Introduction to NetworkPolicy
- Network isolation per tenant is a common requirement. Kubernetes provides NetworkPolicy for defining network policies, which gives tenant isolation as well as isolation between workloads inside one tenant. NetworkPolicy offers policy-based network control that isolates applications and reduces the attack surface: it uses label selectors to emulate traditional segmented networks, and controls the traffic between those segments and from outside through policies. NetworkPolicy only takes effect with a third-party network plugin that supports it, such as Calico, Romana, Weave Net or Trireme.
Resource specification
apiVersion: networking.k8s.io/v1   # API group and version the resource belongs to
kind: NetworkPolicy                # resource kind; a namespace-scoped resource
metadata:                          # resource metadata
  name <string>                    # resource name
  namespace <string>               # NetworkPolicy is namespace-scoped
spec:                              # desired state
  podSelector <Object>             # the target Pods in this namespace the rules apply to; required;
                                   # an empty value means every Pod in this namespace
  policyTypes <[]string>           # "Ingress" activates the ingress field, "Egress" activates the
                                   # egress field; listing both activates both
  ingress <[]Object>               # whitelist of inbound traffic sources; empty means "all"
  - from <[]Object>                # list of peer objects; empty means every legal peer
    - ipBlock <Object>             # peers inside an IP block; cannot be combined with the other two fields
    - namespaceSelector <Object>   # peers in the namespaces matched by the selector
      podSelector <Object>         # peers matched by the Pod label selector; an empty value is shown as <none>
    ports <[]Object>               # list of port objects; empty means every legal port
  egress <[]Object>                # whitelist of outbound traffic destinations; empty means "all"
  - to <[]Object>                  # list of peer objects; empty means every legal peer; same format as ingress.from
    ports <[]Object>               # list of port objects; empty means every legal port
Policy matching rules:
1. Rules have no ordering and no weights
2. The most permissive match wins
# Test: access the dev namespace from the default namespace
[root@k8s-master Network]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deployment-demo-fb544c5d8-r7pc8 1/1 Running 0 28h 192.168.51.1 k8s-node3 <none> <none>
deployment-demo-fb544c5d8-splfr 1/1 Running 0 28h 192.168.12.1 k8s-node2 <none> <none>
[root@k8s-master ~]# kubectl get pod -o wide -n dev
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deployment-demo-867c7d9d55-kzctj 1/1 Running 0 134m 192.168.51.4 k8s-node3 <none> <none>
deployment-demo-867c7d9d55-l88qg 1/1 Running 0 134m 192.168.12.2 k8s-node2 <none> <none>
# By default, Pods in the default namespace and Pods in the dev namespace can talk to each other
[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
- Label every namespace
[root@k8s-master Network]# kubectl label ns default name=default
namespace/default labeled
[root@k8s-master Network]# kubectl label ns kube-system name=kube-system
namespace/default kube-system
[root@k8s-master Network]# kubectl get ns --show-labels
NAME STATUS AGE LABELS
default Active 3d9h name=default
dev Active 45h name=dev
kube-node-lease Active 3d9h name=kube-node-lease
kube-public Active 3d9h name=kube-public
kube-system Active 3d9h name=kube-system
test Active 38h name=test
......
Example 1: deny all ingress traffic
- NetworkPolicy is a standard Kubernetes resource. To show that the most permissive matching rule wins, first add a policy that denies all traffic by default.
[root@k8s-master Network]# cat netpol-dev-denyall.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}                        # empty selector: applies to every Pod in dev
  policyTypes: ["Ingress", "Egress"]     # both inbound and outbound traffic are restricted
  egress:
  - to:
    - podSelector: {}                    # {} is an empty selector: it matches every Pod in this namespace, not none
                                         # (kubectl describe prints it as <none>); traffic to other namespaces is blocked
  ingress:
  - from:
    - podSelector: {}                    # likewise: only Pods in dev may still reach these Pods
[root@k8s-master Network]# kubectl apply -f netpol-dev-denyall.yaml
# Test connectivity between the default and dev namespaces
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
--- 192.168.12.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
# All traffic fails
Example 2: create a second NetworkPolicy that admits the dev namespace
- Rule 1: all traffic from the namespaces matched by the label may reach every Pod in dev;
- Rule 2: every namespace except default may reach port 80 in dev
- When the rules are combined, the most permissive match wins
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp                       # applies to the Pods in dev that carry this label
  policyTypes: ["Ingress"]               # inbound traffic
  ingress:
  - from:                                # rule 1
    - namespaceSelector:                 # match namespaces by label
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard]
          # namespaces carrying one of these labels, e.g. name=dev or name=kube-system; default is not included
    # - ipBlock:                         # CIDR match: Pods in this range would also be admitted
    #     cidr: 192.168.0.0/16
  - from:                                # rule 2: traffic from any namespace other than default may reach port 80
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: ["default"]}   # excludes the default namespace; everyone else gets port 80
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
[root@k8s-master Network]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
demoapp-ingress app=demoapp 38h
deny-all-ingress <none> 8h
[root@k8s-master Network]# kubectl describe netpol demoapp-ingress -n dev
Name: demoapp-ingress
Namespace: dev
Created on: 2021-08-31 17:31:59 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=demoapp
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
NamespaceSelector: name in (dev,kube-system,kubernetes-dashboard,logs,monitoring)
----------
To Port: 80/TCP
From:
NamespaceSelector: name notin (default)
Not affecting egress traffic
Policy Types: Ingress
- Access the dev namespace from the default namespace
- Port 80 test: still unreachable, because no rule entry matches
[root@k8s-master ~]# kubectl exec deployment-demo-fb544c5d8-splfr -it -- /bin/sh
[root@deployment-demo-fb544c5d8-splfr /]# curl 192.168.12.2   # fails
# ping also fails: no rule entry matches
[root@deployment-demo-fb544c5d8-splfr /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
- Add the default namespace to rule 1
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp                       # applies to the Pods in dev that carry this label
  policyTypes: ["Ingress"]               # inbound traffic
  ingress:
  - from:                                # rule 1
    - namespaceSelector:                 # match namespaces by label
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard,default]   # default namespace added
    # - ipBlock:                         # CIDR match: Pods in this range would also be admitted
    #     cidr: 192.168.0.0/16
  - from:                                # rule 2: traffic from any namespace other than default may reach port 80
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: ["default"]}   # excludes the default namespace; everyone else gets port 80
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
# Test: access the dev namespace from the default namespace
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
bytes from 192.168.12.2: seq=0 ttl=62 time=2.563 ms
bytes from 192.168.12.2: seq=1 ttl=62 time=0.758 ms
bytes from 192.168.12.2: seq=2 ttl=62 time=0.726 ms
bytes from 192.168.12.2: seq=3 ttl=62 time=0.457 ms
- Rule 1 is now the most permissive match, so it grants all traffic into dev
- Remove default from rule 1, and change default in rule 2 to logs
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp                       # applies to the Pods in dev that carry this label
  policyTypes: ["Ingress"]               # inbound traffic
  ingress:
  - from:                                # rule 1
    - namespaceSelector:                 # match namespaces by label
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard]   # namespaces carrying one of these labels, e.g. name=dev or name=kube-system
    # - ipBlock:                         # CIDR match: Pods in this range would also be admitted
    #     cidr: 192.168.0.0/16
  - from:                                # rule 2: traffic from any namespace other than logs may reach port 80
    - namespaceSelector:
        matchExpressions:
        - {key: name, operator: NotIn, values: ["logs"]}   # excludes the logs namespace; everyone else gets port 80
    ports:
    - protocol: TCP
      port: 80
- Test: access the dev namespace from the default namespace
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml
networkpolicy.networking.k8s.io/demoapp-ingress configured
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping 192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
- ping fails because no rule entry matches it; curl matched rule 2, under which every namespace other than logs may reach port 80
Example 3: egress traffic rules
[root@k8s-master Network]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
demoapp-egress app=demoapp 104s
deny-all-ingress <none> 2d11h
# Inspect the NetworkPolicy objects in dev
[root@k8s-master Network]# kubectl describe netpol deny-all-ingress -n dev
Name: deny-all-ingress
Namespace: dev
Created on: 2021-09-01 23:34:49 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
PodSelector: <none>
Allowing egress traffic:
To Port: <any> (traffic allowed to all ports)
To:
PodSelector: <none>
Policy Types: Ingress, Egress
[root@k8s-master Network]# kubectl get pod -n dev
NAME READY STATUS RESTARTS AGE
deployment-demo-867c7d9d55-kzctj 1/1 Running 0 3d21h
deployment-demo-867c7d9d55-l88qg 1/1 Running 0 3d21h
[root@k8s-master ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deployment-demo-fb544c5d8-r7pc8 1/1 Running 0 4d23h 192.168.51.1 k8s-node3 <none> <none>
deployment-demo-fb544c5d8-splfr 1/1 Running 0 4d23h 192.168.12.1 k8s-node2 <none
- Access the default namespace from the dev namespace
[root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
^C
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1
^C
[root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1
PING 192.168.51.1 (192.168.51.1): 56 data bytes
^C
packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system^C
- All outbound traffic fails
- Create an egress policy
[root@k8s-master Network]# cat netpol-dev-demoapp-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-egress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp
  policyTypes: ["Egress"]                # outbound traffic
  egress:
  - to:                                  # no destination given: UDP/53 (DNS) to anywhere
    ports:
    - protocol: UDP
      port: 53
  - to:                                  # separate rules are ORed; the fields inside one rule are ANDed
    - podSelector:
        matchLabels:
          app: redis                     # label of the destination Pods
    ports:
    - protocol: TCP                      # Pods labeled app=redis, port 6379
      port: 6379
  - to:                                  # outbound port 80
    # - podSelector:                     # enabling this selector did not work in testing; access failed
    #     matchLabels:
    #       app: demoapp
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-egress.yaml
networkpolicy.networking.k8s.io/demoapp-egress created
[root@k8s-master Network]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
demoapp-egress app=demoapp 20m
deny-all-ingress <none> 2d12h
[root@k8s-master Network]# kubectl describe netpol demoapp-egress -n dev
Name: demoapp-egress
Namespace: dev
Created on: 2021-09-04 12:35:07 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=demoapp
Not affecting ingress traffic
Allowing egress traffic:
To Port: 53/UDP
To: <any> (traffic not restricted by source)
----------
To Port: 6379/TCP
To:
PodSelector: app=redis
----------
To Port: 80/TCP
To: <any> (traffic not restricted by source)
Policy Types: Egress
- Test outbound access again: from the dev namespace to the default namespace
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1   # ping was not admitted, so it fails
PING 192.168.51.1 (192.168.51.1): 56 data bytes
^C
packets transmitted, 0 packets received, 100% packet loss
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
Server: 10.96.0.10
Address: 10.96.0.10#53
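The matching rules stated at the top of this page (no ordering or weights; the most permissive match wins) and the results of examples 1 to 3 can be reproduced offline with a small evaluator. The following is an added example written for this page, not code from the original post or from Kubernetes. It models a NetworkPolicy as a dict with the manifest's field names; the Pods, IPs and the name=<namespace> labels are constructed to mirror the cluster in the post. It also encodes a caveat the deny-all policy above glosses over: an empty podSelector inside from/to selects every Pod in the policy's own namespace, so that policy blocks cross-namespace traffic but leaves dev-to-dev traffic open.

```python
# Added example, not code from the original post: an evaluator for the Kubernetes
# NetworkPolicy matching semantics described above (unordered, additive rules; the
# union of everything any policy allows). Policies and Pods are plain dicts that
# mirror the YAML field names; every Pod and IP below is constructed.
import ipaddress


def selector_matches(selector, labels):
    """Label selector with matchLabels and matchExpressions; {} matches everything."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if (op == "Exists" and not present) or (op == "DoesNotExist" and present):
            return False
    return True


def peer_matches(peer, remote, policy_namespace):
    """One entry of a from/to list: ipBlock stands alone; podSelector and
    namespaceSelector in the same entry are ANDed; a podSelector without a
    namespaceSelector only reaches Pods in the policy's own namespace."""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(remote["ip"]), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(ex) for ex in block.get("except", []))
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and remote["namespace"] != policy_namespace:
        return False
    if ns_sel is not None and not selector_matches(ns_sel, remote["ns_labels"]):
        return False
    return pod_sel is None or selector_matches(pod_sel, remote["labels"])


def port_matches(ports, protocol, port):
    """An absent or empty ports list means every port of every protocol (ICMP too)."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port
               for p in ports)


def traffic_allowed(policies, direction, local, remote, protocol, port=None):
    """direction "Ingress": remote -> local; "Egress": local -> remote.
    Allowed if any rule of any policy selecting `local` matches (no ordering, no
    weights); if no policy selects `local` for this direction, default allow."""
    peer_key = "from" if direction == "Ingress" else "to"
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == local["namespace"]
                 and direction in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"]["podSelector"], local["labels"])]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get(direction.lower()) or []:
            peers = rule.get(peer_key) or []
            peer_ok = not peers or any(
                peer_matches(peer, remote, pol["metadata"]["namespace"]) for peer in peers)
            if peer_ok and port_matches(rule.get("ports"), protocol, port):
                return True
    return False


def pod(namespace, ip, **labels):
    """Constructed Pod record; every namespace carries name=<namespace> as in the post."""
    return {"namespace": namespace, "ip": ip, "labels": labels,
            "ns_labels": {"name": namespace}}


def netpol(name, namespace, spec):
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}


# Example 1's deny-all policy. podSelector {} inside from/to selects every Pod of the
# policy's namespace, so this blocks cross-namespace traffic only.
DENY_ALL = netpol("deny-all-ingress", "dev", {
    "podSelector": {}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"podSelector": {}}]}],
    "egress": [{"to": [{"podSelector": {}}]}]})


def demoapp_ingress(rule1_namespaces, rule2_excluded):
    """Example 2's demoapp-ingress with its two namespace lists as parameters."""
    return netpol("demoapp-ingress", "dev", {
        "podSelector": {"matchLabels": {"app": "demoapp"}}, "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"namespaceSelector": {"matchExpressions": [
                {"key": "name", "operator": "In", "values": rule1_namespaces}]}}]},
            {"from": [{"namespaceSelector": {"matchExpressions": [
                {"key": "name", "operator": "NotIn", "values": rule2_excluded}]}}],
             "ports": [{"protocol": "TCP", "port": 80}]}]})


# Example 3's demoapp-egress policy.
DEMOAPP_EGRESS = netpol("demoapp-egress", "dev", {
    "podSelector": {"matchLabels": {"app": "demoapp"}}, "policyTypes": ["Egress"],
    "egress": [
        {"to": None, "ports": [{"protocol": "UDP", "port": 53}]},
        {"to": [{"podSelector": {"matchLabels": {"app": "redis"}}}],
         "ports": [{"protocol": "TCP", "port": 6379}]},
        {"to": None, "ports": [{"protocol": "TCP", "port": 80}]}]})

DEV_APP = pod("dev", "192.168.12.2", app="demoapp")          # the dev Pod curled above
DEFAULT_APP = pod("default", "192.168.51.1", app="demoapp")  # the default Pod used as client
```

Calling traffic_allowed with DENY_ALL plus demoapp_ingress reproduces the observations above: default cannot reach dev on TCP/80 or with ping until default is added to rule 1, logs reaches any port through rule 1, and with rule 2 excluding logs instead of default, default reaches port 80 while ping still fails. With DEMOAPP_EGRESS added, dev reaches default on TCP/80 and DNS on UDP/53 but ping is still dropped, and the redis rule only matches app=redis Pods inside dev because a podSelector without a namespaceSelector is scoped to the policy's namespace. The evaluator takes policyTypes as written and ignores named ports and endPort.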
Example 4: combined ingress and egress control
[root@k8s-master Network]# cat netpol-stage-default.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default
  namespace: dev
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]     # inbound and outbound policy
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: [stage,kube-system,logs,monitoring,kubernetes-dashboard]   # the default namespace is not included
  egress:
  - to:
    ports:
    - protocol: UDP
      port: 53
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          component: kube-apiserver
    ports:
    - protocol: TCP
      port: 80
  - to:
    - namespaceSelector:
        matchLabels:
          name: default                  # allow all outbound traffic to default
[root@k8s-master Network]# kubectl apply -f netpol-stage-default.yaml
[root@k8s-master Network]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
default <none> 7m13s
deny-all-ingress <none> 2d14h
[root@k8s-master Network]# kubectl describe netpol default -n dev
Name: default
Namespace: dev
Created on: 2021-09-04 13:32:21 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: <none> (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
NamespaceSelector: name in (kube-system,kubernetes-dashboard,logs,monitoring,stage)
Allowing egress traffic:
To Port: 53/UDP
To: <any> (traffic not restricted by source)
----------
To Port: 80/TCP
To:
NamespaceSelector: name=kube-system
PodSelector: component=kube-apiserver
----------
To Port: <any> (traffic allowed to all ports)
To:
NamespaceSelector: name=default
Policy Types: Ingress, Egress
- Test outbound access: from the dev namespace to the default namespace
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
Server: 10.96.0.10
Address: 10.96.0.10#53
Name: kube-dns.kube-system.svc.cluster.local
Address: 10.96.0.10
# Test inbound access: from the default namespace to the dev namespace
[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4
GlobalNetworkPolicy: cluster-wide access policy
Calico custom resource types
Although its feature set keeps growing, the Kubernetes NetworkPolicy resource still has considerable limitations: it has no explicit deny rules, lacks support for advanced selector expressions, does not support application-layer rules, and has no cluster-scoped network policy. To overcome these limits, Calico and others provide their own policy CRDs, including NetworkPolicy and GlobalNetworkPolicy. Calico's NetworkPolicy CRD offers a larger feature set than the Kubernetes NetworkPolicy API, including deny rules, rule resolution order and application-layer rules, but these resources have to be created with calicoctl.
GlobalNetworkPolicy supports selector, serviceAccountSelector or namespaceSelector to choose the scope the policy applies to; the default is all(), i.e. every endpoint in the cluster. The manifest below (globalnetworkpolicy-demo.yaml) defines a general policy for the non-system namespaces (the example assumes four system namespaces: kube-system, kubernetes-dashboard, logs and monitoring).
Resource specification:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: namespaces-default
spec:
  order: 0.0                   # application order when policies stack: lower numbers apply first; on conflict the later one overrides the earlier
  # the policy targets every endpoint outside the namespaces listed below
  namespaceSelector: name not in {"kube-system", "kubernetes-dashboard", "logs", "monitoring"}
  types: ["Ingress", "Egress"]
  ingress:                     # inbound traffic rules
  - action: Allow              # whitelist
    source:                    # the targeted endpoints may be reached on any port from every source endpoint in the system namespaces below
      namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring"}
  egress:                      # outbound traffic rules
  - action: Allow              # allow everything
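Calico's ordered, deny-capable evaluation differs from the additive semantics of Kubernetes NetworkPolicy, and the following added example (written for this page; not Calico's code) makes that difference concrete: policies that select an endpoint are evaluated in ascending order and the first Allow or Deny rule that matches decides; if a policy of that type selects the endpoint but none of its rules match, the verdict is Deny, and if no policy selects it, traffic is allowed. It parses only the selector forms used on this page (all(), k == "v", k != "v", k in {...}, k not in {...}), ignores protocol/ports and the Pass and Log actions, and the endpoints and the extra deny-from-dev policy are constructed.

```python
# Added example, not Calico's own code: first-match evaluation of Calico-style
# GlobalNetworkPolicy objects with the selector grammar subset used on this page.
# Unlike Kubernetes NetworkPolicy, policies carry an order, rules can Deny, and the
# first matching rule decides. Endpoints and the deny-from-dev policy are constructed.
import re

_SET_RE = re.compile(r'^([\w./-]+)\s+(not in|in)\s+\{([^}]*)\}$')
_EQ_RE = re.compile(r'^([\w./-]+)\s*(==|!=)\s*["\']([^"\']*)["\']$')


def calico_selector_matches(selector, labels):
    """Evaluate one Calico selector string against a label dict; None/all() match all."""
    selector = (selector or "").strip()
    if selector in ("", "all()"):
        return True
    if m := _SET_RE.match(selector):
        key, op, body = m.groups()
        values = {v.strip().strip("\"'") for v in body.split(",") if v.strip()}
        return (labels.get(key) in values) == (op == "in")
    if m := _EQ_RE.match(selector):
        key, op, value = m.groups()
        return (labels.get(key) == value) == (op == "==")
    raise ValueError(f"unsupported selector: {selector!r}")


def entity_matches(entity, endpoint):
    """A rule's source/destination block; selector and namespaceSelector are ANDed.
    An absent block matches any endpoint."""
    entity = entity or {}
    return (calico_selector_matches(entity.get("namespaceSelector"), endpoint["ns_labels"])
            and calico_selector_matches(entity.get("selector"), endpoint["labels"]))


def evaluate(policies, direction, local, remote):
    """Return "Allow" or "Deny" for traffic at `local` ("Ingress": remote -> local,
    "Egress": local -> remote). Policies of that type selecting `local` are walked in
    ascending order; the first matching rule's action is decisive. If such policies
    exist but no rule matches, the verdict is Deny; if none selects `local`, Allow."""
    src, dst = (remote, local) if direction == "Ingress" else (local, remote)
    selected = False
    for pol in sorted(policies, key=lambda p: p["spec"].get("order", float("inf"))):
        spec = pol["spec"]
        if direction not in spec.get("types", []):
            continue
        if not (calico_selector_matches(spec.get("namespaceSelector"), local["ns_labels"])
                and calico_selector_matches(spec.get("selector"), local["labels"])):
            continue
        selected = True
        for rule in spec.get(direction.lower(), []):
            if entity_matches(rule.get("source"), src) and entity_matches(rule.get("destination"), dst):
                return rule["action"]
    return "Deny" if selected else "Allow"


def endpoint(namespace, **labels):
    """Constructed workload endpoint; namespaces carry name=<namespace> as on this page."""
    return {"labels": labels, "ns_labels": {"name": namespace}}


SYSTEM_NS = '{"kube-system","kubernetes-dashboard","logs","monitoring","dev"}'

# The page's globalnetworkpolicy-demo.yaml expressed as a dict.
NAMESPACES_DEFAULT = {"metadata": {"name": "namespaces-default"}, "spec": {
    "order": 0.0,
    "namespaceSelector": "name not in " + SYSTEM_NS,
    "types": ["Ingress", "Egress"],
    "ingress": [{"action": "Allow", "source": {"namespaceSelector": "name in " + SYSTEM_NS}}],
    "egress": [{"action": "Allow"}]}}


def deny_dev_ingress(order):
    """Constructed policy with an explicit Deny (something Kubernetes NetworkPolicy
    cannot express) for traffic from the dev namespace into default; `order` decides
    whether it is evaluated before or after namespaces-default."""
    return {"metadata": {"name": "deny-from-dev"}, "spec": {
        "order": order, "namespaceSelector": 'name == "default"', "types": ["Ingress"],
        "ingress": [{"action": "Deny", "source": {"namespaceSelector": 'name == "dev"'}}]}}
```

With only namespaces-default loaded, a default Pod accepts ingress from dev and rejects it from test, every selected namespace may send egress anywhere, and dev itself is outside the policy's scope so it stays at the default allow, which is what the tests in example 5 show. Adding deny_dev_ingress with an order below 0 puts the Deny ahead of the Allow and blocks dev, whereas an order above 0 leaves the earlier Allow decisive.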
[root@k8s-master Network]# kubectl api-resources   # list the resource types
NAME SHORTNAMES APIGROUP NAMESPACED KIND
......
bgpconfigurations crd.projectcalico.org false BGPConfiguration
bgppeers crd.projectcalico.org false BGPPeer
blockaffinities crd.projectcalico.org false BlockAffinity
clusterinformations crd.projectcalico.org false ClusterInformation
felixconfigurations crd.projectcalico.org false FelixConfiguration
globalnetworkpolicies crd.projectcalico.org false GlobalNetworkPolicy
globalnetworksets crd.projectcalico.org false GlobalNetworkSet
hostendpoints crd.projectcalico.org false HostEndpoint
ipamblocks crd.projectcalico.org false IPAMBlock
ipamconfigs crd.projectcalico.org false IPAMConfig
ipamhandles crd.projectcalico.org false IPAMHandle
ippools crd.projectcalico.org false IPPool
kubecontrollersconfigurations crd.projectcalico.org false KubeControllersConfiguration
networkpolicies crd.projectcalico.org true NetworkPolicy
networksets crd.projectcalico.org true NetworkSet
Example 5: create a GlobalNetworkPolicy with Ingress and Egress rules
[root@k8s-master Network]# kubectl get netpol -n dev   # remember to delete all the earlier NetworkPolicy objects first
No resources found in dev namespace.
[root@k8s-master Network]# cat globalnetworkpolicy-demo.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy    # Calico resource; cluster-wide, belongs to no namespace
metadata:
  name: namespaces-default
spec:
  order: 0.0                 # priority
  namespaceSelector: name not in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}   # namespaces the policy applies to
  types: ["Ingress","Egress"]
  ingress:
  - action: Allow            # allow; Kubernetes NetworkPolicy has no deny action
    source:
      namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}   # traffic from these namespaces is allowed
  egress:
  - action: Allow            # all outbound traffic is allowed
[root@k8s-master Network]# calicoctl apply -f globalnetworkpolicy-demo.yaml
Successfully applied 1 'GlobalNetworkPolicy' resource(s)
[root@k8s-master Network]# calicoctl get GlobalNetworkPolicy
NAME
namespaces-default
[root@k8s-master Network]# calicoctl get GlobalNetworkPolicy -o yaml
apiVersion: projectcalico.org/v3
items:
- apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
creationTimestamp: "2021-09-04T06:06:50Z"
name: namespaces-default
resourceVersion: "1214207"
uid: 94d3fa70-c7c3-4333-a926-2656ada9d8e7
spec:
egress:
- action: Allow
destination: {}
source: {}
ingress:
- action: Allow
destination: {}
source:
namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}
namespaceSelector: name not in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}
order: 0
types:
- Ingress
- Egress
kind: GlobalNetworkPolicyList
metadata:
resourceVersion: "1216067"
- Test: access the default namespace from the test namespace
[root@k8s-master Network]# kubectl get pod -n test
NAME READY STATUS RESTARTS AGE
deployment-demo-867c7d9d55-72p8r 1/1 Running 0 2d16h
deployment-demo-867c7d9d55-8pf7z 1/1 Running 0 2d16h
[root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-72p8r -n test -it -- /bin/sh
[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
^C
[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1
^C
- The policy does not include the test namespace, so access fails
- Test: access the default namespace from the dev namespace
[root@k8s-master ~]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1
iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
- Delete the GlobalNetworkPolicy afterwards, otherwise it interferes with later tests
[root@k8s-master Ingress]# kubectl get globalNetworkPolicy
NAME AGE
default.namespaces-default 7d22h
[root@k8s-master Ingress]# kubectl delete globalNetworkPolicy default.namespaces-default
globalnetworkpolicy.crd.projectcalico.org "default.namespaces-default" deleted