乐趣区

关于云计算:用Calico网络策略设置主机node防火墙规则

jiezi

Cloudpods 的服务运行在一个 Kubernetes 集群之上,该 Kubernets 集群的网络计划采纳了 Calico。因而运行 Cloudpods 服务的节点的 iptables 规定被 Calico 接管。这就导致咱们在 Cloudpods 服务节点上配置的防火墙规定会被 Calico 配置的 iptables 规定笼罩,导致防火墙规定不失效。本文介绍如何应用 Calico 的 HostEndpoint 和 GlobalNetworkPolicy 来设置主机节点的防火墙规定。
1、筹备 calicoctl 工具

下载二进制

curl -O -L https://github.com/projectcal…
chmod +x calicoctl

设置环境变量

export DATASTORE_TYPE=kubernetes
export KUBECONFIG=/etc/kubernetes/admin.conf

2、配置 HostEndpoint 规定

对每一台主机的每个须要管制防火墙规定接口,定义对应的 HostEndpoint 规定

  • apiVersion: projectcalico.org/v3
    kind: HostEndpoint
    metadata:
    name: <node_name>-<interface_name>
    labels:

    role: master
env: production

    spec:
    interfaceName: <interface_name>
    node: <node_name>
    expectedIPs: [“<interface_ip>”]

  • apiVersion: projectcalico.org/v3
    kind: HostEndpoint
    metadata:
    name: <node_name>-<interface_name>
    labels:

    role: master
env: production

    spec:
    interfaceName: <interface_name>
    node: <node_name>
    expectedIPs: [“<interface_ip>”]

利用该规定:

./calicoctl apply -f hep.yaml

3、定义网络规定

定义好 HostEndpoint 之后,采纳 Calico 的 GlobalNetworkPolicy 定义防火墙规定。

  • apiVersion: projectcalico.org/v3
    kind: GlobalNetworkPolicy
    metadata:
    name: <whitelist_gnp_name>
    spec:
    order: 10
    preDNAT: true
    applyOnForward: true
    ingress:

    - action: Allow
  protocol: TCP
  source:
    nets: [<src_net_block1>, <src_net_block2>]
  destination:
    ports: [<dst_port1>, <dst_port2>]

    selector: “role==\”master\””

  • apiVersion: projectcalico.org/v3
    kind: GlobalNetworkPolicy
    metadata:
    name: drop-other-ingress
    spec:
    order: 20
    preDNAT: true
    applyOnForward: true
    ingress:

    - action: Deny

    selector: “role==\”master\””

利用规定

./calicoctl apply -f gnp.yaml

  1. failSafe 机制

为避免用户谬误配置导致 node 无奈网络拜访的危险,calico 设计了 failSafe 机制,即在用户编写规定有误的状况下,局部端口也不会被封禁,导致节点性能生效。这里是 FailSafe 端口的信息:https://docs.projectcalico.or…

  1. 配置举例

举例:master 节点的外网端口只容许 80 和 443 端口,其余都禁止:
HostEndpoint 定义:

  • apiVersion: projectcalico.org/v3
    kind: HostEndpoint
    metadata:
    name: master1-em4
    labels:

    role: master
type: external

    spec:
    interfaceName: em4
    node: master1
    expectedIPs: [“120.133.60.219”]

  • apiVersion: projectcalico.org/v3
    kind: HostEndpoint
    metadata:
    name: master2-em4
    labels:

    role: master
type: external

    spec:
    interfaceName: em4
    node: master2
    expectedIPs: [“120.133.60.220”]

  • apiVersion: projectcalico.org/v3
    kind: HostEndpoint
    metadata:
    name: master3-em4
    labels:

    role: master
type: external

    spec:
    interfaceName: em4
    node: master3
    expectedIPs: [“120.133.60.221”]

GlobalNetworkPolicy 定义

  • apiVersion: projectcalico.org/v3
    kind: GlobalNetworkPolicy
    metadata:
    name: allow-http-https-traffic-only
    spec:
    order: 10
    preDNAT: true
    applyOnForward: true
    ingress:

    - action: Allow
  protocol: TCP
  destination:
    ports: [80,443]

    selector: “role==\”master\” && type==\”external\””

  • apiVersion: projectcalico.org/v3
    kind: GlobalNetworkPolicy
    metadata:
    name: drop-other-ingress
    spec:
    order: 20
    preDNAT: true
    applyOnForward: true
    ingress:

    - action: Deny
退出移动版