
k8s Network Policy

Environment

OS version   Kernel version   Docker version   Kubernetes version
7.6.1810     4.19.12          19.03.13         v1.18.18
$ cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
      
$ uname -r
4.19.12-1.el7.elrepo.x86_64
      
$ docker --version
Docker version 19.03.13, build 4484c46
      
$ kubectl get node
NAME         STATUS   ROLES    AGE     VERSION
k8s-master   Ready    <none>   7d22h   v1.18.18
k8s-node01   Ready    <none>   7d22h   v1.18.18
k8s-node02   Ready    <none>   7d22h   v1.18.18
k8s-node03   Ready    <none>   7d22h   v1.18.18
      

This experiment follows the Kubernetes official documentation and the Calico official documentation.

The web namespace runs the business containers and the client namespace runs the test containers; the pods currently running are listed below.

$ kubectl get pod -n web -owide 
NAME                    READY   STATUS    RESTARTS   AGE    IP             NODE         NOMINATED NODE   READINESS GATES
http-647dffb4db-vwxmf   1/1     Running   0          17s    20.0.58.213    k8s-node02   <none>           <none>
nginx-5cd55947c-jfgpd   1/1     Running   1          6h8m   20.0.235.233   k8s-master   <none>           <none>

$ kubectl get pod -n client -owide    
NAME                       READY   STATUS    RESTARTS   AGE     IP             NODE         NOMINATED NODE   READINESS GATES
busybox-5778d9f5ff-dsfxd   1/1     Running   1          5h50m   20.0.135.156   k8s-node03   <none>           <none>
centos-6774cc9984-84wlh    1/1     Running   0          6m45s   20.0.85.222    k8s-node01   <none>           <none>
      

First, deny ingress from any pod to every pod in the web namespace (a default-deny policy); all of the experiments below build on this restriction.

$ cat > web-np-deny.yaml <<-EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-deny
  namespace: web
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
EOF

$ kubectl apply -f web-np-deny.yaml
networkpolicy.networking.k8s.io/web-deny created
      

Network policy types

ipBlock

namespaceSelector

$  kubectl -n web exec -it nginx-5cd55947c-jfgpd -- curl --connect-time 3 http.web.svc.cluster.local
curl: (28) Connection timed out after 3001 milliseconds
command terminated with exit code 28

$ cat > web-np-web-allow.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow
  namespace: web
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: web
EOF

$ kubectl apply -f web-np-web-allow.yaml
networkpolicy.networking.k8s.io/web-allow created

$ kubectl -n web exec -it nginx-5cd55947c-jfgpd -- curl --connect-time 3 http.web.svc.cluster.local
<html><body><h1>It works!</h1></body></html>
      
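To make the rules behind the ipBlock, namespaceSelector and podSelector sections concrete, here is an added example (not code from the original post) that models how the policies applied above are evaluated: a pod selected by no policy accepts everything, a selecting policy with no ingress rules (web-deny) drops everything, and rules are ORed while fields inside one `from` element are ANDed. The namespace labels are an assumption, since the page never prints them.

```python
import ipaddress

# Constructed namespace labels: the page selects the web namespace with
# role=web but never shows `kubectl get ns --show-labels`, so this is assumed.
NAMESPACE_LABELS = {"web": {"role": "web"}, "client": {}}

def selector_matches(selector, labels):
    """matchLabels semantics: an empty (or absent) matchLabels selects everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_allows(peer, policy_ns, src_ns, src_labels, src_ip):
    """Evaluate one element of a `from:` list. Fields in the same element are ANDed;
    a bare podSelector (no namespaceSelector) only covers the policy's own namespace."""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(src_ip), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(src_ns, {})):
            return False
    elif src_ns != policy_ns:
        return False
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src_labels):
        return False
    return True

def ingress_allowed(policies, dst_ns, dst_labels, src_ns, src_labels, src_ip):
    """True if traffic from the source pod may reach the destination pod."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst_ns
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"]["podSelector"], dst_labels)]
    if not selecting:          # no policy selects the pod: everything is allowed
        return True
    for p in selecting:        # rules across all selecting policies are ORed
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:      # a rule with no `from` admits every source
                return True
            if any(peer_allows(q, dst_ns, src_ns, src_labels, src_ip) for q in peers):
                return True
    return False               # selected, but no rule matched: default deny

# The two policies applied on this page, expressed as dicts.
WEB_DENY = {"metadata": {"name": "web-deny", "namespace": "web"},
            "spec": {"podSelector": {"matchLabels": {}}, "policyTypes": ["Ingress"]}}
WEB_ALLOW = {"metadata": {"name": "web-allow", "namespace": "web"},
             "spec": {"podSelector": {"matchLabels": {}}, "policyTypes": ["Ingress"],
                      "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "web"}}}]}]}}
```

Running `ingress_allowed([WEB_DENY], ...)` reproduces the timeout seen above, and adding `WEB_ALLOW` reproduces the successful curl from the nginx pod while still blocking the client namespace.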

podSelector

namespaceSelector and podSelector
