乐趣区

关于kubernetes:17kubernetes笔记-CNI网络插件三-Calico-NetworkPolicy流量管理

NetworkPolicy 简介

  • 咱们常常须要按租户进行网络隔离,k8s 提供了 networkpolicy 来定义网络策略,从而实现网络隔离以满足租户隔离及局部租户下业务隔离等。Network Policy 提供了基于策略的网络管制,用于隔离利用并缩小攻击面。它应用标签选择器模仿传统的分段网络,并通过策略管制它们之间的流量以及来自内部的流量。但这个 networkpolicy 须要有第三方外接网络插件的反对,如 Calico、Romana、Weave Net 和 trireme 等

资源标准

apiVersion: networking.k8s.io/v1 #资源附属的 API 群组及版本号
kind: NetworkPolicy #资源类型的名称, 名称空间级别资源
metadata: #资源元数据 
  name <string> #资源名称标识
  namespace <string>  #NetworkPolicy 是名称空间级别的资源
spec:# 冀望的状态
  podSelector <Object>  #以后规定失效的同一名称空间中的一组指标 Pod 对象,必选字段;
                         #空值示意以后名称空间中的所有 Pod 资源
  policyTypes<[]string> #Ingress 示意失效 ingress 字段;Egress 示意失效
                        # egress 字段, 同时提供示意二者均无效
  ingress <[]0bject># 入站流量源端点对象列表,白名单,空值示意“所有”- from <[jobject> #具体的端点对象列表,空值示意所有非法端点
    - ipBlock <0bject> # IP 地址块范畴内的端点,不能与另外两个字段同时应用
    - namespaceSelector <0bject># 匹配的名称空间内的端点
      podSelector <Object># 由 Pod 标签选择器匹配到的端点,空值示意 <none>
    ports <[ ]0bject># 具体的端口对象列表, 空值示意所有非法端口
  engress,<[jobject> #出站流量指标端点对象列表,白名单, 空值示意“所有”- to <[]0bject> #具体的端点对象列表,空值示意所有非法端点,格局同 ingres.from;
    ports <[j0bject> #具体的端口对象列表,空值示意所有非法端口 

策略匹配规定为

1. 不辨别规定前后秩序与权重
2. 以最大容许权限为最优匹配

# 测试在 default 名称空间下拜访 dev 名称空间
[root@k8s-master Network]# kubectl get pod -o wide
NAME                              READY   STATUS    RESTARTS   AGE   IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-fb544c5d8-r7pc8   1/1     Running   0          28h   192.168.51.1   k8s-node3   <none>           <none>
deployment-demo-fb544c5d8-splfr   1/1     Running   0          28h   192.168.12.1   k8s-node2   <none>           <none>

[root@k8s-master ~]# kubectl get pod -o wide -n dev
NAME                               READY   STATUS    RESTARTS   AGE    IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-867c7d9d55-kzctj   1/1     Running   0          134m   192.168.51.4   k8s-node3   <none>           <none>
deployment-demo-867c7d9d55-l88qg   1/1     Running   0          134m   192.168.12.2   k8s-node2   <none>           <none>

#default 名称空间拜访 dev 名称空间 pod 默认是能够互相通信的

[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it  -- /bin/sh
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
  • 为所有名称空间打上标签
[root@k8s-master Network]# kubectl label ns default name=default
namespace/default labeled
[root@k8s-master Network]# kubectl label ns kube-system  name=kube-system
namespace/default kube-system

[root@k8s-master Network]# kubectl get ns --show-labels
NAME              STATUS   AGE    LABELS
default           Active   3d9h   name=default
dev               Active   45h    name=dev
kube-node-lease   Active   3d9h   name=kube-node-lease
kube-public       Active   3d9h   name=kube-public
kube-system       Active   3d9h   name=kube-system
test              Active   38h    name=test
......

