NetworkPolicy简介

  • 我们常常需要按租户进行网络隔离,k8s 提供了 NetworkPolicy 来定义网络策略,从而实现网络隔离,以满足租户隔离及部分租户下的业务隔离等需求。Network Policy 提供了基于策略的网络控制,用于隔离应用并减少攻击面。它使用标签选择器模拟传统的分段网络,并通过策略控制它们之间的流量以及来自外部的流量。但 NetworkPolicy 需要有第三方网络插件的支持,如 Calico、Romana、Weave Net 和 Trireme 等。

资源规范

apiVersion: networking.k8s.io/v1   # 资源所属的 API 群组及版本号
kind: NetworkPolicy                # 资源类型的名称,名称空间级别资源
metadata:                          # 资源元数据
  name <string>                    # 资源名称标识
  namespace <string>               # NetworkPolicy 是名称空间级别的资源
spec:                              # 期望的状态
  podSelector <Object>             # 当前规则生效的同一名称空间中的一组目标 Pod 对象,必选字段;
                                   # 空值表示当前名称空间中的所有 Pod 资源
  policyTypes <[]string>           # Ingress 表示生效 ingress 字段;Egress 表示生效 egress 字段;
                                   # 同时提供表示二者均有效
  ingress <[]Object>               # 入站流量源端点对象列表,白名单,空值表示“所有”
  - from <[]Object>                # 具体的端点对象列表,空值表示所有合法端点
    - ipBlock <Object>             # IP 地址块范围内的端点,不能与另外两个字段同时使用
    - namespaceSelector <Object>   # 匹配的名称空间内的端点
      podSelector <Object>         # 由 Pod 标签选择器匹配到的端点,空值表示 <none>
    ports <[]Object>               # 具体的端口对象列表,空值表示所有合法端口
  egress <[]Object>                # 出站流量目标端点对象列表,白名单,空值表示“所有”
  - to <[]Object>                  # 具体的端点对象列表,空值表示所有合法端点,格式同 ingress.from;
    ports <[]Object>               # 具体的端口对象列表,空值表示所有合法端口

策略匹配规则为

1. 不区分规则先后顺序与权重
2. 以最大允许权限为最优匹配

#测试在default名称空间下访问dev名称空间
[root@k8s-master Network]# kubectl get pod -o wide
NAME                              READY   STATUS    RESTARTS   AGE   IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-fb544c5d8-r7pc8   1/1     Running   0          28h   192.168.51.1   k8s-node3   <none>           <none>
deployment-demo-fb544c5d8-splfr   1/1     Running   0          28h   192.168.12.1   k8s-node2   <none>           <none>
[root@k8s-master ~]# kubectl get pod -o wide -n dev
NAME                               READY   STATUS    RESTARTS   AGE    IP             NODE        NOMINATED NODE   READINESS GATES
deployment-demo-867c7d9d55-kzctj   1/1     Running   0          134m   192.168.51.4   k8s-node3   <none>           <none>
deployment-demo-867c7d9d55-l88qg   1/1     Running   0          134m   192.168.12.2   k8s-node2   <none>           <none>
#default名称空间访问 dev名称空间pod 默认是可以相互通信的
[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it  -- /bin/sh
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
  • 为所有名称空间打上标签
[root@k8s-master Network]# kubectl label ns default name=defaultnamespace/default labeled[root@k8s-master Network]# kubectl label ns kube-system  name=kube-systemnamespace/default kube-system[root@k8s-master Network]# kubectl get ns --show-labelsNAME              STATUS   AGE    LABELSdefault           Active   3d9h   name=defaultdev               Active   45h    name=devkube-node-lease   Active   3d9h   name=kube-node-leasekube-public       Active   3d9h   name=kube-publickube-system       Active   3d9h   name=kube-systemtest              Active   38h    name=test......

