Environment
| OS version | Kernel version | Docker version | Kubernetes version |
| --- | --- | --- | --- |
| 7.6.1810 | 4.19.12 | 19.03.13 | v1.18.18 |
$ cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
$ uname -r
4.19.12-1.el7.elrepo.x86_64
$ docker --version
Docker version 19.03.13, build 4484c46
$ kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master Ready <none> 7d22h v1.18.18
k8s-node01 Ready <none> 7d22h v1.18.18
k8s-node02 Ready <none> 7d22h v1.18.18
k8s-node03 Ready <none> 7d22h v1.18.18
This experiment follows the official Kubernetes documentation and the official Calico documentation.
The web namespace runs the application containers and the client namespace runs the test containers; the pods are running as follows:
$ kubectl get pod -n web -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
http-647dffb4db-vwxmf 1/1 Running 0 17s 20.0.58.213 k8s-node02 <none> <none>
nginx-5cd55947c-jfgpd 1/1 Running 1 6h8m 20.0.235.233 k8s-master <none> <none>
$ kubectl get pod -n client -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
busybox-5778d9f5ff-dsfxd 1/1 Running 1 5h50m 20.0.135.156 k8s-node03 <none> <none>
centos-6774cc9984-84wlh 1/1 Running 0 6m45s 20.0.85.222 k8s-node01 <none> <none>
Deny ingress from any pod to every pod in the web namespace; all of the experiments below build on this restriction.
$ cat > web-np-deny.yaml <<-EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-deny
  namespace: web
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
EOF
$ kubectl apply -f web-np-deny.yaml
networkpolicy.networking.k8s.io/web-deny created
Network policy categories
ipBlock
namespaceSelector
$ kubectl -n web exec -it nginx-5cd55947c-jfgpd -- curl --connect-time 3 http.web.svc.cluster.local
curl: (28) Connection timed out after 3001 milliseconds
command terminated with exit code 28
$ cat > web-np-web-allow.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow
  namespace: web
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: web
EOF
$ kubectl apply -f web-np-web-allow.yaml
networkpolicy.networking.k8s.io/web-allow created
$ kubectl -n web exec -it nginx-5cd55947c-jfgpd -- curl --connect-time 3 http.web.svc.cluster.local
<html><body><h1>It works!</h1></body></html>
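The two results above (timeout under web-deny, "It works!" once web-allow is added) follow from how NetworkPolicy ingress isolation is evaluated. The following is an added example, not code from the original post: a small offline evaluator of those semantics, with the page's two manifests written as dicts. It assumes the `web` namespace carries the label `role=web` (the post applies web-allow without showing that label being set) and that the `client` namespace does not.

```python
# Added example: minimal model of NetworkPolicy ingress evaluation
# (matchLabels only, no ipBlock/ports), fed with the page's two policies.

def selector_matches(selector, labels):
    """matchLabels semantics: an empty matchLabels (or {}) matches everything."""
    if selector is None:
        return False
    want = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in want.items())

def ingress_allowed(policies, src_ns, src_ns_labels, src_pod_labels,
                    dst_ns, dst_pod_labels):
    """True if ingress from the source pod to the destination pod is allowed."""
    # A pod is "isolated" for ingress once any Ingress policy in its namespace selects it.
    selecting = [p for p in policies
                 if p["namespace"] == dst_ns
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selector_matches(p["podSelector"], dst_pod_labels)]
    if not selecting:
        return True                      # not isolated: everything is allowed
    for p in selecting:                  # policies are additive: any match allows
        for rule in p.get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True              # a rule without 'from' allows all sources
            for peer in peers:
                ns_ok = pod_ok = True
                if "namespaceSelector" in peer:
                    ns_ok = selector_matches(peer["namespaceSelector"], src_ns_labels)
                if "podSelector" in peer:
                    pod_ok = selector_matches(peer["podSelector"], src_pod_labels)
                    if "namespaceSelector" not in peer:
                        ns_ok = src_ns == dst_ns   # bare podSelector = policy's own namespace
                if ns_ok and pod_ok:
                    return True
    return False                         # isolated and nothing allowed it

# The page's manifests, as dicts (web-deny has no ingress rules at all).
WEB_DENY = {"namespace": "web", "podSelector": {"matchLabels": {}},
            "policyTypes": ["Ingress"]}
WEB_ALLOW = {"namespace": "web", "podSelector": {"matchLabels": {}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "web"}}}]}]}
# Assumed namespace labels: the post does not show `kubectl label ns web role=web`.
NS_LABELS = {"web": {"role": "web"}, "client": {}}

def nginx_to_http(policies):   # nginx pod (web) -> http pod (web), the page's curl
    return ingress_allowed(policies, "web", NS_LABELS["web"], {"app": "nginx"},
                           "web", {"app": "http"})

def centos_to_http(policies):  # centos pod (client) -> http pod (web)
    return ingress_allowed(policies, "client", NS_LABELS["client"], {"app": "centos"},
                           "web", {"app": "http"})
```

With web-allow in place, the cross-namespace call from the client namespace is still denied, because the allow rule keys on the namespace label rather than on the pod, so a namespace that lacks `role=web` gets nothing.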