| |
1632 次浏览 |
55次 |
|
|
Network Policy
Network Policy提供了基于策略的网络控制,用于隔离应用并减少攻击面。它使用标签选择器模拟传统的分段网络,并通过策略控制它们之间的流量以及来自外部的流量。
在使用Network Policy之前,需要注意
apiserver开启extensions/ v1beta1/networkpolicies
网络插件要支持Network Policy, 如Calico、Romana、Weave
Net和trireme等
策略
Namespace隔离
默认情况下,所有Pod之间是全通的。每个Namespace可以配置独立的网络策略,来隔离Pod之间的流量。比如隔离namespace的所有Pod之间的流量(包括从外部到该namespace中所有Pod的流量以及namespace内部Pod相互之间的流量):
| kubectl
annotate ns <namespace> "net.beta.kubernetes.io /network-policy={\"ingress\":
{\"isolation\": \"DefaultDeny\ "}}" |
注:目前,Network Policy仅支持Ingress流量控制。
Pod隔离
通过使用标签选择器(包括namespaceSelector和podSelector)来控制Pod之间的流量。比如下面的Network
Policy
允许default namespace中带有role=frontend标签的Pod访问default
namespace中带有role=db标签Pod的6379端口
允许带有project=myprojects标签的namespace中所有Pod访问default
namespace中带有role=db标签Pod的6379端口
apiVersion:
extensions/v1beta1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
role: db
ingress:
- from:
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: tcp
port: 6379 |
示例
以calico为例看一下Network Policy的具体用法。
首先配置kubelet使用CNI网络插件
| kubelet
--network-plugin =cni --cni-conf-dir =/etc/cni/net.d
--cni-bin-d ir=/opt/cni/bin ... |
安装calio网络插件
#
注意修改CIDR,需要跟k8s pod-network -cidr一致 ,默认为192.168.0.0/16
kubectl apply -f http://docs.projectcalico.org/ v2.1/getting -started/kubernetes/
installation/ hosted/ kubeadm/1.6/calico.yaml |
首先部署一个nginx服务
$
kubectl run nginx --image= nginx --replicas=2
deployment "nginx" created
$ kubectl expose deployment nginx --port=80
service "nginx" exposed |
此时,通过其他Pod是可以访问nginx服务的
$
kubectl run busybox --rm -ti - -image =busybox
/bin/sh
Waiting for pod default/ busybox-472357175 -y0m47
to be running, status is Pending, pod ready:
false
Hit enter for command prompt
/ # wget --spider --timeout =1 nginx
Connecting to nginx (10.100.0.16:80)
/ # |
开启default namespace的DefaultDeny Network Policy后,其他Pod(包括namespace外部)不能访问nginx了:
$
kubectl annotate ns default "net.beta.kubernetes.io/network
-policy= {\"ingress\": {\"isolation\":
\"DefaultDeny\"}}"
$ kubectl run busybox --rm -ti --image=busybox
/bin/sh
Waiting for pod default/busybox- 472357175-y0m47
to be running, status is Pending, pod ready:
false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
wget: download timed out
/ # |
最后再创建一个运行带有access=true的Pod访问的网络策略
$
cat nginx-policy.yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
name: access-nginx
spec:
podSelector:
matchLabels:
run: nginx
ingress:
- from:
- podSelector:
matchLabels:
access: "true"
$ kubectl create -f nginx-policy.yaml
networkpolicy "access-nginx" created
# 不带access=true标签的Pod还是无法访问nginx服务
$ kubectl run busybox --rm -ti --image=busybox
/bin/sh
Waiting for pod default/busybox -472357175-y0m47
to be running, status is Pending, pod ready:
false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
wget: download timed out
/ #
# 而带有access=true标签的Pod可以访问nginx服务
$ kubectl run busybox --rm -ti --labels= "access=true"
--image =busybox /bin/sh
Waiting for pod default/busybox -472357175-y0m47
to be running, status is Pending, pod ready:
false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ # |
最后开启nginx服务的外部访问:
$
cat nginx-external-policy.yaml
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
name: front-end-access
namespace: sock-shop
spec:
podSelector:
matchLabels:
run: nginx
ingress:
- ports:
- protocol: TCP
port: 80
$ kubectl create -f nginx-external-policy.yaml |
|
| |
1632 次浏览 |
55次 |
|
捐助 |
|
|
| |