示例1:禁止所有入站流量规则

  • 创建 NetworkPolicy(K8S 标准资源)。为了说明策略会以最大允许权限为最优匹配,先添加一条默认拒绝所有流量的策略。注意:清单中 from/to 下的 `podSelector: {}` 并非“无”,而是匹配同一名称空间(dev)内的所有 Pod,因此 dev 内部的 Pod 之间仍然互通;kubectl describe 把空选择器显示为 `<none>`,容易造成误解。若要真正拒绝全部出入站流量,应只保留 policyTypes 而省略 ingress/egress 规则列表。
[root@k8s-master Network]# cat netpol-dev-denyall.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}  #空值匹配所有
  policyTypes: ["Ingress", "Egress"]  #拒绝所有出站入站流量
  egress:
  - to:
    - podSelector: {} #空值为none
  ingress:
  - from:
    - podSelector: {} #空值为none
    
[root@k8s-master Network]# kubectl  apply -f netpol-dev-denyall.yaml 
#测试在default、dev名称空间下相互连通性
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl  192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# curl  192.168.12.2
^C
[root@deployment-demo-fb544c5d8-r7pc8 /]# ping  192.168.12.2
PING 192.168.12.2 (192.168.12.2): 56 data bytes
^C
--- 192.168.12.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
#所有流量访问失败

示例2: 创建 NetworkPolicy2 放行 dev 名称空间

  • 规则1:标签匹配的名称空间所有流量都能访问 dev 下所有 Pod;
  • 规则2:除了 default 名称空间,其它所有名称空间都可以访问 dev 下的 80 端口
  • 组合使用时,会以最大允许权限为最优匹配权限
[root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels :
      app: demoapp   #dev名称空间下 拥有这个标签的Pod生效
  policyTypes: ["Ingress"]  #入站流量
  ingress: 
  - from:  #规则1
    - namespaceSelector:    #名称空间标签匹配
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard] # 匹配名称空间包含这些标签 如:name=dev、name=kube-system 这里不包含default
#    - ipBlock:           #网段匹配 以下网段的pod也被允许访问
#        cidr: 192.168.0.0/16
  - from: #规则2 只要是非default名称空间流量访问80端口都允许
    - namespaceSelector:
        matchExpressions:
        - {key: name,operator: NotIn, values: ["default"]} #拒绝default名称空间流量访问80端口,其它名称空间都允许
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml 
networkpolicy.networking.k8s.io/demoapp-ingress configured
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
demoapp-ingress    app=demoapp    38h
deny-all-ingress   <none>         8h
[root@k8s-master Network]# kubectl describe netpol demoapp-ingress -n dev
Name:         demoapp-ingress
Namespace:    dev
Created on:   2021-08-31 17:31:59 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=demoapp
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: name in (dev,kube-system,kubernetes-dashboard,logs,monitoring)
    ----------
    To Port: 80/TCP
    From:
      NamespaceSelector: name notin (default)
  Not affecting egress traffic
  Policy Types: Ingress
  • 在 default 名称空间下访问 dev 名称空间
  • 80 端口测试仍然无法访问,因为没有匹配到符合规则的条目

    [root@k8s-master ~]# kubectl exec deployment-demo-fb544c5d8-splfr -it -- /bin/sh
    [root@deployment-demo-fb544c5d8-splfr /]# curl 192.168.12.2
    #失败
    #ping测试失败 没有符合规则的条目
    [root@deployment-demo-fb544c5d8-splfr /]# ping  192.168.12.2
    PING 192.168.12.2 (192.168.12.2): 56 data bytes
  • 规则1中添加 default 名称空间访问权限

