Kubernetes(k8s)中文文件 名詞解釋:Network Policy_Kubernetes中文社群
阿新 • • 發佈:2018-12-27
Network Policy
Network Policy提供了基於策略的網路控制,用於隔離應用並減少攻擊面。它使用標籤選擇器模擬傳統的分段網路,並通過策略控制它們之間的流量以及來自外部的流量。
在使用Network Policy之前,需要注意
- apiserver開啟extensions/v1beta1/networkpolicies
- 網路外掛要支援Network Policy,如Calico、Romana、Weave Net和trireme等
策略
Namespace隔離
預設情況下,所有Pod之間是全通的。每個Namespace可以配置獨立的網路策略,來隔離Pod之間的流量。比如隔離namespace的所有Pod之間的流量(包括從外部到該namespace中所有Pod的流量以及namespace內部Pod相互之間的流量):
kubectl annotate ns <namespace> "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}"
注:目前,Network Policy僅支援Ingress流量控制。
Pod隔離
通過使用標籤選擇器(包括namespaceSelector和podSelector)來控制Pod之間的流量。比如下面的Network Policy
- 允許default namespace中帶有role=frontend標籤的Pod訪問default namespace中帶有role=db標籤Pod的6379埠
- 允許帶有project=myprojects標籤的namespace中所有Pod訪問default namespace中帶有role=db標籤Pod的6379埠
apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db ingress: - from: - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: tcp port: 6379
示例
以calico為例看一下Network Policy的具體用法。
首先配置kubelet使用CNI網路外掛
kubelet --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin ...
安裝calio網路外掛
# 注意修改CIDR,需要跟k8s pod-network-cidr一致,預設為192.168.0.0/16 kubectl apply -f http://docs.projectcalico.org/v2.1/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml
首先部署一個nginx服務
$ kubectl run nginx --image=nginx --replicas=2 deployment "nginx" created $ kubectl expose deployment nginx --port=80 service "nginx" exposed
此時,通過其他Pod是可以訪問nginx服務的
$ kubectl run busybox --rm -ti --image=busybox /bin/sh Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false Hit enter for command prompt / # wget --spider --timeout=1 nginx Connecting to nginx (10.100.0.16:80) / #
開啟default namespace的DefaultDeny Network Policy後,其他Pod(包括namespace外部)不能訪問nginx了:
$ kubectl annotate ns default "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}" $ kubectl run busybox --rm -ti --image=busybox /bin/sh Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false Hit enter for command prompt / # wget --spider --timeout=1 nginx Connecting to nginx (10.100.0.16:80) wget: download timed out / #
最後再建立一個執行帶有access=true的Pod訪問的網路策略
$ cat nginx-policy.yaml kind: NetworkPolicy apiVersion: extensions/v1beta1 metadata: name: access-nginx spec: podSelector: matchLabels: run: nginx ingress: - from: - podSelector: matchLabels: access: "true" $ kubectl create -f nginx-policy.yaml networkpolicy "access-nginx" created # 不帶access=true標籤的Pod還是無法訪問nginx服務 $ kubectl run busybox --rm -ti --image=busybox /bin/sh Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false Hit enter for command prompt / # wget --spider --timeout=1 nginx Connecting to nginx (10.100.0.16:80) wget: download timed out / # # 而帶有access=true標籤的Pod可以訪問nginx服務 $ kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false Hit enter for command prompt / # wget --spider --timeout=1 nginx Connecting to nginx (10.100.0.16:80) / #
最後開啟nginx服務的外部訪問:
$ cat nginx-external-policy.yaml apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: front-end-access namespace: sock-shop spec: podSelector: matchLabels: run: nginx ingress: - ports: - protocol: TCP port: 80 $ kubectl create -f nginx-external-policy.yaml
參考:https://feisky.gitbooks.io/kubernetes/concepts/network-policy.html