Network policy: ingress
Controlling inbound traffic
[root@k8s-master01 ~]# cat /yaml/ingress/netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: ingress        # the namespace must exist before the policy is applied
  name: demoapp-ingress
spec:
  podSelector:
    matchLabels:
      app: demoapp
  policyTypes: ["Ingress"]  # only the ingress rules are enforced; egress stays open
  ingress:
  - from:                   # rule 1: any port, from the listed namespaces or the CIDR
    - namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: [ingress, kube-system, logs, monitoring, kubernetes-dashboard]
    - ipBlock:
        cidr: 10.244.0.0/24
  - from:                   # rule 2: TCP port 80 of the pods only
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: [default]}   # every namespace except default
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master01 ingress]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress created
[root@k8s-master01 ingress]# kubectl create deployment demoapp --image="ikubernetes/demoapp:v1.0" -n ingress
deployment.apps/demoapp created
[root@k8s-master01 ingress]# kubectl create service nodeport demoapp --tcp=80 -n ingress
service/demoapp created
To test the access control, we create deployment/demoapp; its pods automatically receive the label app=demoapp, which is the same label the policy's podSelector matches and which service/demoapp uses to select its backend endpoints.
[root@k8s-master01 ingress]# kubectl label namespace/default name=default
namespace/default labeled
[root@k8s-master01 ingress]# kubectl run client-$RANDOM --image="ikubernetes/demoapp:v1.0" -n default --rm -it --command -- /bin/sh
If you don't see a command prompt, try pressing enter.
[root@client-16541 /]# curl --connect-timeout 5 demoapp.ingress.svc.cluster.local.
curl: (28) Connection timed out after 5001 milliseconds
[root@client-16541 /]#
From the default namespace we send a request to service/demoapp in the ingress namespace and check that it is refused. For this to work the default namespace must already carry the name=default label: rule 2 excludes namespaces by that label, and an unlabelled namespace would not be excluded. [Any namespace you expect a namespaceSelector to match, or to exclude, has to be planned and labelled ahead of time.]
[root@k8s-master01 ~]# kubectl create namespace prod
namespace/prod created
[root@k8s-master01 ~]# kubectl run client-$RANDOM --image="ikubernetes/demoapp:v1.0" -n prod --rm -it --command -- /bin/sh
If you don't see a command prompt, try pressing enter.
[root@client-9998 /]# curl --connect-timeout 5 demoapp.ingress.svc.cluster.local.
iKubernetes demoapp v1.0 !! ClientIP: 10.244.3.53, ServerName: demoapp-5f7d8f9847-7vkdc, ServerIP: 10.244.1.76!
[root@client-9998 /]#
The second rule matched, so the request is allowed. Note that prod was never labelled: a NotIn expression is also satisfied by a namespace that has no name label at all, so rule 2 is effectively a deny-list. It keeps out only namespaces explicitly labelled name=default and admits every other namespace, labelled or not, on TCP port 80. If the intent is an allow-list, use In with the permitted namespace names instead.
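To see why the unlabelled prod namespace gets through while default is refused, here is an added example (not code from the original post) that re-implements the subset of Kubernetes label-selector and NetworkPolicy ingress semantics the policy above relies on and evaluates both rules offline. The namespace label sets, the source IPs and the with_allowlist helper are constructed for illustration; the policy dict mirrors the YAML above.

```python
"""Offline evaluation of the demoapp-ingress NetworkPolicy.

Added example: a minimal model of label selectors (matchLabels, In, NotIn,
Exists, DoesNotExist) and of ingress rule matching (from + ports), run
against constructed namespaces and source addresses.
"""
import copy
import ipaddress

# Constructed namespaces: default was labelled on the page, prod was created
# without any label; the others are assumed to carry name=<namespace>.
NAMESPACES = {
    "default": {"name": "default"},
    "prod": {},
    "kube-system": {"name": "kube-system"},
    "ingress": {"name": "ingress"},
}

# The policy from the page, expressed as a dict.
POLICY = {"spec": {
    "podSelector": {"matchLabels": {"app": "demoapp"}},
    "policyTypes": ["Ingress"],
    "ingress": [
        {"from": [
            {"namespaceSelector": {"matchExpressions": [
                {"key": "name", "operator": "In",
                 "values": ["ingress", "kube-system", "logs",
                            "monitoring", "kubernetes-dashboard"]}]}},
            {"ipBlock": {"cidr": "10.244.0.0/24"}},
        ]},
        {"from": [
            {"namespaceSelector": {"matchExpressions": [
                {"key": "name", "operator": "NotIn", "values": ["default"]}]}},
        ],
         "ports": [{"protocol": "TCP", "port": 80}]},
    ],
}}


def selector_matches(selector, labels):
    """Every matchLabels pair and every matchExpression must hold.
    NotIn and DoesNotExist are satisfied by an object lacking the key."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    for e in selector.get("matchExpressions", []):
        key, op, values = e["key"], e["operator"], e.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def peer_matches(peer, src_ns, src_ip, src_pod_labels):
    """One entry of a rule's `from` list: ipBlock stands alone, otherwise
    namespaceSelector and podSelector are ANDed when both are present."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src_ip)
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in block.get("except", []))
    if "namespaceSelector" in peer and not selector_matches(
            peer["namespaceSelector"], NAMESPACES.get(src_ns, {})):
        return False
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src_pod_labels):
        return False
    return True


def ingress_allowed(policy, src_ns, src_ip, port, proto="TCP", src_pod_labels=None):
    """True if at least one ingress rule admits the connection to a selected pod."""
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True                                   # policy does not restrict ingress
    for rule in spec.get("ingress", []):
        froms, ports = rule.get("from", []), rule.get("ports", [])
        from_ok = not froms or any(
            peer_matches(p, src_ns, src_ip, src_pod_labels or {}) for p in froms)
        port_ok = not ports or any(
            p.get("protocol", "TCP") == proto and p["port"] == port for p in ports)
        if from_ok and port_ok:
            return True
    return False                                      # selected pods are isolated: deny


def with_allowlist(policy, allowed_namespaces):
    """Hypothetical hardened variant: rule 2 becomes an explicit In allow-list,
    so a namespace that was never labelled is denied instead of admitted."""
    hardened = copy.deepcopy(policy)
    hardened["spec"]["ingress"][1]["from"] = [{"namespaceSelector": {"matchExpressions": [
        {"key": "name", "operator": "In", "values": list(allowed_namespaces)}]}}]
    return hardened


if __name__ == "__main__":
    for ns, ip, port in [("default", "10.244.3.10", 80), ("prod", "10.244.3.53", 80),
                         ("prod", "10.244.3.53", 8080), ("kube-system", "10.244.2.7", 8080)]:
        print(f"{ns:12} {ip:14} tcp/{port:<5} allowed={ingress_allowed(POLICY, ns, ip, port)}")
    print("hardened, prod unlabelled:",
          ingress_allowed(with_allowlist(POLICY, ["prod"]), "prod", "10.244.3.53", 80))
```

Running it reproduces the two curl results on the page (default refused, prod admitted on port 80) and also shows that prod is refused on any other port, that a namespace listed in rule 1 may reach any port, and that under the allow-list variant an unlabelled prod is refused until it is labelled name=prod.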
[root@k8s-master01 ~]# kubectl get service/demoapp -o json -n ingress
{
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "creationTimestamp": "2021-09-04T01:14:14Z",
        "labels": {
            "app": "demoapp"
        },
        "name": "demoapp",
        "namespace": "ingress",
        "resourceVersion": "5157546",
        "selfLink": "/api/v1/namespaces/ingress/services/demoapp",
        "uid": "d9995f65-d5da-47c9-b09c-164d0557e917"
    },
    "spec": {
        "clusterIP": "10.104.236.114",
        "externalTrafficPolicy": "Cluster",
        "ports": [
            {
                "name": "80",
                "nodePort": 32539,
                "port": 80,
                "protocol": "TCP",
                "targetPort": 80
            }
        ],
        "selector": {
            "app": "demoapp"
        },
        "sessionAffinity": "None",
        "type": "NodePort"
    },
    "status": {
        "loadBalancer": {}
    }
}
[root@zabbix-server ~]# curl --connect-timeout 5 http://k8s-node02:32539
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-5f7d8f9847-7vkdc, ServerIP: 10.244.1.76!
[root@zabbix-server ~]#
Access through the NodePort from outside the cluster also succeeds. Note the ClientIP the pod reports: 10.244.1.1 is a cluster-internal address, not zabbix-server's. With externalTrafficPolicy set to Cluster the source address is rewritten (SNAT) on the way in, so an ingress rule cannot match on the original external client address, and how such node-originated traffic is treated by a policy depends on the CNI plugin. If external access must be restricted, filter it at the node or load balancer rather than relying on the namespaceSelector and ipBlock rules above.