    [root@k8s-master Network]# cat netpol-dev-demoapp-ingress.yaml  apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:name: demoapp-ingressnamespace: devspec:podSelector:  matchLabels :    app: demoapp   #dev名称空间下 领有这个标签的Pod失效policyTypes: ["Ingress"]  #入站流量ingress: - from:  #规定1  - namespaceSelector:    #名称空间标签匹配      matchExpressions:      - key: name        operator: In        values: [dev,kube-system,logs,monitoring,kubernetes-dashboard,default]  #新增defualt名称空间#    - ipBlock:           #网段匹配 以下网段的pod也被容许拜访#        cidr: 192.168.0.0/16- from: #规定2 只是是非defaultq名称空间流量拜访80端口都容许  - namespaceSelector:      matchExpressions:      - {key: name,operator: NotIn, values: ["default"]} #回绝defaultq名称空间流量拜访80端口都容许  ports:  - protocol: TCP    port: 80[root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml networkpolicy.networking.k8s.io/demoapp-ingress configured#测试在default名称空间下拜访dev名称空间[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2![root@deployment-demo-fb544c5d8-r7pc8 /]# ping  192.168.12.2
  • bytes from 192.168.12.2: seq=0 ttl=62 time=2.563 ms
  • bytes from 192.168.12.2: seq=1 ttl=62 time=0.758 ms
  • bytes from 192.168.12.2: seq=2 ttl=62 time=0.726 ms
  • bytes from 192.168.12.2: seq=3 ttl=62 time=0.457 ms

  • 以上规则1匹配到的最大权限为最优匹配权限,拥有 dev 下所有流量的访问权限
  • 规则1中删除 default 名称空间,规则2中 default 名称空间更改为 logs
[root@k8s-master Network]# cat  netpol-dev-demoapp-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels :
      app: demoapp   #dev名称空间下 拥有这个标签的Pod生效
  policyTypes: ["Ingress"]  #入站流量
  ingress: 
  - from:  #规则1
    - namespaceSelector:    #名称空间标签匹配
        matchExpressions:
        - key: name
          operator: In
          values: [dev,kube-system,logs,monitoring,kubernetes-dashboard]  #匹配名称空间包含这些标签 如:name=dev、name=kube-system
#    - ipBlock:           #网段匹配 以下网段的pod也被允许访问
#        cidr: 192.168.0.0/16
  - from: #规则2 只要是非logs名称空间流量访问80端口都允许
    - namespaceSelector:
        matchExpressions:
        - {key: name,operator: NotIn, values: ["logs"]} #拒绝logs名称空间流量访问80端口,其它名称空间都允许
    ports:
    - protocol: TCP
      port: 80
  • 测试在 default 名称空间下访问 dev 名称空间

    [root@k8s-master Network]# kubectl apply -f netpol-dev-demoapp-ingress.yaml networkpolicy.networking.k8s.io/demoapp-ingress configured[root@deployment-demo-fb544c5d8-r7pc8 /]# ping  192.168.12.2PING 192.168.12.2 (192.168.12.2): 56 data bytes^C
  • packets transmitted, 0 packets received, 100% packet loss
    [root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
    iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!
    [root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.12.2
    iKubernetes demoapp v1.1 !! ClientIP: 192.168.51.1, ServerName: deployment-demo-867c7d9d55-l88qg, ServerIP: 192.168.12.2!