示例 1:禁止所有入站流量规定

  • 创立 NetworkPolicy 为 K8S 规范资源 为了阐明 策略会以最大容许权限为最优匹配,增加一条默认回绝所有流量的策略
[root@k8s-master Network]# cat netpol-dev-denyall.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}  #空值匹配所有
  policyTypes: ["Ingress", "Egress"]  #回绝所有出站入站流量
  egress:
  - to:
    - podSelector: {} #空值为 none
  ingress:
  - from:
    - podSelector: {} #空值为 none
    
[root@k8s-master Network]# kubectl  apply -f netpol-dev-denyall.yaml 

#测试在 default、dev 名称空间下互相联通性

[root@deployment-demo-fb544c5d8-r7pc8 /]# curl  192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl  192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping  192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
--- 192.168.12.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

#所有流量拜访失败 

示例 2: 创立 NetworkPolicy2 放行 dev 名称空间

  • 规定 1: 标签匹配的名称空间所有流量都能拜访 dev 下所有 Pod;
  • 规定 2: 除了 default 名额空间, 其它所有名称空间都能够拜访 dev 下的 80 端口
  • 组合应用,会以最大容许权限为最优匹配权限
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels :
      app: demoapp   #dev 名称空间下 领有这个标签的 Pod 失效
  policyTypes: ["Ingress"]  #入站流量
  ingress: 
  - from:  #规定 1
    - namespaceSelector:    #名称空间标签匹配
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard] 
# 匹配名称空间蕴含这些标签 如:name=dev、name=kube-system 这里不蕴含 default
#    - ipBlock:           #网段匹配 以下网段的 pod 也被容许拜访
#        cidr: 192.168.0.0/16
  - from: #规定 2 只是非 default 名称空间流量拜访 80 端口都容许
    - namespaceSelector:
        matchExpressions:
        - {key: name,operator: NotIn, values: ["default"]} #回绝 defaultq 名称空间流量拜访 80 端口都容许
    ports:
    - protocol: TCP
      port: 80

[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml 
networkpolicy.networking.k8s.io/demoapp-ingress configured

[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
demoapp-ingress    app=demoapp    38h
deny-all-ingress   <none>         8h
[root@k8s-master Network]# kubectl describe netpol demoapp-ingress -n dev
Name:         demoapp-ingress
Namespace:    dev
Created on:   2021-08-31 17:31:59 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=demoapp
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: name in (dev,kube-system,kubernetes-dashboard,logs,monitoring)
    ----------
    To Port: 80/TCP
    From:
      NamespaceSelector: name notin (default)
  Not affecting egress traffic
  Policy Types: Ingress
  • 在 default 名称空间下拜访 dev 名称空间
  • 80 端口测试 仍然无法访问 没有匹配到合乎规定的条目

    [root@k8s-master ~]# kubectl exec deployment-demo-fb544c5d8-splfr -it -- /bin/sh
    
    [root@deployment-demo-fb544c5d8-splfr /]# curl 192.168.12.2
    #失败
    
    #ping 测试失败 没有合乎规定的条目
    [root@deployment-demo-fb544c5d8-splfr /]# ping  192.168.12.2
    PING 192.168.12.2 (192.168.12.2): 56 data bytes
  • 规定 1 中增加 default 名称空间拜访权限

    [root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml  
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: demoapp-ingress
    namespace: dev
    spec:
    podSelector:
      matchLabels :
        app: demoapp   #dev 名称空间下 领有这个标签的 Pod 失效
    policyTypes: ["Ingress"]  #入站流量
    ingress: 
    - from:  #规定 1
      - namespaceSelector:    #名称空间标签匹配
          matchExpressions:
          - key: name
            operator: In
            values: [dev,kube-system,logs,monitoring,kubernetes-dashboard,default]  #新增 defualt 名称空间
    #    - ipBlock:           #网段匹配 以下网段的 pod 也被容许拜访
    #        cidr: 192.168.0.0/16
    - from: #规定 2 只是是非 defaultq 名称空间流量拜访 80 端口都容许
      - namespaceSelector:
          matchExpressions:
          - {key: name,operator: NotIn, values: ["default"]} #回绝 defaultq 名称空间流量拜访 80 端口都容许
      ports:
      - protocol: TCP
        port: 80
    
    [root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml 
    networkpolicy.networking.k8s.io/demoapp-ingress configured
    
    
    
    #测试在 default 名称空间下拜访 dev 名称空间
    
    [root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
    iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
    [root@deployment-demo-fb544c5d8-r7pc8 /]# ping  192.168.12.2
  • bytes from 192.168.12.2: seq=0 ttl=62 time=2.563 ms
  • bytes from 192.168.12.2: seq=1 ttl=62 time=0.758 ms
  • bytes from 192.168.12.2: seq=2 ttl=62 time=0.726 ms
  • bytes from 192.168.12.2: seq=3 ttl=62 time=0.457 ms

