canal的网络策略

资源:

https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/flannel

基于pod

Egress  是Pod作为客户端(需要定义目标端口和目标地址)

Ingress 是Pod作为服务端(需要定义来源地址和Pod自己的端口)

canal工作的默认网段是192.168.0.0/16

官网:https://docs.projectcalico.org/v3.2/introduction/

参考地址:
https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/flannel

分别运行:
# Both manifests are applied straight from the Calico docs site (release v3.2 is
# pinned in the URL path); outside a lab, keep a reviewed local copy and apply that.
# RBAC objects for canal (presumably the ClusterRole/binding the canal pods run under)
kubectl apply -f \
https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/canal/rbac.yaml

# canal itself: the canal-* pods that appear in kube-system below come from this manifest
kubectl apply -f \
https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/canal/canal.yaml

监控:
kubectl get pods -n kube-system -w
 
[root@master ~]# kubectl get pods -n kube-system
NAME                                   READY     STATUS    RESTARTS   AGE
canal-98mcn                            3/3       Running   0          3m
canal-gnp5r                            3/3       Running   0          3m
coredns-78fcdf6894-27npt               1/1       Running   1          12d
coredns-78fcdf6894-mbg8n               1/1       Running   1          12d
etcd-master                            1/1       Running   1          12d
kube-apiserver-master                  1/1       Running   1          12d
kube-controller-manager-master         1/1       Running   1          12d
kube-flannel-ds-amd64-6ws6q            1/1       Running   0          1h
kube-flannel-ds-amd64-mg9sm            1/1       Running   0          1h
kube-flannel-ds-amd64-sq9wj            1/1       Running   0          1h
kube-proxy-g9n4d                       1/1       Running   1          12d
kube-proxy-wrqt8                       1/1       Running   2          12d
kube-proxy-x7vc2                       1/1       Running   0          12d
kube-scheduler-master                  1/1       Running   1          12d
kubernetes-dashboard-767dc7d4d-7rmp8   1/1       Running   0          2d
查看帮助:
kubectl explain networkpolicy.spec
网络策略:
名称空间:
   拒绝所有的出站,入站。
   放行所有目标为本名称空间内Pod的出站流量

ingress

创建名称空间
[root@master networkpolicy]# kubectl create namespace dev
namespace/dev created
[root@master networkpolicy]# kubectl create namespace prod
namespace/prod created
 
创建yaml文件
[root@master networkpolicy]# cat ingres-def.yaml 
# NetworkPolicy: default-deny for inbound traffic.
# No namespace is set in the file; the target namespace is chosen at apply time
# with `kubectl apply -f ... -n <namespace>`.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  #namespace: dev
spec:
  podSelector: {}  # empty selector: every Pod in the namespace is selected
  policyTypes:
  - Ingress
  # If Ingress is not listed in policyTypes, inbound traffic is not restricted.
  # If Ingress is listed and no ingress rule is given, all inbound traffic to the
  # selected Pods is denied.
 
[root@master networkpolicy]# kubectl apply -f ingres-def.yaml -n dev
networkpolicy.networking.k8s.io/deny-all-ingress created
-n 用于指定名称空间(这里是dev)
 
[root@master networkpolicy]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
deny-all-ingress   <none>         39s
 
创建一个web yaml
[root@master networkpolicy]# vim pod-a.yaml
[root@master networkpolicy]# kubectl apply -f pod-a.yaml -n dev
pod/pod1 created
[root@master networkpolicy]# cat pod-a.yaml 
# Demo Pod used to test the policies. It is created in a namespace via
# `kubectl apply -n <namespace>`, so the same file serves both dev and prod.
apiVersion: v1
kind: Pod
metadata:
  name: pod1  # no labels are set here; the app=myapp label is added later with kubectl label
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1  # image referenced by a mutable tag rather than a digest; fine for a demo
 
 
 
[root@master networkpolicy]# kubectl get pods
No resources found.
[root@master networkpolicy]# kubectl get pods -n dev
NAME      READY     STATUS    RESTARTS   AGE
pod1      1/1       Running   0          50s
 
 
[root@master networkpolicy]# kubectl get pods -n dev -o wide
NAME      READY     STATUS    RESTARTS   AGE       IP           NODE      NOMINATED NODE
pod1      1/1       Running   0          1m        10.244.2.2   node2     <none>
[root@master networkpolicy]# curl 10.244.2.2
 
