Kubernetes CKS 2021 -- Network Policies (NetworkPolicy)

User submission 307 2022-09-10

Contents

1. Configuring network policies in the cluster
2. Practice - Frontend to Backend traffic
3. Practice - Backend to Database traffic

Keywords: NetworkPolicy, Ingress, Egress, ipBlock, namespaceSelector, podSelector, ports

1. Configuring network policies in the cluster

2. Practice - Frontend to Backend traffic

root@master:~# k run frontend --image=nginx
pod/frontend created
root@master:~# k run backend --image=nginx
pod/backend created
root@master:~# k expose pod frontend --port 80
service/frontend exposed
root@master:~# k expose pod backend --port 80
service/backend exposed
root@master:~# k get pods,svc
NAME           READY   STATUS    RESTARTS   AGE
pod/backend    1/1     Running   0          49s
pod/frontend   1/1     Running   0          58s

NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/backend      ClusterIP   10.104.232.138   <none>        80/TCP    14s
service/frontend     ClusterIP   10.111.199.32    <none>        80/TCP    23s
service/kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP   91d

root@master:~# k exec frontend -- curl backend
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0  11547      0 --:--:-- --:--:-- --:--:-- 11547
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org. Commercial support is available at nginx.com.
Thank you for using nginx.

root@master:~# k exec backend -- curl frontend
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   119k      0 --:--:-- --:--:-- --:--:--  119k
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org. Commercial support is available at nginx.com.
Thank you for using nginx.

root@master:~# vim default-deny.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress

root@master:~# k create -f default-deny.yaml
networkpolicy.networking.k8s.io/deny created

root@master:~# vim frontend.yaml

# allows frontend pods to communicate with backend pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: backend

root@master:~# k -f frontend.yaml create
networkpolicy.networking.k8s.io/frontend created
root@master:~# k exec frontend -- curl backend
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:08 --:--:--     0

root@master:~# vim backend.yaml

# allows backend pods to have incoming traffic from frontend pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend

root@master:~# k -f backend.yaml create
networkpolicy.networking.k8s.io/backend created
root@master:~# k exec frontend -- curl backend
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:08 --:--:--     0

root@master:~# k get pods --show-labels -owide
NAME       READY   STATUS    RESTARTS   AGE   IP                NODE    NOMINATED NODE   READINESS GATES   LABELS
backend    1/1     Running   0          29m   192.168.104.27    node2   <none>           <none>            run=backend
frontend   1/1     Running   0          30m   192.168.166.179   node1   <none>           <none>            run=frontend

root@master:~# k exec frontend -- curl 192.168.104.27
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org. Commercial support is available at nginx.com.
Thank you for using nginx.
100   612  100   612    0     0  18545      0 --:--:-- --:--:-- --:--:-- 19125

root@master:~# k exec backend -- curl 192.168.166.179
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org. Commercial support is available at nginx.com.
Thank you for using nginx.
100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k
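
In the session above, `curl backend` still times out after both allow policies exist, while `curl 192.168.104.27` succeeds: the default-deny policy also blocks the pods' DNS lookups, so the service name never resolves. The manifest below is an added example, not part of the original notes, that re-opens DNS only towards the cluster DNS pods; the policy name `allow-dns`, the `kubernetes.io/metadata.name: kube-system` namespace label and the `k8s-app: kube-dns` pod label are assumptions about the cluster.

```yaml
# Added example (not from the original page): allow DNS lookups from every
# pod in "default" while the page's default-deny policy stays in place.
# NetworkPolicies are additive, so this only opens port 53 to the DNS pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns              # hypothetical name
  namespace: default
spec:
  podSelector: {}              # same scope as the "deny" policy
  policyTypes:
  - Egress
  egress:
  - to:
    # ONE list item carrying both selectors means AND: pods labelled
    # k8s-app=kube-dns that live in a namespace labelled kube-system.
    # Two separate list items would mean OR and open far more.
    - namespaceSelector:
        matchLabels:
          # Assumption: set automatically on Kubernetes 1.21+. On older
          # clusters, label the namespace by hand, as the page does for
          # the cassandra namespace, and match that label here.
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns    # assumption: label on the CoreDNS/kube-dns pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Check the labels first with `k get ns --show-labels` and `k -n kube-system get pods --show-labels`. After creating the policy, the name in `k exec frontend -- curl backend` resolves again, and the existing frontend and backend policies decide whether the connection itself is allowed.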

3. Practice - Backend to Database traffic

kubectl create ns cassandra
kubectl edit ns cassandra

apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2021-04-20T07:19:22Z"
  name: cassandra
  resourceVersion: "533198"
  uid: 766ae069-4dc9-4acd-a4db-ce852c293cc6
  labels:            # added
    ns: cassandra    # added
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

root@master:~# k -n cassandra run cassandra --image=nginx
pod/cassandra created
root@master:~# k -n cassandra get pod -owide
NAME        READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE   READINESS GATES
cassandra   1/1     Running   0          73m   192.168.104.26   node2   <none>           <none>
root@master:~# k exec backend -- curl 192.168.104.26
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   597k      0 --:--:-- --:--:-- --:--:--     0

vim backend.yaml

# allows backend pods to have incoming traffic from frontend pods and to cassandra namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          ns: cassandra

root@master:~# k apply -f backend.yaml
Warning: resource networkpolicies/backend is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
networkpolicy.networking.k8s.io/backend configured
root@master:~# k exec backend -- curl 192.168.104.26
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   597k      0 --:--:-- --:--:-- --:--:--  597k
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org. Commercial support is available at nginx.com.
Thank you for using nginx.

root@master:~# cat cassandra-deny.yaml
# deny all incoming and outgoing traffic from all pods in namespace cassandra
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra-deny
  namespace: cassandra
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
root@master:~# k create -f cassandra-deny.yaml
networkpolicy.networking.k8s.io/cassandra-deny created
root@master:~# k exec backend -- curl 192.168.104.26
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0^C

# allows cassandra pods having incoming connection from backend namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra
  namespace: cassandra
spec:
  podSelector:
    matchLabels:
      run: cassandra
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          ns: default

root@master:~# k create -f cassandra.yaml
networkpolicy.networking.k8s.io/cassandra created
root@master:~# k edit ns default

apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2021-01-19T03:27:58Z"
  labels:          # added
    ns: default    # added
  name: default
  resourceVersion: "541475"
  uid: 2d566715-f0a4-49b3-b590-dfa7df30d0ba
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

root@master:~# k exec backend -- curl 192.168.104.26
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  597k
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org. Commercial support is available at nginx.com.
Thank you for using nginx.