  • 以上规定 1 匹配到的最大权限为优匹配权限 领有 dev 下所有流量拜访
  • 规定 1 中删除 default 名称空间 规定 2 中 default 名称空间更改为 logs
[root@k8s-master Network]# cat  netpol-dev-demoapp-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels :
      app: demoapp   #dev 名称空间下 领有这个标签的 Pod 失效
  policyTypes: ["Ingress"]  #入站流量
  ingress: 
  - from:  #规定 1
    - namespaceSelector:    #名称空间标签匹配
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard]  #匹配名称空间蕴含这些标签 如:name=dev、name=kube-system
#    - ipBlock:           #网段匹配 以下网段的 pod 也被容许拜访
#        cidr: 192.168.0.0/16
  - from: #规定 2 只是是非 defaultq 名称空间流量拜访 80 端口都容许
    - namespaceSelector:
        matchExpressions:
        - {key: name,operator: NotIn, values: ["logs"]} #回绝 defaultq 名称空间流量拜访 80 端口都容许
    ports:
    - protocol: TCP
      port: 80
  • 测试在 default 名称空间下拜访 dev 名称空间

    [root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml 
    networkpolicy.networking.k8s.io/demoapp-ingress configured
    
    [root@deployment-demo-fb544c5d8-r7pc8 /]# ping  192.168.12.2
    PING 192.168.12.2 (192.168.12.2): 56 data bytes
    ^C
  • packets transmitted, 0 packets received, 100% packet loss
    [root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
    iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
    [root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
    iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!

  • ping 失败因为没有匹配的规定条目,curl 匹配到了规定 2 只有非 logs 名称空间的都能够拜访 80 端口

示例 3:出站流量规定

[root@k8s-master Network]# kubectl get netpol -n dev 
NAME               POD-SELECTOR   AGE
demoapp-egress     app=demoapp    104s
deny-all-ingress   <none>         2d11h

#查看 dev NetworkPolicy
[root@k8s-master Network]# kubectl describe netpol deny-all-ingress -n dev  
Name:         deny-all-ingress
Namespace:    dev
Created on:   2021-09-01 23:34:49 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      PodSelector: <none>
  Allowing egress traffic:
    To Port: <any> (traffic allowed to all ports)
    To:
      PodSelector: <none>
  Policy Types: Ingress, Egress
[root@k8s-master Network]# kubectl get pod -n dev
NAME                               READY   STATUS    RESTARTS   AGE
deployment-demo-867c7d9d55-kzctj   1/1     Running   0          3d21h
deployment-demo-867c7d9d55-l88qg   1/1     Running   0          3d21h

[root@k8s-master ~]# kubectl get pod -o wide
NAME                              READY   STATUS    RESTARTS   AGE     IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-fb544c5d8-r7pc8   1/1     Running   0          4d23h   192.168.51.1   k8s-node3   <none>           <none>
deployment-demo-fb544c5d8-splfr   1/1     Running   0          4d23h   192.168.12.1   k8s-node2   <none
  • 在 dev 名称空间下拜访 default 名称空间

    [root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
    [root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
    ^C
    [root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
    ^C
    [root@deployment-demo-867c7d9d55-l88qg /]# ping  192.168.51.1
    PING 192.168.51.1 (192.168.51.1): 56 data bytes
    ^C
  • packets transmitted, 0 packets received, 100% packet loss
    [root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system

    ^C

  • 所有出站流量都失败
  • 新建出站策略

    [root@k8s-master Network]# cat netpol-dev-demoapp-egress.yaml 
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: demoapp-egress
    namespace: dev
    spec:
    podSelector:
      matchLabels:
        app: demoapp
    policyTypes: ["Egress"] #出站流量
    egress:
    - to:
      ports:
      - protocol: UDP
        port: 53
    - to:                #to 模块之间是或逻辑 to 外部是与逻辑
      - podSelector:
          matchLabels:
            app: redis   #被拜访站点标签
      ports:
      - protocol: TCP   #匹配标签为 redis  端口为 6379
        port: 6379
    - to:             #出站 80 端口
    #    - podSelector:   #标签实测中有问题 关上拜访不了
    #        matchLabels:
    #          app: demoapp
      ports:
      - protocol: TCP
        port: 80
    
    [root@k8s-master Network]# kubectl apply -f  netpol-dev-demoapp-egress.yaml 
    networkpolicy.networking.k8s.io/demoapp-egress created
    
    [root@k8s-master Network]# kubectl get netpol -n dev
    NAME               POD-SELECTOR   AGE
    demoapp-egress     app=demoapp    20m
    deny-all-ingress   <none>         2d12h
    