  • ping 失败是因为没有匹配的规则条目;curl 匹配到了规则2,只要是非 logs 名称空间的都可以访问 80 端口

示例3:出站流量规定

[root@k8s-master Network]# kubectl get netpol -n dev NAME               POD-SELECTOR   AGEdemoapp-egress     app=demoapp    104sdeny-all-ingress   <none>         2d11h#查看dev NetworkPolicy[root@k8s-master Network]# kubectl describe netpol deny-all-ingress -n dev  Name:         deny-all-ingressNamespace:    devCreated on:   2021-09-01 23:34:49 +0800 CSTLabels:       <none>Annotations:  <none>Spec:  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)  Allowing ingress traffic:    To Port: <any> (traffic allowed to all ports)    From:      PodSelector: <none>  Allowing egress traffic:    To Port: <any> (traffic allowed to all ports)    To:      PodSelector: <none>  Policy Types: Ingress, Egress[root@k8s-master Network]# kubectl get pod -n devNAME                               READY   STATUS    RESTARTS   AGEdeployment-demo-867c7d9d55-kzctj   1/1     Running   0          3d21hdeployment-demo-867c7d9d55-l88qg   1/1     Running   0          3d21h[root@k8s-master ~]# kubectl get pod -o wideNAME                              READY   STATUS    RESTARTS   AGE     IP             NODE        NOMINATED NODE   READINESS GATESdeployment-demo-fb544c5d8-r7pc8   1/1     Running   0          4d23h   192.168.51.1   k8s-node3   <none>           <none>deployment-demo-fb544c5d8-splfr   1/1     Running   0          4d23h   192.168.12.1   k8s-node2   <none
  • 在 dev 名称空间下访问 default 名称空间

    [root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1^C[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.12.1^C[root@deployment-demo-867c7d9d55-l88qg /]# ping  192.168.51.1PING 192.168.51.1 (192.168.51.1): 56 data bytes^C
  • packets transmitted, 0 packets received, 100% packet loss
    [root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system

    ^C

  • 所有出站流量都失败
  • 新建出站策略。注:第三条规则中被注释掉的 podSelector 单独使用时只匹配同一名称空间(dev)内的 Pod,而测试目标 192.168.51.1 位于 default 名称空间,所以打开该选择器后访问不了;跨名称空间放行需配合 namespaceSelector 使用。

[root@k8s-master Network]# cat netpol-dev-demoapp-egress.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-egress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp
  policyTypes: ["Egress"] #出站流量
  egress:
  - to:
    ports:
    - protocol: UDP
      port: 53
  - to:                #to模块之间是或逻辑 to内部是与逻辑
    - podSelector:
        matchLabels:
          app: redis   #被访问站点标签
    ports:
    - protocol: TCP   #匹配标签为redis  端口为6379
      port: 6379
  - to:             #出站80端口
#    - podSelector:   #标签实测中有问题 打开后访问不了
#        matchLabels:
#          app: demoapp
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master Network]# kubectl apply -f  netpol-dev-demoapp-egress.yaml 
networkpolicy.networking.k8s.io/demoapp-egress created
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
demoapp-egress     app=demoapp    20m
deny-all-ingress   <none>         2d12h
[root@k8s-master Network]# kubectl describe netpol demoapp-egress -n dev
Name:         demoapp-egress
Namespace:    dev
Created on:   2021-09-04 12:35:07 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=demoapp
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port: 53/UDP
    To: <any> (traffic not restricted by source)
    ----------
    To Port: 6379/TCP
    To:
      PodSelector: app=redis
    ----------
    To Port: 80/TCP
    To: <any> (traffic not restricted by source)
  Policy Types: Egress
  • 再次测试出站访问,在 dev 名称空间下访问 default 名称空间

    [root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1![root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1![root@deployment-demo-867c7d9d55-l88qg /]# ping 192.168.51.1   #ping并没有放行 所以失败PING 192.168.51.1 (192.168.51.1): 56 data bytes^C
  • packets transmitted, 0 packets received, 100% packet loss
    [root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-system
    Server: 10.96.0.10
    Address: 10.96.0.10#53

