
Note: the prerequisite is that the cluster uses a network solution (CNI plugin) that supports NetworkPolicy.
By default there is no network policy in place, and:

Explanation:
As shown above: create two pods from the standard nginx image, expose port 80 on each, then exec into each container and curl the other. Both return the nginx index.html, which verifies that the two containers can reach each other.
root@cks-master:~# kubectl run frontend --image=nginx
pod/frontend created
root@cks-master:~# kubectl run backend --image=nginx
pod/backend created
root@cks-master:~# kubectl expose pods frontend --port=80
service/frontend exposed
root@cks-master:~# kubectl expose pods backend --port=80
service/backend exposed
root@cks-master:~# kubectl get pods,svc
NAME READY STATUS RESTARTS AGE
pod/backend 1/1 Running 0 34s
pod/frontend 1/1 Running 0 39s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/backend ClusterIP 10.104.226.85 <none> 80/TCP 7s
service/frontend ClusterIP 10.98.161.118 <none> 80/TCP 16s
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 37d
root@cks-master:~# kubectl exec frontend curl backend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
100 612 100 612 0 0 298k 0 --:--:-- --:--:-- --:--:-- 298k
root@cks-master:~# kubectl exec backend curl frontend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 298k 0 --:--:-- --:--:-- --:--:-- 298k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Open the Network Policies page in the official Kubernetes documentation (https://kubernetes.io/docs/concepts/services-networking/network-policies/) and copy the example manifest.


root@cks-master:~/work# vim default-deny.yaml
root@cks-master:~/work# kubectl apply -f default-deny.yaml
networkpolicy.networking.k8s.io/default-deny created
root@cks-master:~/work# cat default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
root@cks-master:~/work# kubectl exec frontend curl backend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0^C
root@cks-master:~/work# kubectl exec backend curl frontend
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:19 --:--:-- 0curl: (6) Could not resolve host: frontend
command terminated with exit code 6
The session above verifies that the default-deny network policy blocks all traffic between the backend and frontend services.
I think this part should be made a bit more complex, as in the figure below:

# cat backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend

# cat frontend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: backend

On where the matchLabels values come from:

kubectl apply -f backend.yaml
kubectl apply -f frontend.yaml
But the connection still fails. Why?


Something fundamental was overlooked: DNS resolution was never allowed through, which is exactly what the curl error above ("Could not resolve host: frontend") is telling us. Remember the default DNS port? Service name resolution inside Kubernetes is handled by CoreDNS (older versions used kube-dns, and SkyDNS before that, if I remember correctly), so the DNS protocol must be allowed.
## deny.yaml ##
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
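The post's three steps (default deny, then the backend ingress and frontend egress allow rules, then the DNS egress fix) worked through in an added Python model of how NetworkPolicy selection and isolation are evaluated; this is example code, not from the post or from Kubernetes itself. It assumes kube-dns lives in kube-system with a constructed label, models only podSelector peers, policy namespace and port/protocol matching (no namespaceSelector or ipBlock), and reads the bare `to:` in deny.yaml as "any destination".

```python
# Added example, not from the original post or Kubernetes: an offline model of the
# NetworkPolicy semantics the post relies on (podSelector peers, policy namespace,
# port/protocol). namespaceSelector and ipBlock are not modelled.
# Constructed sample pods: name -> (namespace, labels). kube-dns is assumed to live in
# kube-system with this label, as in a standard cluster (the post does not show it).
PODS = {
    "frontend": ("default", {"run": "frontend"}),
    "backend": ("default", {"run": "backend"}),
    "kube-dns": ("kube-system", {"k8s-app": "kube-dns"}),
}

def selects(selector, labels):
    """matchLabels subset match; podSelector: {} (as in default-deny) selects all pods."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def rule_matches(rule, peer_key, pol_ns, other, port, proto):
    """No peers (to:/from: null) = any peer in any namespace; a podSelector peer
    matches only pods in the policy's own namespace. No ports = any port."""
    peers, ports = rule.get(peer_key), rule.get("ports")
    ns, labels = PODS[other]
    peer_ok = not peers or any(ns == pol_ns and selects(p.get("podSelector"), labels) for p in peers)
    port_ok = not ports or any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)
    return peer_ok and port_ok

def direction_allowed(policies, pod, other, port, proto, kind):
    """kind 'Ingress': pod receives from other; 'Egress': pod sends to other. A pod no
    policy selects for that type is non-isolated; a selected pod needs an allowing rule."""
    key, peer_key = ("ingress", "from") if kind == "Ingress" else ("egress", "to")
    ns, labels = PODS[pod]
    isolated = False
    for pol in policies:
        if pol["namespace"] != ns or kind not in pol["policyTypes"] or not selects(pol["podSelector"], labels):
            continue
        isolated = True
        if any(rule_matches(r, peer_key, ns, other, port, proto) for r in pol.get(key) or []):
            return True
    return not isolated

def flow_allowed(policies, src, dst, port, proto="TCP"):
    """Both the sender's egress and the receiver's ingress must allow the flow."""
    return (direction_allowed(policies, src, dst, port, proto, "Egress")
            and direction_allowed(policies, dst, src, port, proto, "Ingress"))

# The post's policies transcribed as dicts; deny.yaml's bare `to:` is null, i.e. any destination.
DEFAULT_DENY = {"namespace": "default", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]}
BACKEND = {"namespace": "default", "podSelector": {"matchLabels": {"run": "backend"}}, "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "frontend"}}}]}]}
FRONTEND = {"namespace": "default", "podSelector": {"matchLabels": {"run": "frontend"}}, "policyTypes": ["Egress"],
            "egress": [{"to": [{"podSelector": {"matchLabels": {"run": "backend"}}}]}]}
ALLOW_DNS = {"namespace": "default", "podSelector": {}, "policyTypes": ["Egress", "Ingress"],
             "egress": [{"to": None, "ports": [{"port": 53, "protocol": "TCP"}, {"port": 53, "protocol": "UDP"}]}]}
```

In this model, `flow_allowed([DEFAULT_DENY, BACKEND, FRONTEND], "frontend", "kube-dns", 53, "UDP")` is False, which is the "still fails" step above; adding ALLOW_DNS makes it True while backend to frontend on port 80 stays blocked.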

About namespace labels (a newly created namespace has none by default; you can add your own):





Original-content notice: this article was published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.
If you believe it infringes your rights, contact cloudcommunity@tencent.com to have it removed.