目录
NetworkPolicy简介
资源规范
示例1:禁止所有入站流量规则
示例2: 创建NetworkPolicy2 放行dev名称空间
示例3:出站流量规则
示例4:合并出入站流量控制
GlobalNetworkPolicy全局访问策略
资源规范
示例5: 创建 GlobalNetworkPolicy Ingress、Egress
NetworkPolicy简介
- 我们经常需要按租户进行网络隔离,k8s 提供了 networkpolicy 来定义网络策略,从而实现网络隔离以满足租户隔离及部分租户下业务隔离等。Network Policy 提供了基于策略的网络控制,用于隔离应用并减少攻击面。它使用标签选择器模拟传统的分段网络,并通过策略控制它们之间的流量以及来自外部的流量。但这个 networkpolicy 需要有第三方外接网络插件的支持,如Calico、Romana、Weave Net和trireme等
资源规范
apiVersion: networking.k8s.io/v1 #资源隶属的API群组及版本号
kind: NetworkPolicy #资源类型的名称,名称空间级别资源
metadata: #资源元数据
name <string> #资源名称标识
namespace <string> #NetworkPolicy是名称空间级别的资源
spec: #期望的状态
podSelector <Object> #当前规则生效的同一名称空间中的一组目标Pod对象,必选字段;
#空值表示当前名称空间中的所有Pod资源
policyTypes <[]string> #Ingress表示生效ingress字段;Egress表示生效
# egress字段,同时提供表示二者均有效
ingress <[]Object> #入站流量源端点对象列表,白名单,空值表示“所有”
- from <[]Object> #具体的端点对象列表,空值表示所有合法端点
- ipBlock <Object> # IP地址块范围内的端点,不能与另外两个字段同时使用
- namespaceSelector <Object> #匹配的名称空间内的端点
podSelector <Object> # 由Pod标签选择器匹配到的端点,空值表示<none>
ports <[]Object> #具体的端口对象列表,空值表示所有合法端口
egress <[]Object> #出站流量目标端点对象列表,白名单,空值表示“所有”
- to <[]Object> #具体的端点对象列表,空值表示所有合法端点,格式同ingress.from;
ports <[]Object> #具体的端口对象列表,空值表示所有合法端口
策略匹配规则为
1.规则之间不区分前后次序与权重
2.多条规则取并集,以最大允许权限为最优匹配(任一规则放行即放行)
#测试在default名称空间下访问dev名称空间
[root@k8s-master Network]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deployment-demo-fb544c5d8-r7pc8 1/1 Running 0 28h 192.168.51.1 k8s-node3 <none> <none>
deployment-demo-fb544c5d8-splfr 1/1 Running 0 28h 192.168.12.1 k8s-node2 <none> <none>
[root@k8s-master ~]# kubectl get pod -o wide -n dev
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deployment-demo-867c7d9d55-kzctj 1/1 Running 0 134m 192.168.51.4 k8s-node3 <none> <none>
deployment-demo-867c7d9d55-l88qg 1/1 Running 0 134m 192.168.12.2 k8s-node2 <none> <none>
#default名称空间访问 dev名称空间pod 默认是可以相互通信的
[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
- 为所有名称空间打上标签
[root@k8s-master Network]# kubectl label ns default name=default
namespace/default labeled
[root@k8s-master Network]# kubectl label ns kube-system name=kube-system
namespace/kube-system labeled
[root@k8s-master Network]# kubectl get ns --show-labels
NAME STATUS AGE LABELS
default Active 3d9h name=default
dev Active 45h name=dev
kube-node-lease Active 3d9h name=kube-node-lease
kube-public Active 3d9h name=kube-public
kube-system Active 3d9h name=kube-system
test Active 38h name=test
......
示例1:禁止所有入站流量规则
- NetworkPolicy 为K8S标准资源。为了说明策略会以最大允许权限为最优匹配,先添加一条默认拒绝所有流量的策略
[root@k8s-master Network]# cat netpol-dev-denyall.yaml
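apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  # Empty podSelector: the policy applies to every Pod in the dev namespace.
  podSelector: {}
  # Naming both types while supplying NO ingress/egress rule lists is the
  # canonical "default deny": nothing is whitelisted, so every inbound and
  # outbound packet of the selected Pods is dropped.
  policyTypes: ["Ingress", "Egress"]
  # NOTE: the original manifest also carried
  #   ingress: [ { from: [ { podSelector: {} } ] } ]
  #   egress:  [ { to:   [ { podSelector: {} } ] } ]
  # on the assumption that an empty podSelector means "none". Inside a
  # from/to entry an empty podSelector matches ALL Pods of the policy's own
  # namespace, so dev<->dev traffic stayed open; `kubectl describe` prints it
  # as "PodSelector: <none>", which hides that. Omitting the rule lists
  # closes the gap without changing the cross-namespace result shown below.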
[root@k8s-master Network]# kubectl apply -f netpol-dev-denyall.yaml
#测试在default、dev名称空间下相互连通性
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
--- 192.168.12.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
#所有流量访问失败
示例2: 创建NetworkPolicy2 放行dev名称空间
- 规则1:标签匹配的名称空间所有流量都能访问dev下所有Pod;
- 规则2:除了default名称空间,其它所有名称空间都可以访问dev下的 80端口
- 组合使用时,会以最大允许权限为最优匹配权限
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  # Governs only the dev Pods labelled app=demoapp.
  podSelector:
    matchLabels:
      app: demoapp
  # Inbound only; egress is not touched by this object.
  policyTypes: ["Ingress"]
  ingress:
    # Rule 1: any port, from Pods in namespaces whose name label is one of
    # these. default is intentionally absent.
    - from:
        - namespaceSelector:
            matchExpressions:
              - key: name
                operator: In
                values: [dev, kube-system, logs, monitoring, kubernetes-dashboard]
        # - ipBlock:              # uncomment to also admit this CIDR
        #     cidr: 192.168.0.0/16
    # Rule 2: TCP/80 only, from every namespace whose name label is not
    # "default". NOTE: NotIn also matches namespaces that carry no name
    # label at all, so keep every namespace labelled (see the kubectl label
    # step above).
    - from:
        - namespaceSelector:
            matchExpressions:
              - { key: name, operator: NotIn, values: ["default"] }
      ports:
        - protocol: TCP
          port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
[root@k8s-master Network]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
demoapp-ingress app=demoapp 38h
deny-all-ingress <none> 8h
[root@k8s-master Network]# kubectl describe netpol demoapp-ingress -n dev
Name: demoapp-ingress
Namespace: dev
Created on: 2021-08-31 17:31:59 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=demoapp
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
NamespaceSelector: name in (dev,kube-system,kubernetes-dashboard,logs,monitoring)
----------
To Port: 80/TCP
From:
NamespaceSelector: name notin (default)
Not affecting egress traffic
Policy Types: Ingress
- 在default名称空间下访问dev名称空间
- 80端口测试 依然无法访问 没有匹配到符合规则的条目
[root@k8s-master ~]# kubectl exec deployment-demo-fb544c5d8-splfr -it -- /bin/sh
[root@deployment-demo-fb544c5d8-splfr /]# curl 192.168.12.2
#失败
#ping测试失败 没有符合规则的条目
[root@deployment-demo-fb544c5d8-splfr /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
- 规则1中添加default名称空间访问权限
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  # Governs only the dev Pods labelled app=demoapp.
  podSelector:
    matchLabels:
      app: demoapp
  # Inbound only.
  policyTypes: ["Ingress"]
  ingress:
    # Rule 1: any port, from the listed namespaces. default is now included,
    # which is what makes both curl and ping from default succeed.
    - from:
        - namespaceSelector:
            matchExpressions:
              - key: name
                operator: In
                values: [dev, kube-system, logs, monitoring, kubernetes-dashboard, default]
        # - ipBlock:              # uncomment to also admit this CIDR
        #     cidr: 192.168.0.0/16
    # Rule 2: TCP/80 from every namespace except default. Rules are ORed, so
    # with default already admitted by rule 1 this exclusion no longer
    # restricts anything; it only matters for namespaces rule 1 omits.
    - from:
        - namespaceSelector:
            matchExpressions:
              - { key: name, operator: NotIn, values: ["default"] }
      ports:
        - protocol: TCP
          port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
#测试在default名称空间下访问dev名称空间
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
64 bytes from 192.168.12.2: seq=0 ttl=62 time=2.563 ms
64 bytes from 192.168.12.2: seq=1 ttl=62 time=0.758 ms
64 bytes from 192.168.12.2: seq=2 ttl=62 time=0.726 ms
64 bytes from 192.168.12.2: seq=3 ttl=62 time=0.457 ms
- 以上规则1匹配到的最大权限为最优匹配权限,default名称空间拥有对dev下所有流量的访问权限
- 规则1中删除default名称空间 规则2中default名称空间更改为logs
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  # Governs only the dev Pods labelled app=demoapp.
  podSelector:
    matchLabels:
      app: demoapp
  # Inbound only.
  policyTypes: ["Ingress"]
  ingress:
    # Rule 1: any port, from namespaces labelled name=dev, name=kube-system,
    # etc. default is not in the list again.
    - from:
        - namespaceSelector:
            matchExpressions:
              - key: name
                operator: In
                values: [dev, kube-system, logs, monitoring, kubernetes-dashboard]
        # - ipBlock:              # uncomment to also admit this CIDR
        #     cidr: 192.168.0.0/16
    # Rule 2: TCP/80 from every namespace except logs. default therefore
    # reaches port 80 (curl works) but nothing else (ping fails), because no
    # rule admits ICMP from default. NotIn also matches namespaces without a
    # name label.
    - from:
        - namespaceSelector:
            matchExpressions:
              - { key: name, operator: NotIn, values: ["logs"] }
      ports:
        - protocol: TCP
          port: 80
- 测试在default名称空间下访问dev名称空间
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
--- 192.168.12.2 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
- ping 失败因为没有匹配的规则条目,curl 匹配到了规则2 只要非logs名称空间的都可以访问80端口
示例3:出站流量规则
[root@k8s-master Network]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
demoapp-egress app=demoapp 104s
deny-all-ingress <none> 2d11h
#查看dev NetworkPolicy
[root@k8s-master Network]# kubectl describe netpol deny-all-ingress -n dev
Name: deny-all-ingress
Namespace: dev
Created on: 2021-09-01 23:34:49 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
PodSelector: <none>
Allowing egress traffic:
To Port: <any> (traffic allowed to all ports)
To:
PodSelector: <none>
Policy Types: Ingress, Egress
[root@k8s-master Network]# kubectl get pod -n dev
NAME READY STATUS RESTARTS AGE
deployment-demo-867c7d9d55-kzctj 1/1 Running 0 3d21h
deployment-demo-867c7d9d55-l88qg 1/1 Running 0 3d21h
[root@k8s-master ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deployment-demo-fb544c5d8-r7pc8 1/1 Running 0 4d23h 192.168.51.1 k8s-node3 <none> <none>
deployment-demo-fb544c5d8-splfr 1/1 Running 0 4d23h 192.168.12.1 k8s-node2 <none> <none>
- 在dev名称空间下访问default名称空间
[root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
^C
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
^C
[root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1
PING 192.168.51.1 (192.168.51.1): 56 data bytes
^C
--- 192.168.51.1 ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
^C
- 所有出站流量都失败
- 新建出站策略
[root@k8s-master Network]# cat netpol-dev-demoapp-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-egress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp
  # Outbound only.
  policyTypes: ["Egress"]
  egress:
    # Rule 1: DNS. An empty "to" means any destination, limited to UDP/53.
    - to:
      ports:
        - protocol: UDP
          port: 53
    # Rule 2: TCP/6379 to Pods labelled app=redis. Separate egress rules are
    # ORed and so are the peers inside one "to" list; the selectors inside a
    # single peer, and "to" together with "ports", are ANDed.
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
    # Rule 3: TCP/80 to any destination. The commented-out podSelector would
    # narrow this to app=demoapp Pods in dev only -- a podSelector without a
    # namespaceSelector never matches Pods of another namespace, which is why
    # enabling it broke the curl to the default-namespace Pod.
    - to:
      # - podSelector:
      #     matchLabels:
      #       app: demoapp
      ports:
        - protocol: TCP
          port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-egress.yaml
networkpolicy.networking.k8s.io/demoapp-egress created
[root@k8s-master Network]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
demoapp-egress app=demoapp 20m
deny-all-ingress <none> 2d12h
[root@k8s-master Network]# kubectl describe netpol demoapp-egress -n dev
Name: demoapp-egress
Namespace: dev
Created on: 2021-09-04 12:35:07 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=demoapp
Not affecting ingress traffic
Allowing egress traffic:
To Port: 53/UDP
To: <any> (traffic not restricted by source)
----------
To Port: 6379/TCP
To:
PodSelector: app=redis
----------
To Port: 80/TCP
To: <any> (traffic not restricted by source)
Policy Types: Egress
- 再次测试出站访问 在dev名称空间下访问default名称空间
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1 #ping并没有放行 所以失败
PING 192.168.51.1 (192.168.51.1): 56 data bytes
^C
--- 192.168.51.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
Server: 10.96.0.10
Address: 10.96.0.10#53
示例4:合并出入站流量控制
[root@k8s-master Network]# cat netpol-stage-default.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default
  namespace: dev
spec:
  # Applies to every Pod in dev.
  podSelector: {}
  # Both directions are controlled by this single object.
  policyTypes: ["Ingress", "Egress"]
  ingress:
    # Inbound on any port, but only from these namespaces (default is not
    # listed, so the curl from default shown below times out).
    - from:
        - namespaceSelector:
            matchExpressions:
              - key: name
                operator: In
                values: [stage, kube-system, logs, monitoring, kubernetes-dashboard]
  egress:
    # DNS to any destination.
    - to:
      ports:
        - protocol: UDP
          port: 53
    # TCP/80 to Pods labelled component=kube-apiserver inside the namespace
    # labelled name=kube-system (namespaceSelector and podSelector in the
    # same peer are ANDed).
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
          podSelector:
            matchLabels:
              component: kube-apiserver
      ports:
        - protocol: TCP
          port: 80
    # Any port to the namespace labelled name=default.
    - to:
        - namespaceSelector:
            matchLabels:
              name: default
[root@k8s-master Network]# kubectl apply -f netpol-stage-default.yaml
[root@k8s-master Network]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
default <none> 7m13s
deny-all-ingress <none> 2d14h
[root@k8s-master Network]# kubectl describe netpol default -n dev
Name: default
Namespace: dev
Created on: 2021-09-04 13:32:21 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
NamespaceSelector: name in (kube-system,kubernetes-dashboard,logs,monitoring,stage)
Allowing egress traffic:
To Port: 53/UDP
To: <any> (traffic not restricted by source)
----------
To Port: 80/TCP
To:
NamespaceSelector: name=kube-system
PodSelector: component=kube-apiserver
----------
To Port: <any> (traffic allowed to all ports)
To:
NamespaceSelector: name=default
Policy Types: Ingress, Egress
- 测试出站访问 在dev名称空间下访问default名称空间
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
Server: 10.96.0.10
Address: 10.96.0.10#53
Name: kube-dns.kube-system.svc.cluster.local
Address: 10.96.0.10
# 测试入站访问 在default名称空间下访问dev名称空间
[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4
GlobalNetworkPolicy全局访问策略
calico自定义资源类型
尽管功能上日渐丰富,但k8s自己的NetworkPolicy资源仍然具有相当的局限性,例如它没有明确的拒绝规则、缺乏对选择器高级表达式的支持、不支持应用层规则,以及没有集群范围的网络策略等。为了解决这些限制,Calico等提供了自有的策略CRD,包括NetworkPolicy和GlobalNetworkPolicy等,其中的NetworkPolicy CRD比 Kubernetes NetworkPolicy
API提供了更大的功能集,包括支持拒绝规则、规则解析级别以及应用层规则等,但相关的规则需要由calicoctl创建。
GlobalNetworkPolicy支持使用selector、serviceAccountSelector或namespaceSelector来选定网络策略的生效范围,默认为all(),即集群的所有端点。下面的配置清单示例(globalnetworkpolicy-demo.yaml)为非系统类名称空间(本示例假设有kube-system、kubernetes-dashboard、logs和monitoring这4个)定义了一个通用的网络策略。
资源规范:
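apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: namespaces-default
spec:
  # Order in which overlapping policies are applied: lower applies first,
  # and on conflict the later one overrides the earlier.
  order: 0.0
  # Target: every endpoint outside the listed system namespaces. Calico's
  # "not in" also matches namespaces that carry no name label at all.
  # (Fixed from the original: a stray leading space inside the quoted
  # values " kubernetes-dashboard" / " logs" would never match a real label.)
  namespaceSelector: name not in {"kube-system", "kubernetes-dashboard", "logs", "monitoring"}
  types: ["Ingress", "Egress"]
  ingress:
    # Allow-list: the targets may be reached on any port from every endpoint
    # in the system namespaces below.
    - action: Allow
      source:
        namespaceSelector: name in {"kube-system", "kubernetes-dashboard", "logs", "monitoring"}
  egress:
    # All outbound traffic is permitted.
    - action: Allow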
[root@k8s-master Network]# kubectl api-resources #查看资源类型
NAME SHORTNAMES APIGROUP NAMESPACED KIND
......
bgpconfigurations crd.projectcalico.org false BGPConfiguration
bgppeers crd.projectcalico.org false BGPPeer
blockaffinities crd.projectcalico.org false BlockAffinity
clusterinformations crd.projectcalico.org false ClusterInformation
felixconfigurations crd.projectcalico.org false FelixConfiguration
globalnetworkpolicies crd.projectcalico.org false GlobalNetworkPolicy
globalnetworksets crd.projectcalico.org false GlobalNetworkSet
hostendpoints crd.projectcalico.org false HostEndpoint
ipamblocks crd.projectcalico.org false IPAMBlock
ipamconfigs crd.projectcalico.org false IPAMConfig
ipamhandles crd.projectcalico.org false IPAMHandle
ippools crd.projectcalico.org false IPPool
kubecontrollersconfigurations crd.projectcalico.org false KubeControllersConfiguration
networkpolicies crd.projectcalico.org true NetworkPolicy
networksets crd.projectcalico.org true NetworkSet
示例5: 创建 GlobalNetworkPolicy Ingress、Egress
[root@k8s-master Network]# kubectl get netpol -n dev #记得先把之前创建的NetworkPolicy全部删除
No resources found in dev namespace.
[root@k8s-master Network]# cat globalnetworkpolicy-demo.yaml
apiVersion: projectcalico.org/v3
# Calico CRD; cluster-scoped, so it belongs to no namespace.
kind: GlobalNetworkPolicy
metadata:
  name: namespaces-default
spec:
  # Precedence among overlapping Calico policies (lower applies first).
  order: 0.0
  # Endpoints this policy governs: every namespace except the five listed
  # (on this cluster that includes default and test, and would also include
  # any namespace that has no name label at all).
  namespaceSelector: name not in { "kube-system","kubernetes-dashboard","logs","monitoring","dev"}
  types: ["Ingress","Egress"]
  ingress:
    # Calico rules carry an explicit action (Kubernetes NetworkPolicy has no
    # deny equivalent). Inbound is admitted only from the five namespaces
    # below, which is why test -> default fails while dev -> default works.
    - action: Allow
      source:
        namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}
  egress:
    # Every outbound flow from the governed endpoints is permitted.
    - action: Allow
[root@k8s-master Network]# calicoctl apply -f globalnetworkpolicy-demo.yaml
Successfully applied 1 'GlobalNetworkPolicy' resource(s)
[root@k8s-master Network]# calicoctl get GlobalNetworkPolicy
NAME
namespaces-default
[root@k8s-master Network]# calicoctl get GlobalNetworkPolicy -o yaml
apiVersion: projectcalico.org/v3
items:
- apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
creationTimestamp: "2021-09-04T06:06:50Z"
name: namespaces-default
resourceVersion: "1214207"
uid: 94d3fa70-c7c3-4333-a926-2656ada9d8e7
spec:
egress:
- action: Allow
destination: {}
source: {}
ingress:
- action: Allow
destination: {}
source:
namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}
namespaceSelector: name not in { "kube-system","kubernetes-dashboard","logs","monitoring","dev"}
order: 0
types:
- Ingress
- Egress
kind: GlobalNetworkPolicyList
metadata:
resourceVersion: "1216067"
- 测试test名称空间访问default名称空间
[root@k8s-master Network]# kubectl get pod -n test
NAME READY STATUS RESTARTS AGE
deployment-demo-867c7d9d55-72p8r 1/1 Running 0 2d16h
deployment-demo-867c7d9d55-8pf7z 1/1 Running 0 2d16h
[root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-72p8r -n test -it -- /bin/sh
[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
^C
[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
^C
- 策略没有包含test名称空间 访问失败
- 测试dev名称空间访问default名称空间
[root@k8s-master ~]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
- 删除globalNetworkPolicy不然会影响后续测试
[root@k8s-master Ingress]# kubectl get globalNetworkPolicy
NAME AGE
default.namespaces-default 7d22h
[root@k8s-master Ingress]# kubectl delete globalNetworkPolicy default.namespaces-default
globalnetworkpolicy.crd.projectcalico.org "default.namespaces-default" deleted