示例4:合并出入站流量控制

[root@k8s-master Network]# cat netpol-stage-default.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default
  namespace: dev
spec:
  podSelector: {}
  policyTypes: ["Ingress" , "Egress"]   #出入站流量策略
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key : name
          operator: In
          values: [stage,kube-system,logs ,monitoring,kubernetes-dashboard]  #不包含default名称空间
  egress:
  - to:
    ports:
    - protocol: UDP
      port: 53
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          component: kube-apiserver
    ports:
    - protocol: TCP
      port: 80
  - to:
    - namespaceSelector:
        matchLabels:
          name: default   #允许default所有出站流量
[root@k8s-master Network]# kubectl apply -f  netpol-stage-default.yaml
[root@k8s-master Network]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
default            <none>         7m13s
deny-all-ingress   <none>         2d14h
[root@k8s-master Network]# kubectl describe netpol default -n dev
Name:         default
Namespace:    dev
Created on:   2021-09-04 13:32:21 +0800 CST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: name in (kube-system,kubernetes-dashboard,logs,monitoring,stage)
  Allowing egress traffic:
    To Port: 53/UDP
    To: <any> (traffic not restricted by source)
    ----------
    To Port: 80/TCP
    To:
      NamespaceSelector: name=kube-system
      PodSelector: component=kube-apiserver
    ----------
    To Port: <any> (traffic allowed to all ports)
    To:
      NamespaceSelector: name=default
  Policy Types: Ingress, Egress
  • 测试出站访问,在 dev 名称空间下访问 default 名称空间

    [root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1![root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1![root@deployment-demo-867c7d9d55-l88qg /]# nslookup kube-dns.kube-systemServer:        10.96.0.10Address:    10.96.0.10#53Name:    kube-dns.kube-system.svc.cluster.localAddress: 10.96.0.10# 测试入站拜访 在defaule名称空间下拜访dev名称空间[root@k8s-master Network]# kubectl exec deployment-demo-fb544c5d8-r7pc8 -it -- /bin/sh^C[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4^C[root@deployment-demo-fb544c5d8-r7pc8 /]# curl 192.168.51.4

    GlobalNetworkPolicy 全局访问策略

    calico自定义资源类型

尽管功能上日渐丰富,但 k8s 自己的 NetworkPolicy 资源仍然具有相当的局限性,例如它没有明确的拒绝规则、缺乏对选择器高级表达式的支持、不支持应用层规则,以及没有集群范围的网络策略等。为了解决这些限制,Calico 等提供了自有的策略 CRD,包括 NetworkPolicy 和 GlobalNetworkPolicy 等,其中的 NetworkPolicy CRD 比 Kubernetes NetworkPolicy API 提供了更大的功能集,包括支持拒绝规则、规则解析级别以及应用层规则等,但相关的规则需要由 calicoctl 创建。

GlobalNetworkPolicy 支持使用 selector、serviceAccountSelector 或 namespaceSelector 来选定网络策略的生效范围,默认为 all(),即集群的所有端点。下面的配置清单示例(globalnetworkpolicy-demo.yaml)为非系统类名称空间(本示例假设有 kube-system、kubernetes-dashboard、logs 和 monitoring 这 4 个)定义了一个通用的网络策略。

资源规范:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: namespaces-default
spec:
  order: 0.0 #策略叠加时的应用顺序,数字越小越先应用,冲突时,后者会覆盖前者
  #策略应用目标为非指定名称空间中的所有端点
  namespaceSelector: name not in { "kube-system" , "kubernetes-dashboard" , "logs" , "monitoring"}
  types: ["Ingress", "Egress"]
  ingress:  #入站流量规则
  - action: Allow  #白名单
    source: #策略生效目标中的端点可由下面系统名称空间中每个源端点访问任意端口
      namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring"}
  egress:  #出站流量规则
  - action: Allow  #允许所有
[root@k8s-master Network]# kubectl api-resources  #查看资源类型NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND......bgpconfigurations                              crd.projectcalico.org          false        BGPConfigurationbgppeers                                       crd.projectcalico.org          false        BGPPeerblockaffinities                                crd.projectcalico.org          false        BlockAffinityclusterinformations                            crd.projectcalico.org          false        ClusterInformationfelixconfigurations                            crd.projectcalico.org          false        FelixConfigurationglobalnetworkpolicies                          crd.projectcalico.org          false        GlobalNetworkPolicyglobalnetworksets                              crd.projectcalico.org          false        GlobalNetworkSethostendpoints                                  crd.projectcalico.org          false        HostEndpointipamblocks                                     crd.projectcalico.org          false        IPAMBlockipamconfigs                                    crd.projectcalico.org          false        IPAMConfigipamhandles                                    crd.projectcalico.org          false        IPAMHandleippools                                        crd.projectcalico.org          false        IPPoolkubecontrollersconfigurations                  crd.projectcalico.org          false        KubeControllersConfigurationnetworkpolicies                                crd.projectcalico.org          true         NetworkPolicynetworksets                                    crd.projectcalico.org          true         NetworkSet

