
Kubernetes 1.19.0: Network Policies

Original
Author: gz_naldo
Modified 2020-10-15 17:54:41

Network policy: think of it as a firewall

Create two pods and label them
[root@vms61 chap10-net]# kubectl run pod1 --image=nginx --image-pull-policy=IfNotPresent --labels="name=pod1"
pod/pod1 created
[root@vms61 chap10-net]# kubectl run pod2 --image=nginx --image-pull-policy=IfNotPresent --labels="name=pod2"
pod/pod2 created
[root@vms61 chap10-net]# kubectl get pods
NAME   READY   STATUS    RESTARTS   AGE
pod1   1/1     Running   0          16s
pod2   1/1     Running   0          6s
[root@vms61 chap10-net]# kubectl get pods --show-labels 
NAME   READY   STATUS    RESTARTS   AGE   LABELS
pod1   1/1     Running   0          21s   name=pod1
pod2   1/1     Running   0          11s   name=pod2

Create two services (svc)
[root@vms61 chap10-net]# kubectl expose --name=svc1 pod pod1 --port=80 --type=NodePort 
service/svc1 exposed
[root@vms61 chap10-net]# kubectl expose --name=svc2 pod pod2 --port=80 --type=NodePort 
service/svc2 exposed
[root@vms61 chap10-net]# kubectl get svc
NAME   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
svc1   NodePort   10.110.91.208   <none>        80:32614/TCP   11s
svc2   NodePort   10.97.135.59    <none>        80:31706/TCP   4s

Verify that both services are reachable
[root@vms61 chap10-net]# kubectl run pod-test --image=nginx --image-pull-policy=IfNotPresent
pod/pod-test created
[root@vms61 chap10-net]# kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
pod-test   1/1     Running   0          3s
pod1       1/1     Running   0          5m33s
pod2       1/1     Running   0          5m23s
[root@vms61 chap10-net]# kubectl exec -it pod1 -- bash
root@pod1:/# echo 11111 > /usr/share/nginx/html/index.html 
root@pod1:/# exit
exit
[root@vms61 chap10-net]# kubectl exec -it pod2 -- bash
root@pod2:/# echo 22222 > /usr/share/nginx/html/index.html      
root@pod2:/# exit
exit
[root@vms61 chap10-net]# kubectl get svc
NAME   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
svc1   NodePort   10.110.91.208   <none>        80:32614/TCP   6m33s
svc2   NodePort   10.97.135.59    <none>        80:31706/TCP   6m26s
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curs -s svc1
bash: curs: command not found
root@pod-test:/# curl -s svc1 
11111
root@pod-test:/# curl -s svc2
22222

With the NodePort appended, the browser can reach them too.
Only clients that satisfy the role condition are allowed in. Here pod-test's labels do not satisfy the role selector, so its request to svc1 fails.
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
      name: pod1
  policyTypes:
  - Ingress
  ingress:
  - from:
   # - ipBlock:
   #     cidr: 172.17.0.0/16
   #     except:
   #     - 172.17.1.0/24
   # - namespaceSelector:
   #     matchLabels:
   #       project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml 
networkpolicy.networking.k8s.io/mypolicy created
[root@vms61 chap10-net]# kubectl get pods --show-labels 
NAME       READY   STATUS    RESTARTS   AGE   LABELS
pod-test   1/1     Running   0          51m   run=pod-test
pod1       1/1     Running   0          57m   name=pod1
pod2       1/1     Running   0          57m   name=pod2
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc2
22222
root@pod-test:/# curl -s svc1
^C
root@pod-test:/# exit

After adding the role=frontend label, access works again
[root@vms61 chap10-net]# kubectl label pod pod-test role=frontend
pod/pod-test labeled
[root@vms61 chap10-net]# kubectl get pods --show-labels 
NAME       READY   STATUS    RESTARTS   AGE   LABELS
pod-test   1/1     Running   0          54m   role=frontend,run=pod-test
pod1       1/1     Running   0          60m   name=pod1
pod2       1/1     Running   0          60m   name=pod2
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc1
11111
root@pod-test:/# exit
Exit

Modify the config file so that only the 192.168.135.0/24 subnet is allowed to connect
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
      app: xx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.135.0/24
   #     except:
   #     - 172.17.1.0/24
   # - namespaceSelector:
   #     matchLabels:
   #       project: myproject
   # - podSelector:
   #     matchLabels:
   #       role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml 
networkpolicy.networking.k8s.io/mypolicy unchanged
[root@vms61 chap10-net]# kubectl get pods --show-labels 
NAME       READY   STATUS    RESTARTS   AGE   LABELS
pod-test   1/1     Running   0          65m   run=pod-test
pod1       1/1     Running   0          70m   app=xx,name=pod1
pod2       1/1     Running   0          70m   app=xx,name=pod2
[root@vms61 chap10-net]#  kubectl label pod pod-test role=frontend
pod/pod-test labeled
[root@vms61 chap10-net]# kubectl get svc
NAME   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
svc1   NodePort   10.110.91.208   <none>        80:32614/TCP   68m
svc2   NodePort   10.97.135.59    <none>        80:31706/TCP   68m

Test: access succeeds.
Here access fails, because the client is on a different subnet.
If both entries are enabled, a client that satisfies either one of the conditions can connect.
If matchLabels is left empty, the policy applies to every pod in the namespace.
[root@vms61 chap10-net]#  kubectl get pods --show-labels 
NAME       READY   STATUS    RESTARTS   AGE   LABELS
pod-test   1/1     Running   0          77m   run=pod-test
pod1       1/1     Running   0          82m   app=xx,name=pod1
pod2       1/1     Running   0          82m   app=xx,name=pod2
[root@vms61 chap10-net]# cat net1.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
   # - ipBlock:
   #     cidr: 192.168.135.0/24
   #     except:
   #     - 172.17.1.0/24
   # - namespaceSelector:
   #     matchLabels:
   #       project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml 
networkpolicy.networking.k8s.io/mypolicy configured
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc1
^C
root@pod-test:/# curl -s svc2
^C
root@pod-test:/# 

What if pods in another namespace, for example default, also need access?

Uncomment namespaceSelector and fill in the label carried by the default namespace, and access works
[root@vms61 chap10-net]# kubectl run pod-test1 --image=nginx --image-pull-policy=IfNotPresent -n default
pod/pod-test1 created
[root@vms61 chap10-net]# kubectl get pods -n default
NAME        READY   STATUS    RESTARTS   AGE
pod-test1   1/1     Running   0          9s
[root@vms61 chap10-net]# kubectl get pods -n default --show-labels 
NAME        READY   STATUS    RESTARTS   AGE   LABELS
pod-test1   1/1     Running   0          17s   run=pod-test1
[root@vms61 chap10-net]# kubectl label pod pod-test1 -n default role=frontend
pod/pod-test1 labeled
[root@vms61 chap10-net]# kubectl get pods -n default --show-labels 
NAME        READY   STATUS    RESTARTS   AGE     LABELS
pod-test1   1/1     Running   0          5m30s   role=frontend,run=pod-test1
[root@vms61 chap10-net]# kubectl label ns default aa=bb
namespace/default labeled
[root@vms61 chap10-net]# cat net1.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
   # - ipBlock:
   #     cidr: 192.168.135.0/24
   #     except:
   #     - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          aa: bb
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml 
networkpolicy.networking.k8s.io/mypolicy configured
[root@vms61 chap10-net]# kubectl exec -it -n default pod-test -- bash
Error from server (NotFound): pods "pod-test" not found
[root@vms61 chap10-net]# kubectl exec -it -n default pod-test1 -- bash
root@pod-test1:/# curl -s svc1
^C
root@pod-test1:/# curl -s svc1.chap10-net
11111
root@pod-test1:/# curl -s svc2.chap10-net 
22222
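The two rules the post relies on (an empty matchLabels selects every pod; separate entries under from are ORed, while a namespaceSelector and a podSelector in the same entry are ANDed) can be checked offline with the evaluator below. It is an added example, not code from the original post; the policy dicts mirror the post's net1.yaml, and the namespace name chap10-net and the source-pod descriptions are constructed assumptions.

```python
# Added example (not from the original post): evaluates the NetworkPolicy
# 'from' semantics the post exercises. Policies are plain dicts shaped like the
# parsed YAML, so this runs without a cluster or PyYAML.
import ipaddress

def selector_matches(selector, labels):
    # 'matchLabels:' left empty (YAML null) or {} selects everything.
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_allowed(peer, policy_ns, src):
    # src describes the connecting pod: {"ns", "ns_labels", "labels", "ip"}
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in block.get("except", []))
    if "namespaceSelector" in peer:
        ns_ok = selector_matches(peer["namespaceSelector"], src["ns_labels"])
    else:  # a bare podSelector only matches pods in the policy's own namespace
        ns_ok = src["ns"] == policy_ns
    pod_ok = selector_matches(peer["podSelector"], src["labels"]) if "podSelector" in peer else True
    return ns_ok and pod_ok  # both keys in ONE list element = AND

def ingress_allowed(policy, policy_ns, target_labels, src, port=80):
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True
    if not selector_matches(spec.get("podSelector"), target_labels):
        return True  # the target pod is not selected, so this policy does not apply
    for rule in spec.get("ingress", []):
        ports = rule.get("ports")
        if ports and not any(p.get("port") == port for p in ports):
            continue
        # separate list elements under 'from' are ORed; a rule with no 'from' allows any source
        if "from" not in rule or any(peer_allowed(p, policy_ns, src) for p in rule["from"]):
            return True
    return False  # selected pod and no rule matched: connection denied

# Constructed from the post's final net1.yaml, applied in namespace chap10-net.
FINAL_POLICY = {"spec": {"podSelector": {"matchLabels": None}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"aa": "bb"}}},
                          {"podSelector": {"matchLabels": {"role": "frontend"}}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}]}}
POD1 = {"name": "pod1", "app": "xx"}  # pod1's labels as shown in the post

def check(src, policy=FINAL_POLICY):
    return ingress_allowed(policy, "chap10-net", POD1, src)
```

With the final policy, any pod in a namespace labelled aa=bb is admitted by the namespaceSelector entry alone, even without role=frontend; moving the podSelector into the same list element turns that into an AND.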

Original work notice: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

If it infringes on your rights, contact cloudcommunity@tencent.com for removal.
