[root@master01 cksstudy]# vi studyns01.yaml
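# Namespace studyns01. The role label is what a NetworkPolicy namespaceSelector
# matches on (studynp01 later on this page selects role=studyns03 this way).
apiVersion: v1
kind: Namespace
metadata:
  name: studyns01
  labels:
    role: studyns01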
[root@master01 cksstudy]# vi studyns02.yaml
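# Namespace studyns02; labelled role=studyns02 so it can be targeted by a
# namespaceSelector (no policy on this page selects it, which is why studypod04
# is expected to be blocked).
apiVersion: v1
kind: Namespace
metadata:
  name: studyns02
  labels:
    role: studyns02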
[root@master01 cksstudy]# vi studyns03.yaml
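# Namespace studyns03; studynp01's ingress rule admits any pod from a namespace
# carrying this role=studyns03 label.
apiVersion: v1
kind: Namespace
metadata:
  name: studyns03
  labels:
    role: studyns03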
[root@master01 cksstudy]# vi studyns04.yaml
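# Namespace studyns04; hosts studypod06, which the egress tests on this page use
# as a target on 10.10.30.0/24.
apiVersion: v1
kind: Namespace
metadata:
  name: studyns04
  labels:
    role: studyns04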
[root@master01 cksstudy]# vi studypod01.yaml
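# Target pod of the studynp01 NetworkPolicy (selected by role=studypod01).
# training/webapp answers on TCP 5000, the port every nc test on this page hits.
# NOTE(review): the image has no tag (resolves to :latest) — pin a tag or digest
# for a reproducible, auditable image. No securityContext is set either; the exec
# prompts later on this page show the container running as root.
apiVersion: v1
kind: Pod
metadata:
  name: studypod01
  namespace: studyns01
  labels:
    role: studypod01
spec:
  containers:
  - name: studypod01
    image: training/webapp
    command:
    - python
    - app.py
    imagePullPolicy: IfNotPresent
  restartPolicy: Always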
[root@master01 cksstudy]# vi studypod02.yaml
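# Client pod in studyns01 labelled role=studypod02; studynp01's podSelector entry
# admits it, so its nc test against studypod01:5000 is expected to succeed.
apiVersion: v1
kind: Pod
metadata:
  name: studypod02
  namespace: studyns01
  labels:
    role: studypod02
spec:
  containers:
  - name: studypod02
    image: training/webapp
    command:
    - python
    - app.py
    imagePullPolicy: IfNotPresent
  restartPolicy: Always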
[root@master01 cksstudy]# vi studypod03.yaml
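# Client pod in studyns01 with a label no selector in studynp01 matches. It still
# reaches studypod01 because its worker01 address (10.10.5.47 in the listing
# below) falls inside 10.10.0.0/16 and outside the 10.10.30.0/24 `except` block —
# i.e. it is admitted by source IP only, which is fragile because pod IPs change.
apiVersion: v1
kind: Pod
metadata:
  name: studypod03
  namespace: studyns01
  labels:
    role: studypod03
spec:
  containers:
  - name: studypod03
    image: training/webapp
    command:
    - python
    - app.py
    imagePullPolicy: IfNotPresent
  restartPolicy: Always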
[root@master01 cksstudy]# vi studypod04.yaml
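# Client pod in studyns02 (scheduled on worker02, 10.10.30.109 in the listing
# below). Its address is inside the ipBlock `except` range and its namespace is
# not selected by studynp01, so its nc test is expected to be blocked.
apiVersion: v1
kind: Pod
metadata:
  name: studypod04
  namespace: studyns02
  labels:
    role: studypod04
spec:
  containers:
  - name: studypod04
    image: training/webapp
    command:
    - python
    - app.py
    imagePullPolicy: IfNotPresent
  restartPolicy: Always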
[root@master01 cksstudy]# vi studypod05.yaml
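# Client pod in studyns03; studynp01 admits it through the namespaceSelector
# role=studyns03 entry, so its nc test is expected to succeed.
apiVersion: v1
kind: Pod
metadata:
  name: studypod05
  namespace: studyns03
  labels:
    role: studypod05
spec:
  containers:
  - name: studypod05
    image: training/webapp
    command:
    - python
    - app.py
    imagePullPolicy: IfNotPresent
  restartPolicy: Always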
[root@master01 cksstudy]# vi studypod06.yaml
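# Pod in studyns04 on worker02 (10.10.30.110 in the listing below). It is used as
# an egress target from studypod01, whose egress rule allows 10.10.30.0/24:5000.
apiVersion: v1
kind: Pod
metadata:
  name: studypod06
  namespace: studyns04
  labels:
    role: studypod06
spec:
  containers:
  - name: studypod06
    image: training/webapp
    command:
    - python
    - app.py
    imagePullPolicy: IfNotPresent
  restartPolicy: Always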
[root@master01 cksstudy]# kubectl apply -f .
[root@master01 cksstudy]# kubectl -n studyns01 get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
studypod01 1/1 Running 0 14s 10.10.30.108 worker02 <none> <none>
studypod02 1/1 Running 0 14s 10.10.5.46 worker01 <none> <none>
studypod03 1/1 Running 0 14s 10.10.5.47 worker01 <none> <none>
[root@master01 cksstudy]# kubectl -n studyns02 get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
studypod04 1/1 Running 0 16s 10.10.30.109 worker02 <none> <none>
[root@master01 cksstudy]# kubectl -n studyns03 get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
studypod05 1/1 Running 0 19s 10.10.5.48 worker01 <none> <none>
[root@master01 cksstudy]# kubectl -n studyns04 get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
studypod06 1/1 Running 0 21s 10.10.30.110 worker02 <none> <none>
[root@master01 cksstudy]# kubectl -n studyns01 exec -ti studypod01 -- /bin/sh
# ping -c 1 10.10.5.46
PING 10.10.5.46 (10.10.5.46) 56(84) bytes of data.
64 bytes from 10.10.5.46: icmp_seq=1 ttl=62 time=0.374 ms
--- 10.10.5.46 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.374/0.374/0.374/0.000 ms
# ping -c 1 10.10.5.47
PING 10.10.5.47 (10.10.5.47) 56(84) bytes of data.
64 bytes from 10.10.5.47: icmp_seq=1 ttl=62 time=0.522 ms
--- 10.10.5.47 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.522/0.522/0.522/0.000 ms
# ping -c 1 10.10.30.109
PING 10.10.30.109 (10.10.30.109) 56(84) bytes of data.
64 bytes from 10.10.30.109: icmp_seq=1 ttl=63 time=0.109 ms
--- 10.10.30.109 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.109/0.109/0.109/0.000 ms
# ping -c 1 10.10.5.48
PING 10.10.5.48 (10.10.5.48) 56(84) bytes of data.
64 bytes from 10.10.5.48: icmp_seq=1 ttl=62 time=0.408 ms
--- 10.10.5.48 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.408/0.408/0.408/0.000 ms
# ping -c 1 10.10.30.110
PING 10.10.30.110 (10.10.30.110) 56(84) bytes of data.
64 bytes from 10.10.30.110: icmp_seq=1 ttl=63 time=0.073 ms
--- 10.10.30.110 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.073/0.073/0.073/0.000 ms
[root@master01 cksstudy]# vi studynp01.yaml
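# Isolates studypod01 (role=studypod01 in studyns01) in both directions.
# The three entries under `from` are separate list items, so they are OR-ed:
# a client matching any one of them may reach TCP/5000.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: studynp01
  namespace: studyns01
spec:
  podSelector:
    matchLabels:
      role: studypod01
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    # Source-IP match: 10.10.0.0/16 minus 10.10.30.0/24 (on this cluster the
    # latter is the range the worker02 pods are observed in). Pod IPs are
    # ephemeral, so ipBlock is a weak way to identify in-cluster pods.
    - ipBlock:
        cidr: 10.10.0.0/16
        except:
        - 10.10.30.0/24
    # Any pod in a namespace labelled role=studyns03.
    - namespaceSelector:
        matchLabels:
          role: studyns03
    # Pods labelled role=studypod02 in this namespace only (a bare podSelector
    # never matches pods in other namespaces).
    - podSelector:
        matchLabels:
          role: studypod02
    ports:
    - protocol: TCP
      port: 5000
  egress:
  # Because Egress is listed in policyTypes, only TCP/5000 towards
  # 10.10.30.0/24 is allowed out; everything else, including DNS lookups,
  # is dropped for studypod01.
  - to:
    - ipBlock:
        cidr: 10.10.30.0/24
    ports:
    - protocol: TCP
      port: 5000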
[root@master01 cksstudy]# kubectl apply -f studynp01.yaml
释义说明:
如上网络策略示例表示: 该策略只选中 studyns01 命名空间中带有 role=studypod01 标签的 Pod(即 studypod01), 并同时开启 Ingress 和 Egress 隔离。入站方面, from 下的三个条目是并列的列表项(满足任一即可), 只允许以下来源访问 TCP 5000 端口: 源 IP 属于 10.10.0.0/16 但不在 10.10.30.0/24 之内; 带有 role=studyns03 标签的命名空间中的任意 Pod; 本命名空间中带有 role=studypod02 标签的 Pod。出站方面, 只允许访问 10.10.30.0/24 的 TCP 5000 端口, 其余出站流量(包括 DNS 查询)都会被拒绝。需要注意 ipBlock 是按源 IP 匹配的, 而 Pod IP 是临时分配的(本例中 10.10.30.0/24 恰好是 worker02 上 Pod 的地址段), 对集群内的 Pod 应优先用 namespaceSelector/podSelector 来选择。下面的 nc 测试逐一验证这些规则:
[root@master01 ~]# kubectl -n studyns02 exec -ti studypod04 -- /bin/bash
root@studypod04:/opt/webapp# nc -v 10.10.30.108 5000 #根据策略应该不通
[root@master01 ~]# kubectl -n studyns01 exec -ti studypod03 -- /bin/bash
root@studypod03:/opt/webapp# nc -v 10.10.30.108 5000 #根据策略应该能通
Connection to 10.10.30.108 5000 port [tcp/*] succeeded!
[root@master01 ~]# kubectl -n studyns03 exec -ti studypod05 -- /bin/bash
root@studypod05:/opt/webapp# nc -v 10.10.30.108 5000 #根据策略应该能通
Connection to 10.10.30.108 5000 port [tcp/*] succeeded!
[root@master01 ~]# kubectl -n studyns01 exec -ti studypod02 -- /bin/bash
root@studypod02:/opt/webapp# nc -v 10.10.30.108 5000 #根据策略应该能通
Connection to 10.10.30.108 5000 port [tcp/*] succeeded!
[root@master01 ~]# kubectl -n studyns01 exec -ti studypod01 -- /bin/bash
root@studypod01:/opt/webapp# nc -v 10.10.30.109 5000 #根据策略应该能通
Connection to 10.10.30.109 5000 port [tcp/*] succeeded!
^C
root@studypod01:/opt/webapp# nc -v 10.10.30.110 5000 #根据策略应该能通
Connection to 10.10.30.110 5000 port [tcp/*] succeeded!
^C
root@studypod01:/opt/webapp# nc -v 10.10.5.46 5000 #根据策略应该不通
^C
在 ingress 的 from 部分或 egress 的 to 部分中可以指定四种选择器: podSelector、namespaceSelector、namespaceSelector 与 podSelector 的组合, 以及 ipBlock。示例001: 允许来自带有 user=alice 标签的命名空间中、且自身带有 role=client 标签的 Pod 的入请求连接(namespaceSelector 与 podSelector 写在同一个 from 条目内, 两个条件必须同时满足; 与示例002 中分成两个条目的写法含义不同)。
...
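# One `from` entry holding both selectors: the source pod must be in a namespace
# labelled user=alice AND itself carry role=client (logical AND).
ingress:
- from:
  - namespaceSelector:
      matchLabels:
        user: alice
    podSelector:
      matchLabels:
        role: client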
...
示例002:允许来自带有user=xhyns标签的命名空间下的任何Pod,或来自该策略所在命名空间的带有role=xhyuser的Pod的入请求连接。
...
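# Two `from` entries: any pod in a namespace labelled user=xhyns, OR a pod
# labelled role=xhyuser in the policy's own namespace (logical OR). The extra
# `-` before podSelector is the only difference from the AND form above.
ingress:
- from:
  - namespaceSelector:
      matchLabels:
        user: xhyns
  - podSelector:
      matchLabels:
        role: xhyuser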
...
默认情况下,如果命名空间中不存在任何策略,则所有进出该命名空间中 Pod 的流量都被允许。 可通过如下方式修改命名空间中的默认行为。
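# Selects every pod in studyns01 (empty podSelector) and declares Ingress with no
# ingress rules, so all inbound traffic is denied unless another policy allows it.
# Egress is not listed in policyTypes, so outbound traffic is left as is.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: studyns01
spec:
  podSelector: {}
  policyTypes:
  - Ingress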
如上策略可以当做兜底策略(NetworkPolicy 之间没有先后匹配顺序, 各策略的允许规则是叠加生效的), 确保 Pod 即使没有被其他任何 NetworkPolicy 选中, 其入站流量也会被默认拒绝。此策略不会更改默认的出口隔离行为。
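# Selects every pod in studyns01 and adds a single empty ingress rule (`- {}`),
# which matches all sources and ports: inbound traffic is explicitly allowed even
# if other policies isolate these pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
  namespace: studyns01
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - {}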
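# Selects every pod in studyns01 and declares Egress with no egress rules, so all
# outbound traffic (DNS included) is denied unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: studyns01
spec:
  podSelector: {}
  policyTypes:
  - Egress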
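# Selects every pod in studyns01 and adds one empty egress rule (`- {}`), which
# allows all destinations and ports regardless of other isolating policies.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
  namespace: studyns01
spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress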
应用此策略后, 即使后来添加了导致某些 Pod 被视为“隔离”的策略, 该命名空间中所有 Pod 的出站流量仍会被显式地允许。
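# Selects every pod and declares both Ingress and Egress with no rules: all
# traffic in and out is denied unless another policy allows it.
# No metadata.namespace is given, so `kubectl apply` puts it in the namespace of
# the current context (or the one passed with -n).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress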
如上策略可以当做兜底策略, 确保没有被其他任何 NetworkPolicy 选中的 Pod 也不会被允许任何入站或出站流量。注意该示例没有指定 metadata.namespace, 应用时会落在 kubectl 当前上下文(或 -n 指定)的命名空间中。