k8s - Network policy configuration
1. NetworkPolicy
NetworkPolicy is a standard resource type in the Kubernetes API. It is defined over a set of pods and holds the rules that control the traffic entering (Ingress) and leaving (Egress) those pods.
Important concepts in the NetworkPolicy resource:
Pod group: the set of pods chosen by podSelector through a matchLabels or matchExpressions label selector, i.e. the pods the policy takes effect on
Ingress: the policy for traffic entering the pods; it can define source endpoints (spec.ingress.from) and destination ports (spec.ingress.ports)
Egress: the policy for traffic leaving the pods; it can define destination endpoints (spec.egress.to) and destination ports (spec.egress.ports)
Endpoints (to, from): can be defined through a namespace selector or an ipBlock
1.1. Experiment
Manifests for namespace demov10:
kind: Namespace
apiVersion: v1
metadata:
  name: demov10
  namespace: demov10
  labels:
    project: demov10
---
kind: Service
apiVersion: v1
metadata:
  name: demov10
  namespace: demov10
spec:
  selector:
    app: demov10
  ports:
  - name: demov10
    port: 80
    targetPort: 80
    protocol: TCP
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: demov10
  namespace: demov10
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demov10
  template:
    metadata:
      name: demov10
      namespace: demov10
      labels:
        app: demov10
    spec:
      containers:
      - name: demov10
        image: ikubernetes/demoapp:v1.0
        imagePullPolicy: Always
        ports:
        - name: demov10
          containerPort: 80
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 50m
            memory: 50Mi
Manifests for namespace demov11:
kind: Namespace
apiVersion: v1
metadata:
  name: demov11
  namespace: demov11
  labels:
    project: demov11
---
kind: Service
apiVersion: v1
metadata:
  name: demov11
  namespace: demov11
spec:
  selector:
    app: demov11
  ports:
  - name: demov11
    port: 80
    targetPort: 80
    protocol: TCP
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: demov11
  namespace: demov11
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demov11
  template:
    metadata:
      name: demov11
      namespace: demov11
      labels:
        app: demov11
    spec:
      containers:
      - name: demov11
        image: ikubernetes/demoapp:v1.1
        imagePullPolicy: Always
        ports:
        - name: demov11
          containerPort: 80
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 50m
            memory: 50Mi
1.1.1. Set a policy so that, for the pods in the demov10 namespace:
ingress: only pods in the same namespace can reach them
egress: they can reach the external network
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allown
  namespace: demov10
spec:
  podSelector:            # select the pods by label
    matchLabels:
      app: demov10
  policyTypes: ["Ingress","Egress"]
  ingress:
  # - from:
  #   - namespaceSelector:
  #       matchLabels:
  #         project: demov10
  #   - ipBlock:
  #       cidr: 10.200.0.0/24
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: project
          operator: In
          values: ["demov10"]   # only traffic from pods in this namespace may enter the pods
    ports:
    - protocol: TCP
      port: 80                  # only port 80 is exposed
  egress:
  - to:
    - namespaceSelector:
        matchExpressions:
        - key: project
          operator: In
          values: ["demov10"]   # allow access to the pods in this namespace
    - ipBlock:
        except:
        - 10.200.0.0/16         # deny access to the cluster pod CIDR
        cidr: 0.0.0.0/0
  - to:
    - ipBlock:
        cidr: 10.200.0.0/16
    ports:
    - protocol: UDP
      port: 53                  # allow the DNS service inside the pod CIDR
Verification (the original post shows terminal screenshots at this point; they are not reproduced here):
demov10: [screenshot of the demov10 pods]
demov11: [screenshot of the demov11 pods]
Access from the pods in demov11 to the demov10 pods: every request fails
Access from the node fails as well
1.2. Isolating namespaces
In general the namespaces should be isolated from each other, but requests from pods inside the namespace, from the namespaces dedicated to the cluster's management applications (for example kube-system and kubernetes-dashboard) and from the DNS service should normally still be allowed. For example, create a default policy for demov10:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default             # policy name
  namespace: demov10        # namespace in which it takes effect
spec:
  podSelector: {}           # pods it applies to; {} means all of them
  policyTypes: ["Ingress","Egress"]   # policy types
  ingress:                  # inbound traffic
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values: [demov10,demov11,kube-system,logs,monitoring,kubernetes-dashboard]
  egress:                   # outbound traffic
  - to:
    - namespaceSelector:
        matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values: ["demov10"]
  - to:
    ports:
    - protocol: UDP
      port: 53
  - to:                     # to the apiserver
    - ipBlock:
        cidr: 10.0.2.200/32
    ports:
    - protocol: TCP
      port: 6443
One problem came up during the experiment: when configuring the egress rule to the apiserver, using namespaceSelector.podSelector together with ports to allow 6443 never succeeded, so the example uses ipBlock instead.
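To check what the "allown" policy from section 1.1.1 and the "default" policy from this section actually permit without a cluster, here is an added Python example (not code from the original post) that models the upstream NetworkPolicy semantics: a pod is isolated in a direction only when at least one policy selects it, an empty from/to or ports list matches everything, and the allowed traffic is the union over every policy that selects the pod. The two policies are transcribed into dicts; the pod names, pod IPs and the kube-system namespace labels are constructed assumptions, and anything a CNI plugin adds on top of the standard API is ignored.

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (added example)."""
import ipaddress

# Constructed cluster state: pod names/IPs are made up inside the 10.200.0.0/16 pod
# CIDR used by the policies; kubernetes.io/metadata.name is set by the API server.
NAMESPACES = {
    "demov10": {"project": "demov10", "kubernetes.io/metadata.name": "demov10"},
    "demov11": {"project": "demov11", "kubernetes.io/metadata.name": "demov11"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}
PODS = {  # name -> (namespace, labels, ip)
    "v10-a": ("demov10", {"app": "demov10"}, "10.200.1.10"),
    "v10-b": ("demov10", {"app": "demov10"}, "10.200.1.11"),
    "v11-a": ("demov11", {"app": "demov11"}, "10.200.2.10"),
    "coredns": ("kube-system", {"k8s-app": "kube-dns"}, "10.200.0.5"),
}

def ns_in(key, *values):  # namespaceSelector with a single 'In' matchExpression
    return {"namespaceSelector": {"matchExpressions": [
        {"key": key, "operator": "In", "values": list(values)}]}}

# "allown" (section 1.1.1) and "default" (section 1.2) transcribed from the YAML above.
ALLOWN = {
    "namespace": "demov10", "policyTypes": ["Ingress", "Egress"],
    "podSelector": {"matchLabels": {"app": "demov10"}},
    "ingress": [{"from": [ns_in("project", "demov10")],
                 "ports": [{"protocol": "TCP", "port": 80}]}],
    "egress": [
        {"to": [ns_in("project", "demov10"),
                {"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.200.0.0/16"]}}]},
        {"to": [{"ipBlock": {"cidr": "10.200.0.0/16"}}],
         "ports": [{"protocol": "UDP", "port": 53}]},
    ],
}
DEFAULT = {
    "namespace": "demov10", "policyTypes": ["Ingress", "Egress"],
    "podSelector": {},  # {} selects every pod in the namespace
    "ingress": [{"from": [ns_in("kubernetes.io/metadata.name", "demov10", "demov11",
                                "kube-system", "logs", "monitoring", "kubernetes-dashboard")]}],
    "egress": [
        {"to": [ns_in("kubernetes.io/metadata.name", "demov10")]},
        {"to": None, "ports": [{"protocol": "UDP", "port": 53}]},  # "- to:" with no peers
        {"to": [{"ipBlock": {"cidr": "10.0.2.200/32"}}],
         "ports": [{"protocol": "TCP", "port": 6443}]},
    ],
}

def selector_matches(selector, labels):
    """Label selector semantics: {} matches everything; every term must hold."""
    for k, v in (selector.get("matchLabels") or {}).items():
        if labels.get(k) != v:
            return False
    for e in selector.get("matchExpressions") or []:
        key, vals = e["key"], e.get("values") or []
        ok = {"In": labels.get(key) in vals, "NotIn": labels.get(key) not in vals,
              "Exists": key in labels, "DoesNotExist": key not in labels}[e["operator"]]
        if not ok:
            return False
    return True

def peer_matches(peer, policy_ns, other):
    """`other` is a pod name from PODS, or a plain IP string for non-pod traffic."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(PODS[other][2] if other in PODS else other)
        blk = peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(x) for x in blk.get("except") or [])
    if other not in PODS:  # namespace/pod selectors never match non-pod endpoints
        return False
    ns, labels, _ = PODS[other]
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACES[ns]):
            return False
    elif ns != policy_ns:  # a bare podSelector is scoped to the policy's own namespace
        return False
    return selector_matches(peer.get("podSelector") or {}, labels)

def rule_matches(rule, peer_key, policy_ns, other, protocol, port):
    peers = rule.get(peer_key) or []  # empty/missing from/to means any endpoint
    if peers and not any(peer_matches(p, policy_ns, other) for p in peers):
        return False
    ports = rule.get("ports") or []  # empty/missing ports means any port
    return not ports or any((p.get("protocol") or "TCP") == protocol
                            and p.get("port") in (None, port) for p in ports)

def allowed(policies, direction, pod, other, protocol, port):
    """direction 'Ingress': other -> pod; 'Egress': pod -> other. Returns a bool."""
    ns, labels, _ = PODS[pod]
    applicable = [p for p in policies if p["namespace"] == ns and direction
                  in p["policyTypes"] and selector_matches(p["podSelector"], labels)]
    if not applicable:
        return True  # no policy selects the pod in this direction: it is not isolated
    key = "from" if direction == "Ingress" else "to"
    # Policies are additive: traffic passes if any rule of any applicable policy allows it.
    return any(rule_matches(r, key, p["namespace"], other, protocol, port)
               for p in applicable for r in p.get(direction.lower()) or [])

if __name__ == "__main__":  # decision matrix for a few constructed flows
    for name, pols in (("allown", [ALLOWN]), ("default", [DEFAULT]), ("both", [ALLOWN, DEFAULT])):
        for c in [("Ingress", "v10-a", "v11-a", "TCP", 80), ("Egress", "v10-a", "8.8.8.8", "TCP", 443),
                  ("Egress", "v10-a", "v11-a", "TCP", 80), ("Egress", "v10-a", "coredns", "UDP", 53)]:
            print(f"{name:8} {c[0]:8} {c[1]} {c[2]} {c[4]}/{c[3]}: {'allow' if allowed(pols, *c) else 'deny'}")
```

Running it reproduces what the screenshots in 1.1.1 illustrate: a demov11 pod is denied TCP/80 on a demov10 pod while a demov10 pod is allowed, and the demov10 pods can reach the internet but not other pods except DNS on UDP/53. It also surfaces one thing worth checking before applying the default policy next to allown: the default policy's ingress rule lists demov11 among the permitted namespaces, and because policies are additive a demov10 pod becomes reachable from demov11 again as soon as both policies exist in the namespace.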
2. GlobalNetworkPolicy
NetworkPolicy does not support cluster-wide operation; a policy can only be created for each namespace separately. GlobalNetworkPolicy (a Calico resource) is a network policy that applies to the whole cluster.
For example:
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: namespace-default
spec:
  order: 0.0   # policy order; the smaller the number, the earlier it is applied, and on conflict later policies override earlier ones
  namespaceSelector: name not in {"kube-system","kubernetes-dashboard","logs","monitoring"}   # namespaces it applies to; "not in" means every namespace except these
  types: ["Ingress","Egress"]
  ingress:
  - action: Allow   # action; Allow permits the traffic
    source:
      namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring"}   # source namespaces
  egress:
  - action: Allow   # allow all outbound traffic