示例5: 创建 GlobalNetworkPolicy Ingress、Egress

[root@k8s-master Network]# kubectl get netpol -n dev    #记得清空之前的NetworkPolicy,全部删除
No resources found in dev namespace.
[root@k8s-master Network]# cat globalnetworkpolicy-demo.yaml 
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy  #calico资源  全局不属于任何名称空间
metadata:
  name: namespaces-default
spec:
  order: 0.0   #优先级
  namespaceSelector: name not in { "kube-system","kubernetes-dashboard","logs","monitoring","dev"}  #生效的名称空间
  types: ["Ingress","Egress"]
  ingress:
  - action: Allow  #允许 NetworkPolicy没有拒绝策略
    source:
      namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}  #默认来自这些名称空间的流量都是允许的
  egress :
  - action: Allow   #默认可以访问所有出站流量
[root@k8s-master Network]# calicoctl  apply -f globalnetworkpolicy-demo.yaml 
Successfully applied 1 'GlobalNetworkPolicy' resource(s)
[root@k8s-master Network]# calicoctl  get GlobalNetworkPolicy
NAME                 
namespaces-default 
[root@k8s-master Network]# calicoctl  get GlobalNetworkPolicy -o yaml
apiVersion: projectcalico.org/v3
items:
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    creationTimestamp: "2021-09-04T06:06:50Z"
    name: namespaces-default
    resourceVersion: "1214207"
    uid: 94d3fa70-c7c3-4333-a926-2656ada9d8e7
  spec:
    egress:
    - action: Allow
      destination: {}
      source: {}
    ingress:
    - action: Allow
      destination: {}
      source:
        namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring","dev"}
    namespaceSelector: name not in { "kube-system","kubernetes-dashboard","logs","monitoring","dev"}
    order: 0
    types:
    - Ingress
    - Egress
kind: GlobalNetworkPolicyList
metadata:
  resourceVersion: "1216067"
  • 测试 test 名称空间访问 default 名称空间

    [root@k8s-master Network]# kubectl get pod -n testNAME                               READY   STATUS    RESTARTS   AGEdeployment-demo-867c7d9d55-72p8r   1/1     Running   0          2d16hdeployment-demo-867c7d9d55-8pf7z   1/1     Running   0          2d16h[root@k8s-master Network]# kubectl exec deployment-demo-867c7d9d55-72p8r -n test -it -- /bin/sh[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1^C[root@deployment-demo-867c7d9d55-72p8r /]# curl 192.168.51.1^C
  • 策略的入站白名单没有包含 test 名称空间,访问失败
  • 测试 dev 名称空间访问 default 名称空间
[root@k8s-master ~]# kubectl exec deployment-demo-867c7d9d55-l88qg -n dev -it -- /bin/sh[root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1![root@deployment-demo-867c7d9d55-l88qg /]# curl 192.168.51.1iKubernetes demoapp v1.0 !! ClientIP: 192.168.12.2, ServerName: deployment-demo-fb544c5d8-r7pc8, ServerIP: 192.168.51.1!
  • 删除 GlobalNetworkPolicy,不然会影响后续测试

    [root@k8s-master Ingress]# kubectl get globalNetworkPolicyNAME                         AGEdefault.namespaces-default   7d22h[root@k8s-master Ingress]# kubectl delete   globalNetworkPolicy  default.namespaces-defaultglobalnetworkpolicy.crd.projectcalico.org "default.namespaces-default" deleted