Kubernetes 之 NetworkPolicy Ingress及Egress简介及案例

NetworkPolicy Ingress及Egress简介及案例(前提:NetworkPolicy 只有在所用 CNI 插件支持并启用策略执行时才会生效,例如 Calico、Cilium;不支持策略的 CNI 会静默忽略这些对象——策略对象创建成功,却没有任何拦截效果)

# Create the two demo namespaces and tag each with an `nsname` label; that label is
# what the namespaceSelector rules in case 6 (ingress) and case 9 (egress) match on.
for ns in linux python; do
  kubectl create ns "$ns"
  kubectl label ns "$ns" nsname="$ns"
done

#linux 命名空间 建立 tomcat和nginx 容器
[root@xianchaonode1 ~]# docker pull nginx:1.20.2-alpine
[root@xianchaonode1 ~]# docker pull tomcat:7.0.109-jdk8-openjdk


[root@xianchaonode2 ~]# docker pull nginx:1.20.2-alpine
[root@xianchaonode2 ~]# docker pull tomcat:7.0.109-jdk8-openjdk

[root@xianchaomaster1 linux-ns1]# cat nginx.yaml
# nginx Deployment in the `linux` namespace. Its pods carry app=linux-nginx-selector,
# the label the NetworkPolicy cases below treat as a "source pod" identity.
kind: Deployment
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
metadata:
  labels:
    app: linux-nginx-deployment-label
  name: linux-nginx-deployment
  namespace: linux
spec:
  replicas: 1
  selector:
    matchLabels:
      app: linux-nginx-selector
  template:
    metadata:
      labels:
        app: linux-nginx-selector
    spec:
      containers:
      - name: linux-nginx-container
        image: nginx:1.20.2-alpine
        #command: ["/apps/tomcat/bin/run_tomcat.sh"]
        # IfNotPresent on a mutable tag means each node keeps serving whatever it cached
        # under that tag; pin by digest (image@sha256:...) if the pull must be reproducible.
        imagePullPolicy: IfNotPresent
        #imagePullPolicy: Always
        ports:
        - containerPort: 80
          protocol: TCP
          name: http
        - containerPort: 443
          protocol: TCP
          name: https
        env:
        # NOTE(review): a plaintext credential in a Deployment is visible to anyone who can
        # `kubectl get deploy -o yaml` or `describe pod`. Demo value only -- in real manifests
        # store it in a Secret and reference it with `valueFrom.secretKeyRef`.
        - name: "password"
          value: "123456"
        - name: "age"
          value: "18"
#        resources:
#          limits:
#            cpu: 2
#            memory: 2Gi
#          requests:
#            cpu: 500m
#            memory: 1Gi


---
# NodePort Service exposing nginx on every node at 30008 (http) and 30443 (https).
# NOTE(review): traffic arriving through a NodePort is normally SNAT'd to the node's IP
# (externalTrafficPolicy: Cluster is the default), so pod/namespace selectors in an ingress
# NetworkPolicy will not match it; only an ipBlock covering the node addresses can.
kind: Service
apiVersion: v1
metadata:
  labels:
    app: linux-nginx-service-label
  name: linux-nginx-service
  namespace: linux
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30008
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
    nodePort: 30443
  selector:
    app: linux-nginx-selector

[root@xianchaomaster1 linux-ns1]# kubectl apply -f nginx.yaml

---

#cat tomcat.yaml
# tomcat Deployment in the `linux` namespace. Its pods carry app=linux-tomcat-app1-selector;
# the python-namespace twin (not shown on this page) is the target of most cases below.
kind: Deployment
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
metadata:
  labels:
    app: linux-tomcat-app1-deployment-label
  name: linux-tomcat-app1-deployment
  namespace: linux
spec:
  replicas: 1
  selector:
    matchLabels:
      app: linux-tomcat-app1-selector
  template:
    metadata:
      labels:
        app: linux-tomcat-app1-selector
    spec:
      containers:
      - name: linux-tomcat-app1-container
        # NOTE(review): Tomcat 7.x reached end-of-life in 2021 and receives no security fixes;
        # acceptable for an isolated lab, not for anything reachable from outside the cluster.
        image: tomcat:7.0.109-jdk8-openjdk 
        #command: ["/apps/tomcat/bin/run_tomcat.sh"]
        # IfNotPresent on a mutable tag means each node keeps serving whatever it cached
        # under that tag; pin by digest (image@sha256:...) if the pull must be reproducible.
        imagePullPolicy: IfNotPresent
        #imagePullPolicy: Always
        ports:
        - containerPort: 8080
          protocol: TCP
          name: http
        env:
        # NOTE(review): plaintext credential in the manifest -- demo only. Use a Secret and
        # `valueFrom.secretKeyRef` rather than a literal value.
        - name: "password"
          value: "123456"
        - name: "age"
          value: "18"
#        resources:
#          limits:
#            cpu: 2
#            memory: 2Gi
#          requests:
#            cpu: 500m
#            memory: 1Gi


---
# NodePort Service: node port 30006 -> service port 80 -> container port 8080.
# NOTE(review): NodePort traffic is normally SNAT'd to the node IP, so ingress policies
# based on pod/namespace selectors will not see the real client; only an ipBlock covering
# the node addresses can admit it.
kind: Service
apiVersion: v1
metadata:
  labels:
    app: linux-tomcat-app1-service-label
  name: linux-tomcat-app1-service
  namespace: linux
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
    nodePort: 30006
  selector:
    app: linux-tomcat-app1-selector
    
[root@xianchaomaster1 linux-ns1]# kubectl apply -f tomcat.yaml


[root@xianchaomaster1 ~]# kubectl get pods -o wide -n linux
NAME                                            READY   STATUS    RESTARTS   AGE   IP              NODE            NOMINATED NODE   READINESS GATES
linux-nginx-deployment-58855fdbbf-6lzk7         1/1     Running   0          22m   10.244.121.25   xianchaonode1   <none>           <none>
linux-tomcat-app1-deployment-5f797bb6cf-dk2qv   1/1     Running   0          22m   10.244.121.8    xianchaonode1   <none>           <none>
[root@xianchaomaster1 ~]# kubectl get pods -o wide -n python
NAME                                            READY   STATUS    RESTARTS   AGE   IP              NODE            NOMINATED NODE   READINESS GATES
python-nginx-deployment-79c76dc944-rkn5m        1/1     Running   0          21m   10.244.121.55   xianchaonode1   <none>           <none>
python-tomcat-app1-deployment-9f84588c5-z64tq   1/1     Running   0          20m   10.244.121.6    xianchaonode1   <none>           <none>


[root@xianchaomaster1 python-ns2]# kubectl get pods -n default | grep Running
details-v1-65bbfd4f58-2kvrt       2/2     Running    0          3d23h
myapp-777f4ccb8c-hrwts            1/1     Running    0          21h
mysql-0                           3/3     Running    0          4d11h
productpage-v1-6b746f74dc-dnqr9   2/2     Running    0          4d11h
ratings-v1-b45758b-vklgv          2/2     Running    0          3d23h
reviews-v1-74894b48c8-mvzhd       2/2     Running    1          4d11h
reviews-v2-f649764d-zb9b9         2/2     Running    1          4d11h
reviews-v3-6c675c6774-c2qc2       2/2     Running    0          4d11h
sleep-557747455f-5kprc            2/2     Running    0          3d23h

 

EG1:ingress-以pod为限制单位、只允许同namespace含有特定标签的源pod访问目标pod的所有端口

1.不允许从其它namespace访问目标pod,即默认禁止了跨ns访问目标pod.

# kubectl exec -it centos-net-test1 -- bash   #测试 pod 位于 default 命名空间

# curl -m 3 python-tomcat-app1-service.python.svc.magedu.local/app/index.jsp #来自于default ns的请求会被禁止(被策略拦截的流量是被丢弃而非拒绝,不加 -m 超时会一直卡住;集群域 magedu.local 请按本集群实际配置调整)

2.非明确允许的pod,同namespace 也无法访问
3.不允许从宿主机访问目标pod(是否放行 pod 所在节点自身的流量取决于 CNI 实现——部分 CNI 为保证 kubelet 探针可达会默认放行本节点,请在自己的集群上实际验证)。
4.该策略只允许同namespace含有特定标签的源pod访问目标pod,比如tomcat只允许了有特定标签的源pod nginx访问。
5.该策略不影响其它namespace的pod内部之间的相互访问,即linux的pod与linux的pod访问正常。

6.该策略不影响各namespace的pod与非明确禁止的pod之间的访问,即linux的pod访问python的其它pod也正常。

 添加测试页面

[root@xianchaomaster1 ~]# kubectl get pods -o wide -n python
NAME                                            READY   STATUS    RESTARTS   AGE   IP              NODE            NOMINATED NODE   READINESS GATES
python-nginx-deployment-79c76dc944-rkn5m        1/1     Running   0          21m   10.244.121.55   xianchaonode1   <none>           <none>
python-tomcat-app1-deployment-9f84588c5-z64tq   1/1     Running   0          20m   10.244.121.6    xianchaonode1   <none>           <none>

kubectl exec -it python-tomcat-app1-deployment-9f84588c5-z64tq bash -n python
root@python-tomcat-app1-deployment-9f84588c5-z64tq:/usr/local/tomcat# cd webapps
root@python-tomcat-app1-deployment-9f84588c5-z64tq:/usr/local/tomcat/webapps# mkdir app
root@python-tomcat-app1-deployment-9f84588c5-z64tq:/usr/local/tomcat/webapps# echo "Python Namespace App1" > app/index.html

#case1-ingress-podSelector.yaml
# Case 1 (ingress, pod-level): only pods of *this* namespace carrying project=python may
# reach the selected tomcat pods, on any port. As soon as a pod is selected by an Ingress
# policy, every ingress source not explicitly allowed is denied -- other namespaces, the
# other pods in python, and (CNI permitting) the nodes themselves.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      app: python-tomcat-app1-selector # the rules below apply to the pods matching this label (target side)
  ingress: # ingress rules. No `ports` given here, so the rule matches ALL ports and protocols (TCP, UDP or SCTP)
  - from:
    - podSelector: # a bare podSelector under `from` only ever matches pods in the policy's own namespace
        matchLabels:
          #app: python-nginx-selector # several matchLabels entries are ANDed: every listed label must be present
          project: "python" # NOTE(review): the python-namespace manifests are not on this page; the nginx pod must carry this label for the test below to succeed
          
[root@xianchaomaster1 python-ns2]# kubectl apply -f case1-ingress-podSelector.yaml
 
[root@xianchaomaster1 python-ns2]# kubectl get networkpolicies.networking.k8s.io -n python
NAME                           POD-SELECTOR                      AGE
tomcat-access--networkpolicy   app=python-tomcat-app1-selector   6s

[root@xianchaomaster1 python-ns2]# kubectl describe networkpolicies.networking.k8s.io tomcat-access--networkpolicy -n python
Name:         tomcat-access--networkpolicy
Namespace:    python
Created on:   2023-04-13 20:18:08 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=python-tomcat-app1-selector
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      PodSelector: project=python
  Not affecting egress traffic
  Policy Types: Ingress
  
#此时只有python命名空间的 Nginx pod 才可以访问,因为它带有 project: "python" 标签(python 命名空间的 nginx Deployment 本文未展示,其 pod 模板必须打上该标签,否则下面的 curl 同样不通)
[root@xianchaomaster1 python-ns2]# kubectl exec -it python-nginx-deployment-79c76dc944-rkn5m sh -n python
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 10.244.121.6:8080/app/
Python Namespace App1

##defalut空间下的容器 不能访问 
[root@xianchaomaster1 python-ns2]# kubectl exec -it sleep-557747455f-5kprc sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Defaulting container name to sleep.
Use 'kubectl describe pod/sleep-557747455f-5kprc -n default' to see all of the containers in this pod.
/ $ curl -m 3 10.244.121.6:8080/app/
无回显(连接超时:被 NetworkPolicy 拦截的数据包是被丢弃而不是被拒绝,客户端不会收到 RST,所以测试时建议加 -m 限制等待时间)

 

case2: ingress-以pod加端口为限制单位、只允同namespace含有特定标签的源pod访问目标pod的指定端口:

1.只允许指定的源pod访问同namespace目标pod的指定端口
2.非允许的端口将被禁止访问

[root@xianchaomaster1 python-ns2]# cat case2-ingress-podSelector-ns-SinglePort.yaml
#
# Case 2 (ingress, pod + port): same source restriction as case 1, but now only TCP/8080 of
# the tomcat pods is reachable; every other port is denied. This object has the same
# name and namespace as case 1, so `kubectl apply` replaces that policy instead of adding
# a second one -- which is why edits take effect immediately in the test below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      app: python-tomcat-app1-selector
  ingress:
  - from:
    - podSelector:
        matchLabels:
          #app: python-nginx-selector # source-pod match; several matchLabels entries are ANDed (all must match)
          project: "python"
    ports: # optional. Omit `ports` entirely to match all ports/protocols; once listed, only these are allowed
    - protocol: TCP
      port: 8080 # allow TCP/8080 on the target pods; any port not listed is denied
      #port: 80

[root@xianchaomaster1 python-ns2]# kubectl apply -f case2-ingress-podSelector-ns-SinglePort.yaml

#进入python命名空间 的 Nginx 容器中
[root@xianchaomaster1 python-ns2]# kubectl exec -it python-nginx-deployment-79c76dc944-rkn5m sh -n python
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # curl 10.244.121.6:8080/app/
Python Namespace App1
#此时在另一个终端把策略改为只开放 80 端口(把 port: 8080 改成 port: 80 后重新 apply),立即生效,原终端就无法再访问 8080 端口了
/ # curl 10.244.121.6:8080/app/
无回显

 

case3: ingress-允许同namespace的所有pod访问当前namespace的目标pod多个指定端口:

#1.跨namespace禁止访问:linux ns的pod访问不了python ns中的pod

#2.同namespace的其它pod都可以访问目的pod的指定目标端口(含多目标端口)

# Case 3 (ingress, multi-port): any pod in the python namespace may reach the pods labelled
# app=python-tomcat-app1-selector on TCP 8080, 3306 and 6379; other namespaces are denied.
# To admit pods from other namespaces, add a namespaceSelector peer (or an ipBlock) under
# `from`. NetworkPolicy knows exactly three peer kinds -- podSelector, namespaceSelector
# and ipBlock; there is no Service selector.
# NOTE(review): this object is named with a single dash (tomcat-access-networkpolicy) while
# cases 1/2/4/5/6 use a double dash, so applying it does not replace the previous policy.
# Unless that one was deleted, both stay in effect and their allow rules are unioned.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access-networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector: # target pods
    matchLabels:
      app: python-tomcat-app1-selector
  ingress:
  - from:
    - podSelector: # source pods; `matchLabels: {}` selects every pod in the policy's namespace (not cluster-wide)
        matchLabels: {}
    ports: # once `ports` is given only the listed port/protocol pairs are allowed (omit it to allow all)
    - protocol: TCP
      port: 8080 # allow TCP/8080 on the target pods; ports not listed are denied
      #port: 80
    - protocol: TCP
      port: 3306
    - protocol: TCP
      port: 6379

# kubectl apply -f case3-ingress-podSelector-ns-MultiPort.yaml

#1.跨namespace禁止访问
#linux ns的pod访问不了python ns中的pod
root@k8s-master1:~# kubectl exec -it linux-nginx-deployment-58855fdbbf-6lzk7 sh -n linux
/ # curl 10.244.121.6:8080/app/ 
无回显

#2.同namespace的其它pod都可以访问目的pod的指定目标端口(含多目标端口)
root@k8s-master1:~# kubectl exec -it python-nginx-deployment-79c76dc944-rkn5m bash -n python
#同一个ns中的任意Pod均可以访问目的Pod
/ #  curl 10.244.121.6:8080/app/
Python Namespace App1

 

case4: ingress-允许同namespace的所有pod访问当前namespace的目标pod所有端口

1.其它namespace无法访问目标ns的pod。

2.同namespace的pod可以访问当前namespace中的所有pod的任意端口 

# case4-ingress-podSelector-ns.yaml
# Case 4 (ingress, namespace-wide): every pod in the python namespace may reach every other
# pod in it on any port; anything from another namespace is denied. This is the common
# "allow same-namespace, deny the rest" baseline policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector: # target pods
    matchLabels: {} # empty selector: every pod in the python namespace is a target
  ingress:
  - from:
    - podSelector: # source pods; `matchLabels: {}` = every pod in this namespace (still not other namespaces)
        matchLabels: {}
    #ports: # left commented out on purpose: with no `ports` the rule matches all ports and protocols (TCP, UDP, SCTP)
    #- protocol: TCP
    #  port: {} # placeholder only -- `port` takes a number or a named port, never `{}`
      #port: 80
    #- protocol: TCP
    #  port: 3306
    #- protocol: TCP
    #  port: 6379


# kubectl apply -f case4-ingress-podSelector-ns.yaml

 

case5:ingressipBlock白名单

1.只要在白名单范围内没有被except指定禁止的源podIP,都允许访问。

2.在只设置了ipBlock匹配的前提下,其它namespace 中没有落在except范围内的pod 也可以访问目标pod,即linux ns中的pod只要不在except地址范围内,也可以访问python ns中的pod了。注意:cidr 必须覆盖集群实际的 Pod 网段——本文上面列出的 pod IP 是 10.244.121.x,而策略写的是 10.200.0.0/16,照抄的话不会有任何 pod 被放行;另外 ipBlock 本意是用于集群外地址,pod IP 重启即变,部分 CNI 还会对跨节点流量做 SNAT,不宜用它来区分 pod,区分 pod 请用 podSelector/namespaceSelector。

#case5-ingress-ipBlock.yaml
# Case 5 (ingress, ipBlock allow-list): any source IP inside `cidr` that is not carved out
# by `except` may reach the tomcat pods on the listed ports, regardless of namespace.
# NOTE(review): ipBlock is meant for addresses *outside* the cluster. Pod IPs change on every
# restart and some CNIs SNAT cross-node traffic, so do not use ipBlock to tell pods apart --
# use pod/namespace selectors for that. Also, the pod IPs shown earlier on this page are
# 10.244.121.x, which 10.200.0.0/16 does not cover: copied as-is this policy admits no pod
# at all. Set `cidr` to this cluster's real pod CIDR before testing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector: # target pods
    matchLabels:
      app: python-tomcat-app1-selector
  ingress:
  - from:
#    - podSelector: # source pods; `matchLabels: {}` would allow every pod in this namespace
#        matchLabels: {}
    - ipBlock:
        cidr: 10.200.0.0/16 # allow-list: source range permitted to reach the target; everything outside it is denied
        except:
        - 10.200.219.0/24 # carve-outs: sources inside `cidr` that are nevertheless denied (each must lie within `cidr`)
        - 10.200.229.0/24 # denied source range
        - 10.200.207.31/32 # denied single source host
    ports: # only the listed port/protocol pairs are allowed (omit `ports` to allow all)
    - protocol: TCP
      port: 8080 # allow TCP/8080 on the target pods; ports not listed are denied
      #port: 80
    - protocol: TCP
      port: 3306
    - protocol: TCP
      port: 6379

# kubectl apply -f case5-ingress-ipBlock.yaml

 

case6:ingress-namespace Selector-ns选择器

1.被明确允许的namespace中的pod可以访问目标pod
2.没有明确声明允许的namespace将禁止访问
3.没有明确声明允许的话,即使同一个namespace也禁止访问

4.比如只允许了linux和python两个ns,那么default中的pod将无法访问

# kubectl label ns linux nsname=linux
# kubectl label ns python nsname=python

# case6-ingress-namespaceSelector.yaml
# Case 6 (ingress, namespaceSelector): pods in namespaces labelled nsname=linux or
# nsname=python may reach every pod in the python namespace on the listed ports. Any
# namespace not listed -- default included -- is denied, and because python itself is the
# target namespace it has to be listed too or its own pods lose access.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-access--networkpolicy
  namespace: python
spec:
  policyTypes:
  - Ingress
  podSelector: # target pods
    matchLabels: {} # empty selector: every pod in the python namespace is a target
#      app: python-tomcat-app1-selector # alternative: restrict the targets to a single app
  ingress:
  - from:
#    - podSelector: # source pods; `matchLabels: {}` would allow every pod in this namespace
#        matchLabels: {}
#    - ipBlock:
#        cidr: 10.200.0.0/16 # source range that would be allowed
#        except:
#        - 10.200.218.0/24 # sources inside that range that would still be denied

    # Two separate `- namespaceSelector` list entries are ORed: a source in either namespace
    # qualifies. (A namespaceSelector and a podSelector inside the SAME entry are ANDed.)
    # The nsname label comes from `kubectl label ns <ns> nsname=<ns>` run above.
    - namespaceSelector:
#        matchLabels: {} # would allow every namespace in the cluster
        matchLabels:
          nsname: linux # only this namespace
    - namespaceSelector:
        matchLabels:
          nsname: python # only this namespace
    ports: # only the listed port/protocol pairs are allowed (omit `ports` to allow all)
    - protocol: TCP
      port: 8080 # allow TCP/8080 on the target pods; ports not listed are denied
      #port: 80
    - protocol: TCP
      port: 3306
    - protocol: TCP
      port: 6379


# kubectl apply -f case6-ingress-namespaceSelector.yaml

 

case7:Egress-podSelector-Pod出口方向目的IP及目的端口限制-只允许访问指定的目的地址范围及端口:


限制指定的pod只能访问指定的目的IP及端口

1.基于Egress白名单,定义ns中匹配成功的pod可以访问ipBlock指定的地址和ports指定的端口

2.匹配成功的pod访问未明确定义在Egress白名单中的其它IP的请求将被拒绝(前提是 to 列表里不能出现 0.0.0.0/0 这类全量网段,否则它会覆盖其它更小的网段,白名单形同虚设)。

3.没有匹配成功的源pod,主动发起的出口访问请求不受影响。

#case7-Egress-ipBlock.yaml
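# Case 7 (egress, ipBlock allow-list): the selected pods may only open connections to the
# listed destination CIDRs on the listed ports; every other egress from them is denied.
# Pods not selected by this policy keep unrestricted egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-access-networkpolicy
  namespace: python
spec:
  policyTypes:
  - Egress
  podSelector: # pods this policy applies to (the source side for egress)
    matchLabels:
      app: python-tomcat-app1-selector # the tomcat pods in the python namespace
  egress:
  - to:
    - ipBlock:
        cidr: 10.200.0.0/16 # destination range the selected pods may reach
    - ipBlock:
        cidr: 172.31.7.106/32 # a single destination host
    # The original also listed `cidr: 0.0.0.0/0` here. A catch-all peer supersedes the two
    # narrower entries and turns this "allow-list" into "any destination on ports 80/53",
    # contradicting the stated intent of the case, so it has been removed.
    ports: # these apply to every `to` peer in this rule
    - protocol: TCP
      port: 80 # plain HTTP to the destinations above
    - protocol: TCP
      port: 53 # DNS
    - protocol: UDP
      port: 53 # DNS
    # NOTE(review): with a restrictive egress policy, name resolution only works if the
    # resolver is reachable through one of the peers above. The pod IPs shown earlier on
    # this page are 10.244.x.x, which 10.200.0.0/16 does not cover -- confirm the cluster's
    # pod and service CIDRs (or add a namespaceSelector peer for the kube-system DNS pods)
    # before relying on DNS from these pods.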


# kubectl apply -f case7-Egress-ipBlock.yaml

 

case8:Egress-podSelector-Pod出口方向目的Pod限制-只允许访问指定的pod及端口:


基于podSelector选择器,限制源pod能够访问的目的pod

1.匹配成功的源pod只能访问指定的目的pod的指定端口

2.其它没有允许的出口请求将禁止访问——包括发往 kube-system 中 CoreDNS 的 53 端口,所以必须单独为 DNS 放行(to 里的 podSelector 只匹配本命名空间的 pod,把 53 端口写在同一条规则里并不能放通 CoreDNS),否则源 pod 只能按 IP 访问。

#case8-Egress-PodSelector.yaml\
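# Case 8 (egress, podSelector): the selected nginx pods may only open connections to the
# tomcat pods of the same namespace on 8080, plus the cluster DNS; every other egress from
# them is denied. Pods not selected by this policy keep unrestricted egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-access-networkpolicy
  namespace: python
spec:
  policyTypes:
  - Egress
  podSelector: # pods this policy applies to (the source side for egress)
    matchLabels:
      app: python-nginx-selector # the nginx pods in the python namespace
  egress:
  # Rule 1: application traffic. A bare podSelector under `to` only matches pods in the
  # policy's own namespace, so this is "python/nginx -> python/tomcat:8080" and nothing else.
  - to:
    - podSelector:
        matchLabels:
          app: python-tomcat-app1-selector
    ports:
    - protocol: TCP
      port: 8080
  # Rule 2: DNS. The original put 53/TCP and 53/UDP in rule 1, where they only allowed DNS
  # *to the tomcat pods*; CoreDNS lives in kube-system, so name resolution from the selected
  # pods was in fact denied and only access by IP worked. Allow the resolver explicitly.
  # `kubernetes.io/metadata.name` is set on every namespace by the API server from
  # Kubernetes 1.21 on; on older clusters label kube-system by hand and match that label.
  # `k8s-app: kube-dns` is the label kubeadm-deployed CoreDNS pods carry -- check
  # `kubectl get pods -n kube-system --show-labels` and adjust if yours differ.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector: # same entry as the namespaceSelector above, so the two are ANDed
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53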


# kubectl apply -f case8-Egress-PodSelector.yaml

 

case9: Egress-namespaceSelector:

限制匹配成功的pod只能访问指定的namespace
1.匹配成功的源pod可以访问指定的目标namespace。
2.不能访问除指定的namespace以外的其它namespace及外网。
3.比如下例允许指定的源pod访问linux和python两个ns中pod的8080端口(如需 3306、6379 等,在 ports 中追加即可),但不能访问其它ns;由于 kube-system 不在允许列表里,DNS 需要单独放行。

#case9-Egress-namespaceSelector.yaml
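# Case 9 (egress, namespaceSelector): the selected nginx pods may only open connections to
# pods in the namespaces labelled nsname=python or nsname=linux (port 8080), plus the
# cluster DNS; everything else -- other namespaces and anything outside the cluster -- is
# denied. Pods not selected by this policy keep unrestricted egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-access-networkpolicy
  namespace: python
spec:
  policyTypes:
  - Egress
  podSelector: # pods this policy applies to (the source side for egress)
    matchLabels:
      app: python-nginx-selector # the nginx pods in the python namespace
  egress:
  # Rule 1: application traffic. Two separate `- namespaceSelector` entries are ORed, so a
  # destination in either namespace qualifies. The nsname label comes from
  # `kubectl label ns <ns> nsname=<ns>` run earlier on this page.
  - to:
    - namespaceSelector:
        matchLabels:
          nsname: python
    - namespaceSelector:
        matchLabels:
          nsname: linux
    ports:
    - protocol: TCP
      port: 8080
  # Rule 2: DNS. The original listed 53/TCP and 53/UDP under rule 1, which only allows them
  # towards the python and linux namespaces; CoreDNS lives in kube-system, which is not
  # labelled nsname, so name resolution from the selected pods was actually denied. Allow
  # the resolver explicitly. `kubernetes.io/metadata.name` is set on every namespace from
  # Kubernetes 1.21 on (label kube-system by hand on older clusters); `k8s-app: kube-dns`
  # is the kubeadm CoreDNS label -- verify with `kubectl get pods -n kube-system --show-labels`.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector: # same entry as the namespaceSelector above, so the two are ANDed
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53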
      
kubectl apply -f case9-Egress-namespaceSelector.yaml

 