发现是访问不了的
 
更换一下名称空间:
[root@master networkpolicy]# kubectl apply -f pod-a.yaml -n prod
pod/pod1 created
[root@master networkpolicy]# kubectl get pods -n prod
NAME      READY     STATUS    RESTARTS   AGE
pod1      1/1       Running   0          8s
[root@master networkpolicy]# kubectl get pods -n prod -o wide
NAME      READY     STATUS    RESTARTS   AGE       IP           NODE      NOMINATED NODE
pod1      1/1       Running   0          13s       10.244.1.2   node1     <none>
[root@master networkpolicy]# curl 10.244.1.2
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
发现是可以访问的
因为dev名称空间中定义的Ingress策略拒绝了所有入站访问
[root@master networkpolicy]# kubectl get pods -n prod -o wide
NAME      READY     STATUS    RESTARTS   AGE       IP           NODE      NOMINATED NODE
pod1      1/1       Running   0          3m        10.244.1.2   node1     <none>
[root@master networkpolicy]# kubectl get pods -n dev -o wide
NAME      READY     STATUS    RESTARTS   AGE       IP           NODE      NOMINATED NODE
pod1      1/1       Running   0          7m        10.244.2.2   node2     <none>
可以看出,prod和dev两个不同的名称空间中各有一个Pod
[root@master networkpolicy]# curl 10.244.1.2  #可以
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@master networkpolicy]# curl 10.244.2.2   #NO
^C
现在放行10.244.2.2
dev名称空间默认拒绝一切入站流量,但它仍然可以主动向外请求
[root@master networkpolicy]# vim ingres-def.yaml 
[root@master networkpolicy]# kubectl apply -f ingres-def.yaml -n dev
networkpolicy.networking.k8s.io/deny-all-ingress configured
[root@master networkpolicy]# cat ingres-def.yaml 
# Same policy object as before (same name, so `kubectl apply` reconfigures it
# rather than creating a second one), now with an empty ingress rule added.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  #namespace: dev
spec:
  podSelector: {}  # empty selector: every Pod in the namespace is selected
  ingress:
  - {}  # an empty rule matches every source and port: all inbound traffic is allowed
  # NOTE(review): despite the name "deny-all-ingress", this version permits all
  # inbound traffic to every Pod in the namespace.
  policyTypes:
  - Ingress
  # If Ingress is not listed in policyTypes, inbound traffic is not restricted.
  # If Ingress is listed and no rule matches, inbound traffic is denied.
 
 
再次访问:
[root@master networkpolicy]# curl 10.244.2.2
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
可以访问了
打一个标签,之后就可以针对带有app=myapp标签的Pod设置特定的访问策略
kubectl label pods pod1 app=myapp -n dev
[root@master networkpolicy]# kubectl label pods pod1 app=myapp -n dev
pod/pod1 labeled
 
 
 
[root@master networkpolicy]# cat allow-netpol-demo.yaml 
# Allows TCP/80 into Pods labelled app=myapp from the given IP range.
# NetworkPolicies are additive: a connection is allowed if ANY policy selecting
# the Pod allows it. While deny-all-ingress in this namespace still carries the
# empty ingress rule, inbound traffic is allowed regardless of this policy, so
# the curl below does not exercise the restriction written here.
# policyTypes is omitted; with only ingress rules present Kubernetes treats this
# as an Ingress-only policy (see `kubectl explain networkpolicy.spec.policyTypes`).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-myapp-ingress
spec:
  podSelector:
    matchLabels:
      app: myapp  # only Pods carrying this label are selected
  ingress:
  - from:
    - ipBlock: # source given as an IP range
        cidr: 10.244.0.0/16  # allowed range
        except:
        - 10.244.1.2/32  # excluded from the range (the current IP of pod1 in prod)
    # NOTE(review): Pod IPs change whenever a Pod is rescheduled, so excluding a
    # single Pod by IP is fragile; for in-cluster sources a podSelector /
    # namespaceSelector under `from` is the robust choice.
    ports:
    - protocol: TCP
      port: 80  # only this port is opened by this policy
 
 
 
[root@master networkpolicy]# kubectl apply -f allow-netpol-demo.yaml -n dev
networkpolicy.networking.k8s.io/allow-myapp-ingress created
 
 
[root@master networkpolicy]# kubectl get netpol -n dev
NAME                  POD-SELECTOR   AGE
allow-myapp-ingress   app=myapp      2m
deny-all-ingress      <none>         36m
 
[root@master networkpolicy]# curl 10.244.2.2
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
生效了
[root@master networkpolicy]# curl 10.244.2.2:443
会直接卡住,如果需要访问443,则需要在yaml文件中配置。

egress

#允许出站
 
[root@master networkpolicy]# vim egress-def.yaml 
# NOTE(review): the empty egress rule (`- {}`) matches every destination, so this
# manifest allows ALL outbound traffic even though it is named deny-all-egress.
# It shares its name with the deny version below, so applying one replaces the other.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
spec:
  podSelector: {}  # every Pod in the namespace is selected
  egress:
  - {}  # empty rule: all egress allowed
  policyTypes:
  - Egress
 
 
#拒绝出站
 
[root@master networkpolicy]# vim egress-def.yaml 
# Default-deny for outbound traffic: Egress is listed in policyTypes and no
# egress rule is given, so the selected Pods may not initiate any connection.
# NOTE(review): this also blocks DNS lookups from the Pods; add an egress rule
# allowing UDP/TCP 53 to the cluster DNS (the coredns pods in kube-system) if
# name resolution must keep working.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
spec:
  podSelector: {}  # every Pod in the namespace is selected
  policyTypes:
  - Egress