Knowledge Sharing – Kubernetes 1.19.0: Network Policies

A network policy can be understood as a firewall for pod traffic.

Create two pods and give each a label
[root@vms61 chap10-net]# kubectl run pod1 --image=nginx --image-pull-policy=IfNotPresent --labels="name=pod1"
pod/pod1 created
[root@vms61 chap10-net]# kubectl run pod2 --image=nginx --image-pull-policy=IfNotPresent --labels="name=pod2"
pod/pod2 created
[root@vms61 chap10-net]# kubectl get pods
NAME   READY   STATUS    RESTARTS   AGE
pod1   1/1     Running   0          16s
pod2   1/1     Running   0          6s
[root@vms61 chap10-net]# kubectl get pods --show-labels 
NAME   READY   STATUS    RESTARTS   AGE   LABELS
pod1   1/1     Running   0          21s   name=pod1
pod2   1/1     Running   0          11s   name=pod2

Create two services (svc)
[root@vms61 chap10-net]# kubectl expose --name=svc1 pod pod1 --port=80 --type=NodePort 
service/svc1 exposed
[root@vms61 chap10-net]# kubectl expose --name=svc2 pod pod2 --port=80 --type=NodePort 
service/svc2 exposed
[root@vms61 chap10-net]# kubectl get svc
NAME   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
svc1   NodePort   10.110.91.208   <none>        80:32614/TCP   11s
svc2   NodePort   10.97.135.59    <none>        80:31706/TCP   4s

Test that both services are reachable
[root@vms61 chap10-net]# kubectl run pod-test --image=nginx --image-pull-policy=IfNotPresent
pod/pod-test created
[root@vms61 chap10-net]# kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
pod-test   1/1     Running   0          3s
pod1       1/1     Running   0          5m33s
pod2       1/1     Running   0          5m23s
[root@vms61 chap10-net]# kubectl exec -it pod1 -- bash
root@pod1:/# echo 11111 > /usr/share/nginx/html/index.html 
root@pod1:/# exit
exit
[root@vms61 chap10-net]# kubectl exec -it pod2 -- bash
root@pod2:/# echo 22222 > /usr/share/nginx/html/index.html      
root@pod2:/# exit
exit
[root@vms61 chap10-net]# kubectl get svc
NAME   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
svc1   NodePort   10.110.91.208   <none>        80:32614/TCP   6m33s
svc2   NodePort   10.97.135.59    <none>        80:31706/TCP   6m26s
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curs -s svc1
bash: curs: command not found
root@pod-test:/# curl -s svc1 
11111
root@pod-test:/# curl -s svc2
22222

With the NodePort appended, the services can also be reached from a browser.
Now apply a policy under which only clients carrying the role=frontend label may connect. pod-test's labels do not include role, so its requests to svc1 fail (svc2, which the policy does not select, stays reachable):
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
      name: pod1
  policyTypes:
  - Ingress
  ingress:
  - from:
   # - ipBlock:
   #     cidr: 172.17.0.0/16
   #     except:
   #     - 172.17.1.0/24
   # - namespaceSelector:
   #     matchLabels:
   #       project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml 
networkpolicy.networking.k8s.io/mypolicy created
[root@vms61 chap10-net]# kubectl get pods --show-labels 
NAME       READY   STATUS    RESTARTS   AGE   LABELS
pod-test   1/1     Running   0          51m   run=pod-test
pod1       1/1     Running   0          57m   name=pod1
pod2       1/1     Running   0          57m   name=pod2
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc2
22222
root@pod-test:/# curl -s svc1
^C
root@pod-test:/# exit

After adding the role=frontend label, access works again
[root@vms61 chap10-net]# kubectl label pod pod-test role=frontend
pod/pod-test labeled
[root@vms61 chap10-net]# kubectl get pods --show-labels 
NAME       READY   STATUS    RESTARTS   AGE   LABELS
pod-test   1/1     Running   0          54m   role=frontend,run=pod-test
pod1       1/1     Running   0          60m   name=pod1
pod2       1/1     Running   0          60m   name=pod2
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc1
11111
root@pod-test:/# exit
Exit

Modify the policy file so that only the 192.168.135.0/24 subnet is allowed to access
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
      app: xx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.135.0/24
   #     except:
   #     - 172.17.1.0/24
   # - namespaceSelector:
   #     matchLabels:
   #       project: myproject
   # - podSelector:
   #     matchLabels:
   #       role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml 
networkpolicy.networking.k8s.io/mypolicy unchanged
[root@vms61 chap10-net]# kubectl get pods --show-labels 
NAME       READY   STATUS    RESTARTS   AGE   LABELS
pod-test   1/1     Running   0          65m   run=pod-test
pod1       1/1     Running   0          70m   app=xx,name=pod1
pod2       1/1     Running   0          70m   app=xx,name=pod2
[root@vms61 chap10-net]#  kubectl label pod pod-test role=frontend
pod/pod-test labeled
[root@vms61 chap10-net]# kubectl get svc
NAME   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
svc1   NodePort   10.110.91.208   <none>        80:32614/TCP   68m
svc2   NodePort   10.97.135.59    <none>        80:31706/TCP   68m

Testing from a client in that subnet: access works.
From pod-test access fails, because its address is on a different subnet.
If both entries under from are uncommented, a client that satisfies either one of the conditions is allowed through.
If matchLabels is left empty, the policy applies to all pods (in the policy's namespace).
[root@vms61 chap10-net]#  kubectl get pods --show-labels 
NAME       READY   STATUS    RESTARTS   AGE   LABELS
pod-test   1/1     Running   0          77m   run=pod-test
pod1       1/1     Running   0          82m   app=xx,name=pod1
pod2       1/1     Running   0          82m   app=xx,name=pod2
[root@vms61 chap10-net]# cat net1.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
   # - ipBlock:
   #     cidr: 192.168.135.0/24
   #     except:
   #     - 172.17.1.0/24
   # - namespaceSelector:
   #     matchLabels:
   #       project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml 
networkpolicy.networking.k8s.io/mypolicy configured
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc1
^C
root@pod-test:/# curl -s svc2
^C
root@pod-test:/# 

What if pods in another namespace, for example default, need access?

Uncomment the namespaceSelector and fill in a label carried by the default namespace; pods there can then reach the services.
[root@vms61 chap10-net]# kubectl run pod-test1 --image=nginx --image-pull-policy=IfNotPresent -n default
pod/pod-test1 created
[root@vms61 chap10-net]# kubectl get pods -n default
NAME        READY   STATUS    RESTARTS   AGE
pod-test1   1/1     Running   0          9s
[root@vms61 chap10-net]# kubectl get pods -n default --show-labels 
NAME        READY   STATUS    RESTARTS   AGE   LABELS
pod-test1   1/1     Running   0          17s   run=pod-test1
[root@vms61 chap10-net]# kubectl label pod pod-test1 -n default role=frontend
pod/pod-test1 labeled
[root@vms61 chap10-net]# kubectl get pods -n default --show-labels 
NAME        READY   STATUS    RESTARTS   AGE     LABELS
pod-test1   1/1     Running   0          5m30s   role=frontend,run=pod-test1
[root@vms61 chap10-net]# kubectl label ns default aa=bb
namespace/default labeled
[root@vms61 chap10-net]# cat net1.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
   # - ipBlock:
   #     cidr: 192.168.135.0/24
   #     except:
   #     - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          aa: bb
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml 
networkpolicy.networking.k8s.io/mypolicy configured
[root@vms61 chap10-net]# kubectl exec -it -n default pod-test -- bash
Error from server (NotFound): pods "pod-test" not found
[root@vms61 chap10-net]# kubectl exec -it -n default pod-test1 -- bash
root@pod-test1:/# curl -s svc1
^C
root@pod-test1:/# curl -s svc1.chap10-net
11111
root@pod-test1:/# curl -s svc2.chap10-net 
22222
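The policies above share one set of rules: the spec's podSelector picks the protected pods (an empty matchLabels selects them all), each entry under from is an independent allow (OR), and the fields inside a single entry are combined (AND). The following evaluator, added here as an illustration and not part of the original post, implements those rules and replays the page's scenarios; the pod names, namespace labels and IP addresses in it are constructed test data.

```python
# Added example, not from the original post: a small evaluator for the
# NetworkPolicy ingress semantics used above. Policies are dicts shaped like
# the page's YAML; pods, namespaces and IPs below are constructed test data.
import ipaddress

def _matches(selector, labels):
    """matchLabels semantics: a missing or empty selector matches everything."""
    want = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in want.items())

def _peer_allows(peer, src, policy_ns):
    """One entry of `from`. Fields inside a single entry are ANDed together."""
    if "ipBlock" in peer:
        blk, ip = peer["ipBlock"], ipaddress.ip_address(src["ip"])
        if ip not in ipaddress.ip_network(blk["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if "namespaceSelector" in peer:
        if not _matches(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["ns"] != policy_ns:  # a lone podSelector only covers the policy's own namespace
        return False
    return _matches(peer.get("podSelector"), src["labels"]) if "podSelector" in peer else True

def ingress_allowed(policies, policy_ns, dst_labels, src, port=80):
    """True if src may reach a pod carrying dst_labels (in policy_ns) on `port`."""
    selected = [p for p in policies if "Ingress" in p["spec"].get("policyTypes", [])
                and _matches(p["spec"].get("podSelector"), dst_labels)]
    if not selected:
        return True  # no policy selects the pod, so all ingress is allowed
    for p in selected:
        for rule in p["spec"].get("ingress", []):
            ports = rule.get("ports")
            if ports and not any(pt.get("port") == port for pt in ports):
                continue
            # a rule without `from` admits any source; entries in `from` are ORed
            if "from" not in rule or any(_peer_allows(pe, src, policy_ns) for pe in rule["from"]):
                return True
    return False

def policy(pod_sel, peers):
    """Build a policy dict like net1.yaml: select pod_sel, allow TCP/80 from peers."""
    return {"spec": {"podSelector": pod_sel, "policyTypes": ["Ingress"],
                     "ingress": [{"from": peers, "ports": [{"protocol": "TCP", "port": 80}]}]}}

# Constructed sources mirroring the page: pod-test in chap10-net, pod-test1 in default.
POD_TEST = {"ns": "chap10-net", "ns_labels": {}, "labels": {"run": "pod-test"}, "ip": "10.244.1.5"}
POD_TEST_FE = dict(POD_TEST, labels={"run": "pod-test", "role": "frontend"})
POD_TEST1 = {"ns": "default", "ns_labels": {"aa": "bb"}, "labels": {"run": "pod-test1"}, "ip": "10.244.2.7"}
NS_PEER = {"namespaceSelector": {"matchLabels": {"aa": "bb"}}}
ROLE_PEER = {"podSelector": {"matchLabels": {"role": "frontend"}}}
```

Merging NS_PEER and ROLE_PEER into one from entry (no leading dash before podSelector) turns the OR into an AND, which is the most common way such a policy ends up stricter or looser than intended. The evaluator models the API semantics only; in a real cluster enforcement depends on the CNI plugin supporting NetworkPolicy.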
