• K8s复习笔记12--Ingress/Egress实验9则


    1. linux ns部署nginx和tomcat,并让nginx可以将来自于/app的请求转发至当前ns的tomcat pod
    2. python ns部署nginx和tomcat,并让nginx可以将来自于/app的请求转发至当前ns的tomcat pod
    3. 测试容器(创建多个pod用于后期不同节点进行测试)

    1. 环境准备

    1.1 创建ns并加label

    root@k8s-master-01:~# kubectl create ns linux
    namespace/linux created
    root@k8s-master-01:~# kubectl create ns python
    namespace/python created
    root@k8s-master-01:~# kubectl label ns linux nsname=linux
    namespace/linux labeled
    root@k8s-master-01:~# kubectl label ns python nsname=python
    namespace/python labeled
    

    创建3个测试pod(同一镜像,执行 sleep 保持运行),ns分别是linux、python和default,后面用它们从不同ns/不同节点发起访问测试

    root@k8s-master-01:~# kubectl run test-centos-pod --image=harbor.intra.com/baseimages/centos-base:7.9.2009 sleep 100000000 -n linux
    pod/test-centos-pod created
    root@k8s-master-01:~# kubectl run test-centos-pod --image=harbor.intra.com/baseimages/centos-base:7.9.2009 sleep 100000000 -n python
    pod/test-centos-pod created
    root@k8s-master-01:~# kubectl run test-centos-pod --image=harbor.intra.com/baseimages/centos-base:7.9.2009 sleep 100000000 
    pod/test-centos-pod created
    

    1.2 创建linux pods

    创建linux 的nginx和tomcat pod

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/linux-ns1# kubectl apply -f .
    deployment.apps/linux-nginx-deployment created
    service/linux-nginx-service created
    deployment.apps/linux-tomcat-app1-deployment created
    service/linux-tomcat-app1-service created
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/linux-ns1# kubectl get pods -n linux
    NAME                                            READY   STATUS    RESTARTS   AGE
    linux-nginx-deployment-5cd9566d7f-rrd98         1/1     Running   0          89s
    linux-tomcat-app1-deployment-6f8864d5d9-trdh9   1/1     Running   0          89s
    test-centos-pod                                 1/1     Running   0          118s
    

    配置tomcat(注意:这里是直接在运行中的容器里改文件,pod 重建后就会丢失,只适合实验环境)

    # kubectl exec -it linux-tomcat-app1-deployment-6f8864d5d9-trdh9 -n linux bash
    root@linux-tomcat-app1-deployment-6f8864d5d9-trdh9:/usr/local/tomcat# cd webapps
    root@linux-tomcat-app1-deployment-6f8864d5d9-trdh9:/usr/local/tomcat/webapps# mkdir app
    root@linux-tomcat-app1-deployment-6f8864d5d9-trdh9:/usr/local/tomcat/webapps# echo "linux app in tomcat" >> app/index.jsp
    ## 访问测试
    root@k8s-master-01:~# curl http://192.168.31.113:30005/app/
    linux app in tomcat
    

    配置nginx

    root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 -n linux sh
    ## ping通tomcat的svc
    / # ping linux-tomcat-app1-service.linux.svc.magedu.local -c 1
    PING linux-tomcat-app1-service.linux.svc.magedu.local (10.200.60.176): 56 data bytes
    64 bytes from 10.200.60.176: seq=0 ttl=64 time=0.031 ms
    
    --- linux-tomcat-app1-service.linux.svc.magedu.local ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.031/0.031/0.031 ms
    ## 修改nginx的配置文件
    / # vi /etc/nginx/conf.d/default.conf
    ## 追加以下行
        location /app { 
            proxy_pass http://linux-tomcat-app1-service.linux.svc.magedu.local;
        } 
    ## 重启nginx
    / # nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    / # nginx -s reload
    2022/08/17 04:59:08 [notice] 55#55: signal process started
    ## 测试访问nginx
    root@k8s-master-01:~# curl 192.168.31.113:30004/app/
    linux app in tomcat
    

    1.3 创建python pods

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f nginx.yaml -f tomcat.yaml 
    deployment.apps/python-nginx-deployment created
    service/python-nginx-service created
    deployment.apps/python-tomcat-app1-deployment created
    service/python-tomcat-app1-service created
    

    为了不让这两个ns在一个node上可以先给linux的node打上cordon,运行起来后再uncordon
    ```bash
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get pods -n python -o wide
    NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
    python-nginx-deployment-7bbc6bf578-bntx4 1/1 Running 0 5m27s 172.100.76.175 192.168.31.113
    python-tomcat-app1-deployment-6b795c66d5-bp55c 1/1 Running 0 5m26s 172.100.76.176 192.168.31.113
    test-centos-pod 1/1 Running 0 2m50s 172.100.140.70 192.168.31.112
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get pods -n linux -o wide
    NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
    linux-nginx-deployment-5cd9566d7f-rrd98 1/1 Running 0 91m 172.100.109.124 192.168.31.111
    linux-tomcat-app1-deployment-6f8864d5d9-trdh9 1/1 Running 0 91m 172.100.109.125 192.168.31.111
    test-centos-pod 1/1 Running 0 91m 172.100.109.123 192.168.31.111
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2#
    ```

    准备python的两个环境
    ```bash
    root@k8s-master-01:~# kubectl exec -it python-tomcat-app1-deployment-6b795c66d5-bp55c -n python bash
    root@python-tomcat-app1-deployment-6b795c66d5-bp55c:/usr/local/tomcat/webapps# mkdir app
    root@python-tomcat-app1-deployment-6b795c66d5-bp55c:/usr/local/tomcat/webapps# echo "python app in tomcat" >> app/index.jsp
    ## 测试python的tomcat
    root@k8s-master-01:~# curl 192.168.31.113:30015/app/
    python app in tomcat
    ## 修改nginx配置
    / # vi /etc/nginx/conf.d/default.conf
    ## 追加以下内容
        location /app {
            proxy_pass http://python-tomcat-app1-service.python.svc.magedu.local;
        }  
    ## 重启服务
    / # nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    / # nginx -s reload
    2022/08/17 05:18:35 [notice] 44#44: signal process started
    ## 测试访问nginx
    root@k8s-master-01:~# curl 192.168.31.113:30014/app/
    python app in tomcat
    ```

    2. NetworkPolicy实现

    默认情况下(没有任何NetworkPolicy选中目标pod时)pod是"非隔离"的,任何来源都可以访问,所以ns linux下的nginx可以直接访问ns python的tomcat。注意:NetworkPolicy只是API对象,真正执行它的是CNI插件(如Calico、Cilium);如果CNI不支持NetworkPolicy(例如纯flannel),策略会被API接受但完全不生效,下面的所有测试结果也就无从验证。

    root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 -n linux sh
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    ## 全称
    / # curl python-tomcat-app1-service.python.svc.magedu.local/app/index.jsp
    python app in tomcat
    ## 缩写
    / # curl python-tomcat-app1-service.python/app/index.jsp
    python app in tomcat
    

    2.1 case1 Ingress 以pod为单位,只允许同ns下特定pod访问

    1. 不允许其他namespace的pod访问tomcat pod
    2. 没有被明确允许的pod,即使在同一个ns也访问不了
    3. 不允许从宿主机访问pod(宿主机或经NodePort进入的流量源IP通常已被SNAT成节点IP,不匹配任何podSelector)
    4. 只允许同ns中拥有特定标签的pod访问目标

    只允许namespace为python、标签为 app=python-nginx-selector 的pod访问标签为 app=python-tomcat-app1-selector 的pod。注意:策略一旦选中目标pod,该pod就进入"隔离"状态,凡是没有被规则明确放行的入站流量一律拒绝;这里没有写 ports,所以放行的是该来源的全部端口和协议。

    
    # NetworkPolicy (case 1): ingress to the python tomcat pods is allowed only from
    # same-namespace pods labelled app=python-nginx-selector; everything else is denied.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: tomcat-access--networkpolicy
      namespace: python
    spec:
      policyTypes:
      - Ingress # only ingress is controlled; egress from the selected pods stays open
      podSelector:
        matchLabels:
          app: python-tomcat-app1-selector # target pods: once selected they are "isolated" and only traffic matched below gets in
      ingress: # no `ports` given here, so every port and protocol (TCP/UDP/SCTP) is allowed from the matched sources
      - from:
        - podSelector: # a podSelector without a namespaceSelector only matches pods in THIS namespace (python)
            matchLabels:
              app: python-nginx-selector
              #project: "python"
    

    效果:
    创建完后会在ns下生成一个networkpolicy

    root@k8s-master-01:~# kubectl get networkpolicies.networking.k8s.io -n python
    NAME                           POD-SELECTOR                      AGE
    tomcat-access--networkpolicy   app=python-tomcat-app1-selector   6m14s
    root@k8s-master-01:~# kubectl describe networkpolicies.networking.k8s.io tomcat-access--networkpolicy -n python
    Name:         tomcat-access--networkpolicy
    Namespace:    python
    Created on:   2022-08-17 13:40:48 +0800 CST
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     app=python-tomcat-app1-selector
      Allowing ingress traffic:
        To Port: <any> (traffic allowed to all ports)
        From:
          PodSelector: app=python-nginx-selector
      Not affecting egress traffic
      Policy Types: Ingress
    

    同namespace的nginx访问允许(注意:下面用 ping 测的是 Service 的 ClusterIP,ICMP 并不会经 Service 转发到 tomcat pod,ping 通并不能证明策略放行了;应改用 curl 访问 service 或 pod 的应用端口来验证,例如 `curl python-tomcat-app1-service.python.svc.magedu.local/app/index.jsp`)

    root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / # ping python-tomcat-app1-service.python.svc.magedu.local
    PING python-tomcat-app1-service.python.svc.magedu.local (10.200.232.133): 56 data bytes
    64 bytes from 10.200.232.133: seq=0 ttl=64 time=0.282 ms
    

    同namespace无标签的centos访问被拒绝(注意:下面这段记录并没有真正验证这一点——kubectl exec 因为没给命令而失败,随后的 ping 实际是在 master 宿主机上执行的,报错只是宿主机解析不了集群内域名,与NetworkPolicy无关。正确做法是在pod里发起请求并设置超时:`kubectl exec -it test-centos-pod -n python -- curl --max-time 5 python-tomcat-app1-service.python.svc.magedu.local/app/index.jsp`,预期超时)

    root@k8s-master-01:~# kubectl exec -it test-centos-pod -n python
    error: you must specify at least one command for the container
    root@k8s-master-01:~# ping python-tomcat-app1-service.python.svc.magedu.local -c 1
    ping: python-tomcat-app1-service.python.svc.magedu.local: Temporary failure in name resolution
    root@k8s-master-01:~# 
    

    不同ns的nginx访问被拒绝(注意:下面用错了pod名,exec 返回 NotFound,后面的 ping 同样是在宿主机上跑的,没有验证到策略。linux ns 的 nginx pod 是 linux-nginx-deployment-5cd9566d7f-rrd98,应执行 `kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 -n linux -- curl --max-time 5 python-tomcat-app1-service.python.svc.magedu.local/app/index.jsp`,预期超时)

    root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-7bbc6bf578-bntx4 -n linux sh
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    Error from server (NotFound): pods "linux-nginx-deployment-7bbc6bf578-bntx4" not found
    root@k8s-master-01:~# ping python-tomcat-app1-service.python.svc.magedu.local
    ping: python-tomcat-app1-service.python.svc.magedu.local: Temporary failure in name 
    

    通过宿主机直接访问 tomcat 的 NodePort 被拒绝(经 NodePort 进入的流量源IP通常已被SNAT成节点IP,不匹配 podSelector,所以连接超时)

    root@k8s-master-01:~# curl 192.168.31.113:30015/app/
    curl: (7) Failed to connect to 192.168.31.113 port 30015: Connection timed out
    

    通过nginx跳转tomcat访问允许(外部请求先到nginx的NodePort,再由nginx pod转发;nginx pod带有 app=python-nginx-selector 标签,是被明确放行的来源)

    root@k8s-master-01:~# curl 192.168.31.113:30014/app/
    python app in tomcat
    

    删除规则以免后续互相影响

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl delete -f case1-ingress-podSelector.yaml 
    networkpolicy.networking.k8s.io "tomcat-access--networkpolicy" deleted
    

    2.2 case2 Ingress 以pod为单位,只允许同ns下特定pod访问的特定端口

    相对上一题,多了个端口限制

    # NetworkPolicy (case 2): like case 1, but the allowed source may only reach TCP/8080.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: tomcat-access--networkpolicy
      namespace: python
    spec:
      policyTypes:
      - Ingress
      podSelector:
        matchLabels:
          app: python-tomcat-app1-selector # target pods (isolated for ingress once selected)
      ingress:
      - from:
        - podSelector: # same-namespace pods only (no namespaceSelector)
            matchLabels:
              app: python-nginx-selector
              #project: "python"
        ports: # `ports` is AND'd with the peers in `from`; omitting it would allow every port and protocol
        - protocol: TCP
          port: 8080 # only TCP/8080 on the target is reachable from the matched sources; every other port is denied
    

    生效并查看networkpolicy规则

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case2-ingress-podSelector-ns-SinglePort.yaml 
    networkpolicy.networking.k8s.io/tomcat-access--networkpolicy created
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
    NAME                           POD-SELECTOR                      AGE
    tomcat-access--networkpolicy   app=python-tomcat-app1-selector   10s
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
    Name:         tomcat-access--networkpolicy
    Namespace:    python
    Created on:   2022-08-17 14:06:11 +0800 CST
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     app=python-tomcat-app1-selector
      Allowing ingress traffic:
        To Port: 8080/TCP
        From:
          PodSelector: app=python-nginx-selector
      Not affecting egress traffic
      Policy Types: Ingress
    

    ns python,pod nginx访问允许

    root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / #  curl 172.100.76.176:8080/app/
    python app in tomcat
    

    ns python,pod centos访问拒绝

    root@k8s-master-01:~# kubectl exec -it test-centos-pod -n python bash
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    [root@test-centos-pod /]# curl 172.100.76.176:8080/app/
    curl: (7) Failed connect to 172.100.76.176:8080; Connection timed out
    

    ns linux,pod nginx访问拒绝

    root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 sh -n linux
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / # curl 172.100.76.176:8080/app/
    curl: (28) Failed to connect to 172.100.76.176 port 8080 after 129941 ms: Operation timed out
    

    直接从node访问被拒绝(注意:下面这段记录的提示符是 `[root@test-centos-pod /]#`,实际是在 centos pod 里执行的,和上一条重复,并没有在 node 上测试;要验证 node 直连,应在 root@k8s-master-01 上执行 `curl --max-time 5 172.100.76.176:8080/app/`,预期超时)

    [root@test-centos-pod /]# curl 172.100.76.176:8080/app/
    curl: (7) Failed connect to 172.100.76.176:8080; Connection timed out
    

    2.3 case3 Ingress 以pod为单位,只允许同ns下特定pod访问的多个特定端口

    相对上一题,允许访问的端口多了几个。注意:下面 describe 的输出里 From 显示的是 `PodSelector: <none>`(即实际应用的文件里写的是 `podSelector: {}`,放行同ns的全部pod),与这里贴出的 `app: python-nginx-selector` 不一致;后面的测试只用了本来就带标签的 nginx pod,区分不出这两种写法。请以实际生效的文件为准,并补一个用无标签 centos pod 访问的测试来确认。

    # NetworkPolicy (case 3): like case 2, but three destination ports are allowed.
    # NOTE(review): the `kubectl describe` output recorded for this case shows
    # `PodSelector: <none>` under From, i.e. the file that was actually applied used
    # `podSelector: {}` (every pod in the namespace) rather than the label below -- confirm which one was tested.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: tomcat-access--networkpolicy
      namespace: python
    spec:
      policyTypes:
      - Ingress
      podSelector:
        matchLabels:
          app: python-tomcat-app1-selector # target pods (isolated for ingress once selected)
      ingress:
      - from:
        - podSelector: # same-namespace pods only
            matchLabels:
              app: python-nginx-selector # allowed source pods
        ports: # AND'd with the peer above; omitting `ports` would allow every port and protocol
        - protocol: TCP
          port: 8080 # TCP/8080 is allowed; every port not listed here is denied for the matched sources
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    

    生效配置

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case3-ingress-podSelector-ns-MultiPort.yaml 
    networkpolicy.networking.k8s.io/tomcat-access--networkpolicy created
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
    NAME                           POD-SELECTOR                      AGE
    tomcat-access--networkpolicy   app=python-tomcat-app1-selector   10s
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
    Name:         tomcat-access--networkpolicy
    Namespace:    python
    Created on:   2022-08-17 14:17:47 +0800 CST
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     app=python-tomcat-app1-selector
      Allowing ingress traffic:
        To Port: 8080/TCP
        To Port: 80/TCP
        To Port: 443/TCP
        From:
          PodSelector: <none>
      Not affecting egress traffic
      Policy Types: Ingress
    

    效果就是当前ns下被 from 放行的pod可以访问这些端口,其它端口以及非当前ns的访问被拒绝。下面只用 nginx pod 测了 8080,tomcat 本身也没监听 80/443,所以"只放行了这几个端口"这一点并没有被验证;可以再用 `curl --max-time 5 172.100.76.176:8009/` 之类未放行的端口做个反例。

    ## python ns的pod
    root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / #  curl 172.100.76.176:8080/app/
    python app in tomcat
    / #  curl 172.100.76.176:8080/app/
    python app in tomcat
    / #  curl 172.100.76.176:8080/app/
    python app in tomcat
    ## 非python ns的pod
    root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 sh -n linux
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / # curl 172.100.76.176:8080/app/
    curl: (28) Failed to connect to 172.100.76.176 port 8080 after 130380 ms: Operation timed out
    

    2.4 case4 Ingress 以pod为单位,只允许同ns下的pod访问

    # NetworkPolicy (case 4): every pod in the python namespace accepts ingress only
    # from pods in the same namespace, on any port.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: tomcat-access--networkpolicy
      namespace: python
    spec:
      policyTypes:
      - Ingress
      podSelector: # target pods
        matchLabels: {} # empty selector = EVERY pod in the python namespace becomes isolated for ingress (the nginx pod included)
      ingress:
      - from:
        - podSelector: # empty selector = every pod, but still only pods in THIS namespace; cross-namespace and non-pod sources (nodes, NodePort clients) are denied
            matchLabels: {}
    

    效果和上题类似,但上题端口范围只有3个,这里没有指定 ports,那么目标pod上所有打开的端口都能被同ns下的pod访问,但跨ns则会被拒绝。注意目标 `podSelector: {}` 把python ns里的nginx也一起隔离了,而 from 只放行同ns的pod,集群外经 NodePort 30014 访问nginx预计也会被拒——需要时应为nginx单独写一条放行规则(例如用 ipBlock 放行外部网段)。

    ## python ns的pod
    root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / #  curl 172.100.76.176:8080/app/
    python app in tomcat
    ## 非python ns的pod
    root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 sh -n linux
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / # curl 172.100.76.176:8080/app/
    curl: (28) Failed to connect to 172.100.76.176 port 8080 after 130380 ms: Operation timed out
    

    2.5 case5 Ingress ipBlock白名单

    1. 源IP落在白名单cidr内且不在except里的pod都允许访问;没有被cidr覆盖的源一律拒绝
    2. 只用ipBlock匹配时完全不看namespace:其他namespace中没有落在except里的pod也可以访问目标Pod。这里的 172.100.0.0/16 覆盖了整个集群的pod网段(对照上文 linux/python ns 的pod IP),实际效果是放行所有pod、只"拉黑"一个IP。
    安全提示:用ipBlock针对pod IP做白/黑名单并不可靠——pod IP在重建或漂移后会变,except里的 172.100.109.123 只对当前这个 test-centos-pod 有效;经 NodePort/LoadBalancer 进入的流量源IP通常已被SNAT成节点IP,ipBlock 看到的不是真实来源。pod间的访问控制应优先用 podSelector/namespaceSelector,ipBlock 留给集群外的固定地址段。
    # NetworkPolicy (case 5): ingress to the python tomcat pods is allowed by source IP
    # range instead of by label.
    # NOTE(review): ipBlock is evaluated on the source IP as the CNI sees it. Pod IPs are
    # ephemeral and SNAT'd traffic (NodePort/LoadBalancer) arrives with the node IP, so
    # ipBlock is not a reliable way to control pod-to-pod access -- prefer podSelector /
    # namespaceSelector for that and keep ipBlock for fixed addresses outside the cluster.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: tomcat-access--networkpolicy
      namespace: python
    spec:
      policyTypes:
      - Ingress
      podSelector: # target pods
        matchLabels:
          app: python-tomcat-app1-selector
      ingress:
      - from:
    #    - podSelector: # (disabled) an empty selector here would allow every pod in this namespace
    #        matchLabels: {}
        - ipBlock:
            cidr: 172.100.0.0/16 # allow-list by source IP; this is the whole cluster pod CIDR (see the pod IPs above), so pods from ANY namespace are allowed
            except:
            - 172.100.109.123/32 # deny this single source; it is the current IP of test-centos-pod in ns linux and stops matching once that pod is recreated
        ports: # AND'd with the ipBlock above; omitting `ports` would allow every port and protocol
        - protocol: TCP
          port: 8080 # TCP/8080 only; other ports on the target are denied
          #port: 80
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 6379
    

    配置生效

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case5-ingress-ipBlock.yaml
    networkpolicy.networking.k8s.io/tomcat-access--networkpolicy created
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
    NAME                           POD-SELECTOR                      AGE
    tomcat-access--networkpolicy   app=python-tomcat-app1-selector   14s
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
    Name:         tomcat-access--networkpolicy
    Namespace:    python
    Created on:   2022-08-17 15:01:55 +0800 CST
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     app=python-tomcat-app1-selector
      Allowing ingress traffic:
        To Port: 8080/TCP
        To Port: 3306/TCP
        To Port: 6379/TCP
        From:
          IPBlock:
            CIDR: 172.100.0.0/16
            Except: 172.100.109.123/32
      Not affecting egress traffic
      Policy Types: Ingress
    

    按规则推断,ns python、ns default 和 ns linux 下的pod都可以访问(它们的IP都在 172.100.0.0/16 内),只有IP为 172.100.109.123 的pod被 except 拒绝。下面实际只测了 python 的 nginx pod(放行)和 172.100.109.123(拒绝),default/linux 的其他pod并没有测;另外这个 except 绑定的是pod的当前IP,pod 重建后IP变化,规则就不再拦它了。

    root@k8s-master-01:~# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 -n python sh
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / #  curl 172.100.76.176:8080/app/
    python app in tomcat
    ## ip为172.100.109.123的pod无法访问
    root@k8s-master-01:/# kubectl exec -it test-centos-pod bash -n linux
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    [root@test-centos-pod /]# hostname -I
    172.100.109.123 
    [root@test-centos-pod /]# curl 172.100.76.176:8080/app/
    curl: (7) Failed connect to 172.100.76.176:8080; Connection timed out
    

    2.6 case6 Ingress 只允许特定namespace中的pod访问当前ns下的所有pod

    # NetworkPolicy (case 6): every pod in the python namespace accepts ingress on three
    # ports, only from pods living in namespaces labelled nsname=linux or nsname=python.
    # NOTE(review): `nsname` is a hand-applied label (kubectl label ns ...). Anyone who can
    # label a namespace can add nsname=linux to their own namespace and be let in. The
    # `kubernetes.io/metadata.name` label visible in `kubectl describe ns` below is set and
    # enforced by the API server, so `kubernetes.io/metadata.name: linux` is the safer key.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: tomcat-access--networkpolicy
      namespace: python
    spec:
      policyTypes:
      - Ingress
      podSelector: # target pods
        matchLabels: {} # every pod in the python namespace (nginx included) is isolated for ingress
      ingress:
      - from:
        - namespaceSelector: # two separate list items = OR: any pod in a namespace labelled nsname=linux ...
            matchLabels:
              nsname: linux # the namespace label must exist exactly like this or nothing matches
        - namespaceSelector: # ... or any pod in a namespace labelled nsname=python
            matchLabels:
              nsname: python
        ports: # AND'd with both peers above; omitting `ports` would allow every port and protocol
        - protocol: TCP
          port: 8080 
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 6379
    

    配置生效

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case6-ingress-namespaceSelector.yaml
    networkpolicy.networking.k8s.io/tomcat-access--networkpolicy created
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python
    NAME                           POD-SELECTOR   AGE
    tomcat-access--networkpolicy   <none>         20s
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python
    Name:         tomcat-access--networkpolicy
    Namespace:    python
    Created on:   2022-08-17 15:19:54 +0800 CST
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
      Allowing ingress traffic:
        To Port: 8080/TCP
        To Port: 3306/TCP
        To Port: 6379/TCP
        From:
          NamespaceSelector: nsname=linux
        From:
          NamespaceSelector: nsname=python
      Not affecting egress traffic
      Policy Types: Ingress
    ## namespace的标签一定要对,否则 namespaceSelector 什么都匹配不到。安全提示:下面可以看到每个ns都自动带有 kubernetes.io/metadata.name=(ns名) 标签,它由API server维护、不能被改掉,用它写 namespaceSelector 比手工打的 nsname 标签更安全——nsname 这类标签任何有 namespace 编辑权限的人都能加到自己的 namespace 上,从而让自己的pod被放行。
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe ns linux
    Name:         linux
    Labels:       kubernetes.io/metadata.name=linux
                  nsname=linux
    Annotations:  <none>
    Status:       Active
    
    No resource quota.
    
    No LimitRange resource.
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe ns python
    Name:         python
    Labels:       kubernetes.io/metadata.name=python
                  nsname=python
    Annotations:  <none>
    Status:       Active
    
    No resource quota.
    
    No LimitRange resource.
    

    linux和python ns的pod访问被允许,其他来源(其他ns的pod、宿主机)被拒绝。注意目标 `podSelector: {}` 把python ns里的nginx也隔离了,集群外经 NodePort 30014 访问nginx预计同样会被拒;需要时应为nginx单独加一条放行规则。

    ## linux ns的pod访问允许
    root@k8s-master-01:~# kubectl exec -it linux-nginx-deployment-5cd9566d7f-rrd98 sh -n linux
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / # curl 172.100.76.176:8080/app/
    python app in tomcat
    
    ## python ns的pod访问被允许
    root@k8s-master-01:~# kubectl exec -it test-centos-pod -n python bash
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    [root@test-centos-pod /]# curl 172.100.76.176:8080/app/
    python app in tomcat
    
    ## 其他ns的访问拒绝
    root@k8s-master-01:~# kubectl exec -it test-centos-pod bash
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    [root@test-centos-pod /]# curl 172.100.76.176:8080/app/
    curl: (7) Failed connect to 172.100.76.176:8080; Connection timed out
    ## node直接访问也拒绝
    root@k8s-master-01:/# curl 172.100.76.176:8080/app/
    curl: (7) Failed to connect to 172.100.76.176 port 8080: Connection timed out
    

    2.7 Egress 出口方向限制目的IP和端口

    1. 基于Egress白名单,定义ns中匹配成功的pod可以访问ipBlock指定的地址和ports指定的端口(ports 对 to 里的每个目标都生效,to 的多个条目之间是"或"关系)
    2. 匹配成功的pod访问未明确定义在Egress白名单中的其他IP/端口的请求,将被拒绝。注意 172.100.0.0/16 是整个集群的pod网段,所以被选中的tomcat仍然可以访问任意namespace里任意pod的80端口,横向移动面并没有收得很小
    3. 没有匹配成功的源Pod,主动发起的出口访问请求不受影响
    4. 这里放行了 UDP 53,但后面的测试只用IP访问,没有验证DNS。集群DNS的 ClusterIP 应该和上文的 Service 一样在 10.200.x.x 网段,不在任何一个 ipBlock 里;解析是否可用取决于CNI是在 kube-proxy DNAT 之前还是之后匹配目的地址,请用域名实际测一下
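    # NetworkPolicy (case 7): restrict egress of the python tomcat pods to two destination
    # IP ranges and three destination ports.
    # NOTE(review): in the original listing the comment on the podSelector line wrapped onto
    # a new line ("网络限制"), which is not valid YAML; it is re-joined here.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: egress-access-networkpolicy
      namespace: python
    spec:
      policyTypes:
      - Egress # only egress is controlled; ingress to the selected pods stays open
      podSelector: # source pods whose outbound traffic is restricted
        matchLabels:  # match by label
          app: python-tomcat-app1-selector # pods in the python namespace with app=python-tomcat-app1-selector; everything they send must match a rule below
      egress:
      - to:
        - ipBlock:
            cidr: 172.100.0.0/16 # destination CIDR -- this is the whole cluster pod range, so any pod in any namespace is reachable on the ports below
        - ipBlock:
            cidr: 192.168.31.111/32 # a single node IP (used for the NodePort test below)
        ports: # AND'd with BOTH ipBlocks above (peers are OR'd with each other)
        - protocol: TCP
          port: 80 # destination port 80
        - protocol: TCP
          port: 30014 # NodePort of python-nginx-service on the node above
        - protocol: UDP
          port: 53 # intended for DNS; NOTE(review): the service IPs seen in this cluster are 10.200.x.x, so the DNS ClusterIP is presumably in neither ipBlock -- the tests below use raw IPs and never exercise it, TODO verify with a hostname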
    

    配置生效

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case7-Egress-ipBlock.yaml 
    networkpolicy.networking.k8s.io/egress-access-networkpolicy created
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python 
    NAME                          POD-SELECTOR                      AGE
    egress-access-networkpolicy   app=python-tomcat-app1-selector   2m55s
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python 
    Name:         egress-access-networkpolicy
    Namespace:    python
    Created on:   2022-08-17 15:47:32 +0800 CST
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     app=python-tomcat-app1-selector
      Not affecting ingress traffic
      Allowing egress traffic:
        To Port: 80/TCP
        To Port: 30014/TCP
        To Port: 53/UDP
        To:
          IPBlock:
            CIDR: 172.100.0.0/16
            Except: 
        To:
          IPBlock:
            CIDR: 192.168.31.111/32
            Except: 
      Policy Types: Egress
    

    测试(下面只验证了被放行的目标;建议再补反例确认未放行的目的/端口确实被拒,例如 `curl --max-time 5 172.100.109.124:8080/`(同一pod的未放行端口)以及用域名访问一次,看 DNS 是否真的可用)

    root@python-tomcat-app1-deployment-6b795c66d5-bp55c:/usr/local/tomcat# curl 172.100.109.124/app/
    linux app in tomcat
    
    
    root@python-tomcat-app1-deployment-6b795c66d5-bp55c:/usr/local/tomcat# curl 192.168.31.111:30014/app/
    python app in tomcat
    

    2.8 Egress 出口方向限制目的Pod和端口

    基于podSelector选择器,限制源pod能够访问的目的pod

    1. 匹配成功的源pod只能访问指定的目的pod的指定端口
    2. 其他没有被允许的出口请求将被禁止,包括DNS:to 里的 podSelector 只匹配本ns(python)内的pod,53端口也只对tomcat pod放行,所以发往集群DNS(通常是 kube-system 里的 CoreDNS)的查询会被拒绝,域名解析失败(见下面 www.baidu.com 解析不了)。要让被Egress策略选中的pod还能用DNS,必须单独加一条放行到 DNS 所在 namespace/pod 的 53/UDP+TCP 规则
    # NetworkPolicy (case 8): the python nginx pods may only send traffic to the python
    # tomcat pods, on TCP/8080 and 53.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: egress-access-networkpolicy
      namespace: python
    spec:
      policyTypes:
      - Egress
      podSelector: # source pods whose outbound traffic is restricted
        matchLabels:  # match by label
          app: python-nginx-selector # pods in the python namespace with app=python-nginx-selector (the nginx pods, not the tomcat ones)
      egress:
      - to:
        - podSelector: # destination pods; a podSelector without namespaceSelector only matches pods in THIS namespace (python)
            matchLabels:
              app: python-tomcat-app1-selector
        ports: # AND'd with the peer above: 8080/53 are allowed ONLY towards the tomcat pods
        - protocol: TCP
          port: 8080 # allow TCP/8080 (not 80) to the tomcat pods
        - protocol: TCP
          port: 53 # NOTE(review): this does NOT allow DNS -- the cluster DNS pods live in another namespace (normally kube-system), which this peer never matches, so name resolution fails (see the "Could not resolve host" test below)
        - protocol: UDP
          port: 53 # to keep DNS working add a second rule, for example:
    #  - to:
    #    - namespaceSelector:
    #        matchLabels:
    #          kubernetes.io/metadata.name: kube-system # API-server-managed label; narrow further with a podSelector for your DNS pods -- TODO confirm where DNS runs in this cluster
    #    ports:
    #    - protocol: UDP
    #      port: 53
    #    - protocol: TCP
    #      port: 53
    
    

    生效配置

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case8-Egress-PodSelector.yaml 
    networkpolicy.networking.k8s.io/egress-access-networkpolicy created
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python 
    NAME                          POD-SELECTOR                AGE
    egress-access-networkpolicy   app=python-nginx-selector   15s
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python 
    Name:         egress-access-networkpolicy
    Namespace:    python
    Created on:   2022-08-17 15:59:43 +0800 CST
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     app=python-nginx-selector
      Not affecting ingress traffic
      Allowing egress traffic:
        To Port: 8080/TCP
        To Port: 53/TCP
        To Port: 53/UDP
        To:
          PodSelector: app=python-tomcat-app1-selector
      Policy Types: Egress
    

    此时ns python下的nginx只能访问ns python下标签为app=python-tomcat-app1-selector的pod的8080端口。注意:上面的53端口规则与podSelector写在同一条egress规则中(同一条规则内的to与ports是"与"关系),因此DNS流量只被允许发往该tomcat pod而不是集群的DNS服务,所以下面curl www.baidu.com时域名解析失败;要真正放行DNS,需要单独写一条指向DNS服务所在namespace/pod的egress规则。

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 sh -n python
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / # curl 172.100.109.124
    ^C
    / # curl 172.100.109.124/app/
    ^C
    / # curl 172.100.76.176:8080/app/
    python app in tomcat
    / # curl www.baidu.com
    curl: (6) Could not resolve host: www.baidu.com
    

    2.9 Egress 只允许特定的Pod访问特定的NS的特定端口

    允许ns python中标签为app=python-nginx-selector的pod访问linux和python两个ns(仅限8080端口以及53端口),其他出口流量将被禁止

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: egress-access-networkpolicy
      namespace: python
    spec:
      policyTypes:
      - Egress
      podSelector: #目标pod选择器
        matchLabels:  #基于label匹配目标pod
          app: python-nginx-selector #匹配python namespace中app的值为python-nginx-selector的pod,然后基于egress中指定的网络策略进行出口方向的网络限制
      egress:
      - to:
        - namespaceSelector:
            matchLabels:
              nsname: python #指定允许访问的目的namespace
        - namespaceSelector:
            matchLabels:
              nsname: linux #指定允许访问的目的namespace
        ports:
        - protocol: TCP
          port: 8080 #允许访问目的namespace中pod的8080端口(tomcat)
        - protocol: TCP
          port: 53 #允许DNS的解析
        - protocol: UDP
          port: 53
    

    部署

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl apply -f case9-Egress-namespaceSelector.yaml 
    networkpolicy.networking.k8s.io/egress-access-networkpolicy created
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl get networkpolicies.networking.k8s.io -n python 
    NAME                          POD-SELECTOR                AGE
    egress-access-networkpolicy   app=python-nginx-selector   18s
    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl describe networkpolicies.networking.k8s.io -n python 
    Name:         egress-access-networkpolicy
    Namespace:    python
    Created on:   2022-08-17 16:13:15 +0800 CST
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     app=python-nginx-selector
      Not affecting ingress traffic
      Allowing egress traffic:
        To Port: 8080/TCP
        To Port: 53/TCP
        To Port: 53/UDP
        To:
          NamespaceSelector: nsname=python
        To:
          NamespaceSelector: nsname=linux
      Policy Types: Egress
    

    测试

    root@k8s-master-01:/opt/k8s-data/yaml/NetWorkPolicy-case/python-ns2# kubectl exec -it python-nginx-deployment-7bbc6bf578-bntx4 sh -n python
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    / # curl 172.100.76.176:8080/app/
    python app in tomcat
    / # curl 172.100.109.125:8080/app/
    linux app in tomcat
    / # curl 172.100.109.124/app/
    curl: (28) Failed to connect to 172.100.109.124 port 80 after 129999 ms: Operation timed out
    

    至此9种不同的情况已经实现,实际工作中这些ingress/egress规则通常会组合嵌套使用.

  • 原文地址:https://blog.csdn.net/qq_29974229/article/details/126388867