有打开的端口都能被同 ns 下的 pod 访问,跨 ns 则被拒绝。注意 `from` 中的 `podSelector: {}` 只匹配本 ns 的 pod;如果把 `from` 整个省略(或写成 `ingress: - {}`),则等于放通所有来源(包括其他 ns 和集群外),两者含义完全不同。
## python ns的pod
root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.76.176:8080/app/
python app in tomcat
## 非python ns的pod
root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 sh -n linux
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.76.176:8080/app/
curl: (28) Failed to connect to 172.100.76.176 port 8080 after 130380 ms: Operation timed out
2.5 case5 Ingress ipBlock白名单
- 只要源 IP 在 cidr 白名单内且不在 except 中,就允许访问指定端口
- 这里的 172.100.0.0/16 就是本集群的 pod 网段(见上面 pod IP),所以只配置 ipBlock 时,其他 namespace 中不在 except 范围的 pod 也可以访问目标 pod——ipBlock 没有 namespace 边界
- 注意:pod IP 是临时分配的,pod 重建后会变化,用 except 排除单个 pod IP 不是可靠的控制手段;ipBlock 更适合描述集群外的地址段,集群内来源应优先使用 podSelector/namespaceSelector
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector:                # target pods
    matchLabels:
      app: python-tomcat-app1-selector
  ingress:
  - from:
    # - podSelector:          # (disabled) an empty podSelector here would mean "any pod in this namespace"
    #     matchLabels: {}
    - ipBlock:
        cidr: 172.100.0.0/16  # allow-list by source IP. This is the cluster's pod CIDR (pod IPs above are
                              # 172.100.x.x), so every pod in every namespace is admitted: ipBlock has no
                              # namespace boundary. Pod IPs are ephemeral; ipBlock is meant for cluster-
                              # external ranges, in-cluster sources should use pod/namespace selectors.
        except:
        - 172.100.109.123/32  # source IP inside the CIDR that is denied (linux/test-centos-pod at the time
                              # of writing; it changes as soon as that pod is rescheduled)
    ports:                    # only these destination ports; omit "ports" to allow all ports/protocols
    - protocol: TCP
      port: 8080              # tomcat
      #port: 80
    - protocol: TCP
      port: 3306              # no MySQL/Redis runs in this demo; 3306/6379 are listed for illustration only
    - protocol: TCP
      port: 6379
配置生效
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case5-ingress-ipBlock.yaml
networkpolicy.networking.k8s.io/tomcat-access--networkpolicy created
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
NAME POD-SELECTOR AGE
tomcat-access--networkpolicy app=python-tomcat-app1-selector 14s
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
Name: tomcat-access--networkpolicy
Namespace: python
Created on: 2022-08-17 15:01:55 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=python-tomcat-app1-selector
Allowing ingress traffic:
To Port: 8080/TCP
To Port: 3306/TCP
To Port: 6379/TCP
From:
IPBlock:
CIDR: 172.100.0.0/16
Except: 172.100.109.123/32
Not affecting egress traffic
Policy Types: Ingress
通过 ns python 下的 pod 可以访问;按 ipBlock 语义,ns default 和 linux 中的 pod 同样可以访问(下面只演示了 python 下的 nginx);ip 为 172.100.109.123 的 pod(linux ns 的 test-centos-pod)被 except 排除,无法访问
root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.76.176:8080/app/
python app in tomcat
## ip为172.100.109.123的pod无法访问
root@k8s-master-01:/# kubectl exec -it test-centos-pod bash -n linux
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[root@test-centos-pod /]# hostname -I
172.100.109.123
[root@test-centos-pod /]# curl 172.100.76.176:8080/app/
curl: (7) Failed connect to 172.100.76.176:8080; Connection timed out
2.6 case6 Ingress namespaceSelector,只允许特定的ns(这里是 linux 和 python)访问当前ns下所有pod的特定端口
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector:                # target pods
    matchLabels: {}           # empty selector: every pod in namespace python
  ingress:
  - from:                     # two entries in one "from" list are OR-ed: pods of either namespace may connect
    - namespaceSelector:
        matchLabels:
          nsname: linux       # "nsname" was added by hand in 1.1. Anyone with RBAC to label namespaces
    - namespaceSelector:      # can label a new namespace nsname=linux and be admitted. The API-server-
        matchLabels:          # managed kubernetes.io/metadata.name label (see "describe ns" below) is kept
          nsname: python      # in sync by the server and cannot be edited, so it is the safer selector key.
    ports:                    # only these destination ports (on any pod of namespace python)
    - protocol: TCP
      port: 8080
    - protocol: TCP
      port: 3306              # 3306/6379: nothing listens on them in this demo
    - protocol: TCP
      port: 6379
配置生效
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case6-ingress-namespaceSelector.yaml
networkpolicy.networking.k8s.io/tomcat-access--networkpolicy created
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
NAME POD-SELECTOR AGE
tomcat-access--networkpolicy <none> 20s
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
Name: tomcat-access--networkpolicy
Namespace: python
Created on: 2022-08-17 15:19:54 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
To Port: 8080/TCP
To Port: 3306/TCP
To Port: 6379/TCP
From:
NamespaceSelector: nsname=linux
From:
NamespaceSelector: nsname=python
Not affecting egress traffic
Policy Types: Ingress
## namespace的标签一定要对,否则就会失败。另外注意 nsname 是 1.1 中手工打的标签,有权限修改 namespace 标签的人给任意 ns 打上 nsname=linux 就能获得访问权;生产中建议用下面 describe 输出里由 API Server 自动维护、用户不能修改的 kubernetes.io/metadata.name 标签来选择 namespace
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe ns linux
Name: linux
Labels: kubernetes.io/metadata.name=linux
nsname=linux
Annotations: <none>
Status: Active
No resource quota.
No LimitRange resource.
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe ns python
Name: python
Labels: kubernetes.io/metadata.name=python
nsname=python
Annotations: <none>
Status: Active
No resource quota.
No LimitRange resource.
linux和python ns的pod访问被允许,其他pod访问被拒绝
## linux ns的pod访问允许
root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 sh -n linux
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.76.176:8080/app/
python app in tomcat
## python ns的pod访问被允许
root@k8s-master-01:~# kubectl exec -it test-centos-pod -n python bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[root@test-centos-pod /]# curl 172.100.76.176:8080/app/
python app in tomcat
## 其他ns的访问拒绝
root@k8s-master-01:~# kubectl exec -it test-centos-pod bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[root@test-centos-pod /]# curl 172.100.76.176:8080/app/
curl: (7) Failed connect to 172.100.76.176:8080; Connection timed out
## node直接访问也拒绝
root@k8s-master-01:/# curl 172.100.76.176:8080/app/
curl: (7) Failed to connect to 172.100.76.176 port 8080: Connection timed out
2.7 Egress 出口方向限制目的IP和端口
- 基于Egress白名单,定义ns中匹配成功的pod只能访问ipBlock指定的地址和ports指定的端口。注意本例的 172.100.0.0/16 就是整个 pod 网段,等于放通到集群内任意 namespace 的 pod(仅限所列端口)
- 匹配成功的pod访问未明确定义在Egress的白名单的其他IP的请求,将拒绝
- 没有匹配成功的源Pod,主动发起的出口访问请求不受影响.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-access-networkpolicy
  namespace: python
spec:
  policyTypes:
  - Egress                    # only OUTBOUND traffic of the selected pods is restricted; their ingress is untouched
  podSelector:                # source pods whose egress is limited
    matchLabels:
      app: python-tomcat-app1-selector   # tomcat pods in namespace python
  egress:
  - to:                       # OR-ed destinations
    - ipBlock:
        cidr: 172.100.0.0/16  # the pod network (pod IPs in this cluster are 172.100.x.x): every pod in every namespace
    - ipBlock:
        cidr: 192.168.31.111/32   # one node IP (used to reach NodePort 30014 in the test)
    ports:                    # AND-ed with "to": only these destination ports on the addresses above
    - protocol: TCP
      port: 80                # linux nginx (172.100.109.124:80 in the test)
    - protocol: TCP
      port: 30014             # python nginx NodePort on the node above
    - protocol: UDP
      port: 53                # NOTE: Service ClusterIPs (10.200.x.x) are in neither CIDR; whether DNS via the
                              # kube-dns ClusterIP still works depends on the CNI evaluating policy after
                              # DNAT to the CoreDNS pod IP - not exercised by the test (it uses raw IPs)
配置生效
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case7-Egress-ipBlock.yaml
networkpolicy.networking.k8s.io/egress-access-networkpolicy created
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
NAME POD-SELECTOR AGE
egress-access-networkpolicy app=python-tomcat-app1-selector 2m55s
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
Name: egress-access-networkpolicy
Namespace: python
Created on: 2022-08-17 15:47:32 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=python-tomcat-app1-selector
Not affecting ingress traffic
Allowing egress traffic:
To Port: 80/TCP
To Port: 30014/TCP
To Port: 53/UDP
To:
IPBlock:
CIDR: 172.100.0.0/16
Except:
To:
IPBlock:
CIDR: 192.168.31.111/32
Except:
Policy Types: Egress
测试(下面只验证了被放通的两条路径,没有验证不在白名单内的目的地址确实被拒绝;完整的验证应再 curl 一个白名单外的 IP 或端口确认超时)
root@python-tomcat-app1-deployment-6b795c66d5-bp55c:/usr/local/tomcat# curl 172.100.109.124/app/
linux app in tomcat
root@python-tomcat-app1-deployment-6b795c66d5-bp55c:/usr/local/tomcat# curl 192.168.31.111:30014/app/
python app in tomcat
2.8 Egress 出口方向限制目的Pod和端口
基于podSelector选择器,限制源pod只能访问指定的目的pod
- 匹配成功的源pod只能访问指定的目的pod的指定端口
- 其他没有被允许的出口请求将被禁止访问
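apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-access-networkpolicy
  namespace: python
spec:
  policyTypes:
  - Egress                    # only OUTBOUND traffic of the selected pods is restricted
  podSelector:                # source pods whose egress is limited
    matchLabels:
      app: python-nginx-selector   # nginx pods in namespace python
  egress:
  # Rule 1: application traffic - only tomcat pods in THIS namespace, only TCP/8080.
  - to:
    - podSelector:            # destination pods, matched in namespace python only
        matchLabels:
          app: python-tomcat-app1-selector
    ports:                    # AND-ed with "to"
    - protocol: TCP
      port: 8080              # tomcat
  # Rule 2: DNS. "to" and "ports" inside one rule are AND-ed, so putting port 53 into rule 1 only
  # allowed DNS *to the tomcat pods* and name resolution broke ("Could not resolve host" in the
  # test). DNS therefore needs its own rule aimed at the namespace where cluster DNS runs
  # (kube-system by default - confirm with `kubectl get pods -n kube-system`). The
  # kubernetes.io/metadata.name label is maintained by the API server (see "describe ns" above).
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53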
生效配置
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case8-Egress-PodSelector.yaml
networkpolicy.networking.k8s.io/egress-access-networkpolicy created
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
NAME POD-SELECTOR AGE
egress-access-networkpolicy app=python-nginx-selector 15s
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
Name: egress-access-networkpolicy
Namespace: python
Created on: 2022-08-17 15:59:43 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=python-nginx-selector
Not affecting ingress traffic
Allowing egress traffic:
To Port: 8080/TCP
To Port: 53/TCP
To Port: 53/UDP
To:
PodSelector: app=python-tomcat-app1-selector
Policy Types: Egress
此时 ns python 下的 nginx 只能访问同 ns 下带 python-tomcat-app1-selector 标签的 pod 的 8080 端口。注意下面 www.baidu.com 解析失败:同一条 egress 规则里 `to` 和 `ports` 是 AND 关系,53 端口只对 tomcat pod 放通,并没有放通到集群 DNS(通常在 kube-system);要让 DNS 可用,需要单独加一条 to 为 kube-system namespace、端口 53 UDP/TCP 的规则。nginx 在加载配置时已经解析过 proxy_pass 的域名,所以现有转发暂时不受影响,但 nginx 重启后将因解析失败而无法启动。
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 sh -n python
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.109.124
^C
/ # curl 172.100.109.124/app/
^C
/ # curl 172.100.76.176:8080/app/
python app in tomcat
/ # curl www.baidu.com
curl: (6) Could not resolve host: www.baidu.com
2.9 Egress 只允许特定的Pod访问特定的NS的特定端口
允许 ns python 中带 python-nginx-selector 标签的 pod(Egress 方向)访问 linux 和 python 两个 ns 中任意 pod 的 8080 端口;与 case8 一样,53 端口只对这两个 ns 放通,集群 DNS 若不在其中则解析仍不可用
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-access-networkpolicy
  namespace: python
spec:
  policyTypes:
  - Egress                    # only OUTBOUND traffic of the selected pods is restricted
  podSelector:                # source pods whose egress is limited
    matchLabels:
      app: python-nginx-selector   # nginx pods in namespace python
  egress:
  - to:                       # OR-ed destinations: any pod in either namespace
    - namespaceSelector:
        matchLabels:
          nsname: python      # user-set label (see 1.1); kubernetes.io/metadata.name is the safer key
    - namespaceSelector:
        matchLabels:
          nsname: linux
    ports:                    # AND-ed with "to": only these ports on pods of those namespaces
    - protocol: TCP
      port: 8080              # tomcat; port 80 on the linux nginx pod times out in the test below
    - protocol: TCP
      port: 53                # NOTE: this does not enable DNS by itself - 53 is only allowed to pods in
    - protocol: UDP           # ns python/linux. Cluster DNS normally runs in kube-system and would need
      port: 53                # its own "to: namespaceSelector" rule (case8 shows the resulting failure)
部署
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case9-Egress-namespaceSelector.yaml
networkpolicy.networking.k8s.io/egress-access-networkpolicy created
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
NAME POD-SELECTOR AGE
egress-access-networkpolicy app=python-nginx-selector 18s
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
Name: egress-access-networkpolicy
Namespace: python
Created on: 2022-08-17 16:13:15 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=python-nginx-selector
Not affecting ingress traffic
Allowing egress traffic:
To Port: 8080/TCP
To Port: 53/TCP
To Port: 53/UDP
To:
NamespaceSelector: nsname=python
To:
NamespaceSelector: nsname=linux
Policy Types: Egress
测试
root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 sh -n python
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 172.100.76.176:8080/app/
python app in tomcat
/ # curl 172.100.109.125:8080/app/
linux app in tomcat
/ # curl 172.100.109.124/app/
curl: (28) Failed to connect to 172.100.109.124 port 80 after 129999 ms: Operation timed out
至此9种不同的情况已经实现,实际工作中会互相嵌套使用。两点提醒:NetworkPolicy 只是声明,必须由支持它的 CNI(如 Calico、Cilium)落地执行,不支持的 CNI 会接受对象但不生效;生产中建议先给每个 namespace 下发一条 default-deny 基线策略(空 podSelector、policyTypes 含 Ingress 和 Egress、不写任何规则),再按需放通,避免像第 2 节开头那样默认全通。