    [root@k8s-master Network]# kubectl describe netpol demoapp-egress -n dev
    Name:         demoapp-egress
    Namespace:    dev
    Created on:   2021-09-04 12:35:07 +0800 CST
    Labels:       <none>
    Annotations:  <none>
    Spec:
    PodSelector:     app=demoapp
    Not affecting ingress traffic
    Allowing egress traffic:
      To Port: 53/UDP
      To: <any> (traffic not restricted by source)
      ----------
      To Port: 6379/TCP
      To:
        PodSelector: app=redis
      ----------
      To Port: 80/TCP
      To: <any> (traffic not restricted by source)
    Policy Types: Egress
  • 再次测试出站拜访 在 dev 名称空间下拜访 default 名称空间

    [root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
    iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
    [root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
    iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
    [root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1   #ping 并没有放行 所以失败
    PING 192.168.51.1 (192.168.51.1): 56 data bytes
    ^C
  • packets transmitted, 0 packets received, 100% packet loss
    [root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
    Server: 10.96.0.10
    Address: 10.96.0.10#53

示例 4:合并出入站流量管制

[root@k8s-master Network]# cat netpol-stage-default.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default
  namespace: dev
spec:
  podSelector: {}
  policyTypes: ["Ingress" , "Egress"]   #出入站流量策略
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key : name
          operator: In
          values: [stage,kube-system,logs ,monitoring,kubernetes-dashboard]  #不蕴含 default 名称空间
  egress:
  - to:
    ports:
    - protocol: UDP
      port: 53
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          component: kube-apiserver
    ports:
    - protocol: TCP
      port: 80
  - to:
    - namespaceSelector:
        matchLabels:
          name: default   #容许 default 所有出站流量

[root@k8s-master Network]# kubectl apply -f  netpol-stage-default.yaml

[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
default            <none>         7m13s
deny-all-ingress   <none>         2d14h
[root@k8s-master Network]# kubectl describe netpol default -n dev
Name:         default
Namespace:    dev
Created on:   2021-09-04 13:32:21 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: name in (kube-system,kubernetes-dashboard,logs,monitoring,stage)
  Allowing egress traffic:
    To Port: 53/UDP
    To: <any> (traffic not restricted by source)
    ----------
    To Port: 80/TCP
    To:
      NamespaceSelector: name=kube-system
      PodSelector: component=kube-apiserver
    ----------
    To Port: <any> (traffic allowed to all ports)
    To:
      NamespaceSelector: name=default
  Policy Types: Ingress, Egress
  • 测试出站拜访 在 dev 名称空间下拜访 default 名称空间

    [root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
    iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
    [root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
    iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
    [root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
    Server:        10.96.0.10
    Address:    10.96.0.10#53
    
    Name:    kube-dns.kube-system.svc.cluster.local
    Address: 10.96.0.10
    
    # 测试入站拜访 在 defaule 名称空间下拜访 dev 名称空间
    
    [root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh
    ^C
    [root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4
    ^C
    [root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4

    GlobalNetworkPolicy 全局拜访策略

    calico 自定义资源类型

只管性能上日渐丰盛,但 k8s 本人的 NetworkPolicy 资源依然具备相当的局限性,例如它没有明确的回绝规定、不足对选泽器高级表达式的反对、不反对应用层规,以及没有集群范畴的网络策略等,为了解决这些限度,Calico 等提供了自有的策略 CRD,包含 NetworkPolicy 和 GlobalNetworkPolicy 等,其中的 NetworkPolicy CRD 比 tKubernetes NetworkPolicy
API 提供了更大的功能集,包含反对回绝规定、规定解析级别以及应用层规定等,但相干的规定须要由 Calicoctl 创立。

GlobalNetworkPolicy 反对应用 selector、serviceAccountSelector 或 namespaceSelector 来选定网络策略的失效范畴, 默认为 all(), 且集群的所有端点。上面的配置清单示例(globalnetworkpolicy-demo.yaml) 为非零碎类名称空间 (本示例假没有 kube-system、kubernetes-dashboard、logs 和 monitoring 这 4 个)定义了一个通用的网络策略。

资源标准:

apiversion: projectcalico.org/v3
kind: GlobalietworkPolicy
metadata:
  name: namespaces-default
spec:
   order: 0.0 #策略叠加时的利用秩序,数字越小越先利用,抵触时,后者会笼罩前者 #策略利用指标为非指定名称空间中的所有端点
namespaceSelector: name not in {"kube-system" , "kubernetes-dashboard" , "logs" , "monitoring"}
  types:["Ingress", "Egress"]
  
  ingress:  #入站流量规定
  - action: Allow  #白名单
    source: #策略失效指标中的端点可由上面零碎名称空间中每个源端点拜访任意端口
      namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring"}
  egress:  #出站流量规定
  -action: Aliow  #容许所有 
[root@k8s-master Network]# kubectl api-resources  #查看资源类型
NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND
......
bgpconfigurations                              crd.projectcalico.org          false        BGPConfiguration
bgppeers                                       crd.projectcalico.org          false        BGPPeer
blockaffinities                                crd.projectcalico.org          false        BlockAffinity
clusterinformations                            crd.projectcalico.org          false        ClusterInformation
felixconfigurations                            crd.projectcalico.org          false        FelixConfiguration
globalnetworkpolicies                          crd.projectcalico.org          false        GlobalNetworkPolicy
globalnetworksets                              crd.projectcalico.org          false        GlobalNetworkSet
hostendpoints                                  crd.projectcalico.org          false        HostEndpoint
ipamblocks                                     crd.projectcalico.org          false        IPAMBlock
ipamconfigs                                    crd.projectcalico.org          false        IPAMConfig
ipamhandles                                    crd.projectcalico.org          false        IPAMHandle
ippools                                        crd.projectcalico.org          false        IPPool
kubecontrollersconfigurations                  crd.projectcalico.org          false        KubeControllersConfiguration
networkpolicies                                crd.projectcalico.org          true         NetworkPolicy
networksets                                    crd.projectcalico.org          true         NetworkSet

示例 5: 创立 GlobalNetworkPolicy Ingress、Egress

[root@k8s-master Network]# kubectl get netpol -n dev    #- 记得清空之前的 NetworkPolicy 全副删除
No resources found in dev namespace.
[root@k8s-master Network]# cat globalnetworkpolicy-demo.yaml 
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy  #calico 资源  全局不属于任何名称空间
metadata:
  name: namespaces-default
spec:
  order: 0.0   #优先级
  namespaceSelector: name not in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}  #失效的名称空间
  types: ["Ingress","Egress"]
  ingress:
  - action: Allow  #容许 NetworkPolicy 没有回绝策略
    source:
      namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}  #默认来自这些名称空间的流量都是容许的
  egress :
  - action: Allow   #默认能够拜访所有出站流量

[root@k8s-master Network]# calicoctl  apply -f globalnetworkpolicy-demo.yaml 
Successfully applied 1 'GlobalNetworkPolicy' resource(s)

[root@k8s-master Network]# calicoctl  get GlobalNetworkPolicy
NAME                 
namespaces-default 
[root@k8s-master Network]# calicoctl  get GlobalNetworkPolicy -o yaml
apiVersion: projectcalico.org/v3
items:
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    creationTimestamp: "2021-09-04T06:06:50Z"
    name: namespaces-default
    resourceVersion: "1214207"
    uid: 94d3fa70-c7c3-4333-a926-2656ada9d8e7
  spec:
    egress:
    - action: Allow
      destination: {}
      source: {}
    ingress:
    - action: Allow
      destination: {}
      source:
        namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}
    namespaceSelector: name not in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}
    order: 0
    types:
    - Ingress
    - Egress
kind: GlobalNetworkPolicyList
metadata:
  resourceVersion: "1216067"
  • 测试 test 名称空间拜访 default 名称空间

    [root@k8s-master Network]# kubectl get pod -n test
    NAME                               READY   STATUS    RESTARTS   AGE
    deployment-demo-867c7d9d55-72p8r   1/1     Running   0          2d16h
    deployment-demo-867c7d9d55-8pf7z   1/1     Running   0          2d16h
    
    [root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-72p8r -n test -it -- /bin/sh
    [root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
    ^C
    [root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
    
    ^C
  • 策略没有蕴含 test 名称空间 拜访失败
  • 测试 dev 名称空间拜访 default 名称空间
[root@k8s-master ~]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
  • 删除 globalNetworkPolicy 不然会影响后续测试

    [root@k8s-master Ingress]# kubectl get globalNetworkPolicy
    NAME                         AGE
    default.namespaces-default   7d22h
    [root@k8s-master Ingress]# kubectl delete   globalNetworkPolicy  default.namespaces-default
    globalnetworkpolicy.crd.projectcalico.org "default.namespaces-default" deleted
退出移动版