Kubernetes CKS 2021--网络策略networkpolicy

简介: Kubernetes CKS 2021--网络策略networkpolicy

Kubernetes NetworkPolicy 实战

tags: NetworkPolicy

文章目录

1. NetworkPolicy 策略

k8s官网: network policies

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

image.png

2. Practice - Frontend to Backend traffic

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

root@master:~# k run frontend --image=nginx
pod/frontend created
root@master:~# k run backend --image=nginx
pod/backend created
root@master:~# k expose pod frontend --port 80
service/frontend exposed
root@master:~# k expose pod backend --port 80
service/backend exposed
root@master:~# k get pods,svc
NAME           READY   STATUS    RESTARTS   AGE
pod/backend    1/1     Running   0          49s
pod/frontend   1/1     Running   0          58s
NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/backend      ClusterIP   10.104.232.138   <none>        80/TCP    14s
service/frontend     ClusterIP   10.111.199.32    <none>        80/TCP    23s
service/kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP   91d
root@master:~# k exec frontend -- curl backend
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0  11547      0 --:--:-- --:--:-- --:--:-- 11547
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@master:~# k exec backend -- curl frontend
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   119k      0 --:--:-- --:--:-- --:--:--  119k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@master:~# vim default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
root@master:~# k create -f default-deny.yaml
networkpolicy.networking.k8s.io/deny created
root@master:~# vim frontend.yaml
# allows frontend pods to communicate with backend pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: backend
root@master:~# k -f frontend.yaml create
networkpolicy.networking.k8s.io/frontend created
root@master:~# k exec frontend -- curl backend
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:08 --:--:--     0
root@master:~# vim backend.yaml
# allows backend pods to have incoming traffic from frontend pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend
root@master:~# k -f backend.yaml create
networkpolicy.networking.k8s.io/backend created
root@master:~# k exec frontend -- curl backend
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:08 --:--:--     0
root@master:~# k get pods --show-labels -owide
NAME       READY   STATUS    RESTARTS   AGE   IP                NODE    NOMINATED NODE   READINESS GATES   LABELS
backend    1/1     Running   0          29m   192.168.104.27    node2   <none>           <none>            run=backend
frontend   1/1     Running   0          30m   192.168.166.179   node1   <none>           <none>            run=frontend
root@master:~# k exec frontend -- curl 192.168.104.27
  % Total    % Received % X<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
ferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0  18545      0 --:--:-- --:--:-- --:--:-- 19125
root@master:~# k exec backend -- curl 192.168.166.179 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k

3. Practice - Backend to Database traffic

1035234-20181020215539574-213176954.png

kubectl create ns cassandra
kubectl edit ns cassandra 
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2021-04-20T07:19:22Z"
  name: cassandra
  resourceVersion: "533198"
  uid: 766ae069-4dc9-4acd-a4db-ce852c293cc6
  labels:  #添加
    ns: cassandra #添加
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
root@master:~# k  -n cassandra run cassandra --image=nginx
pod/cassandra created
root@master:~# k -n cassandra get pod -owide
NAME        READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE   READINESS GATES
cassandra   1/1     Running   0          73m   192.168.104.26   node2   <none>           <none>
root@master:~# k exec backend -- curl 192.168.104.26
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   597k      0 --:--:-- --:--:-- --:--:--  0
vim backend.yaml
# allows backend pods to have incoming traffic from frontend pods and to cassandra namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
      - podSelector:
          matchLabels:
            run: frontend
  egress:
    - to:
      - namespaceSelector:
          matchLabels:
            ns: cassandra
root@master:~# k apply -f backend.yaml
Warning: resource networkpolicies/backend is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
networkpolicy.networking.k8s.io/backend configured
root@master:~# k exec backend -- curl 192.168.104.26
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   597k      0 --:--:-- --:--:-- --:--:--  597k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@master:~# cat cassandra-deny.yaml
# deny all incoming and outgoing traffic from all pods in namespace cassandra
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra-deny
  namespace: cassandra
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
root@master:~# k create -f cassandra-deny.yaml 
networkpolicy.networking.k8s.io/cassandra-deny created
root@master:~# k exec backend -- curl 192.168.104.26
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0^C
# allows cassandra pods having incoming connection from backend namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra
  namespace: cassandra
spec:
  podSelector:
    matchLabels:
      run: cassandra
  policyTypes:
    - Ingress
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            ns: default
root@master:~# k create -f cassandra.yaml 
networkpolicy.networking.k8s.io/cassandra created
root@master:~# k edit ns default
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2021-01-19T03:27:58Z"
  labels: #添加
    ns: default   #添加
  name: default
  resourceVersion: "541475"
  uid: 2d566715-f0a4-49b3-b590-dfa7df30d0ba
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
root@master:~# k exec backend -- curl 192.168.104.26
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  597k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

参考:


k8s networkpolicy 网络策略详解

Kubernetes NetworkPolicy

Get started with Kubernetes network policy

Network Policy

Deep Dive into Network Policy

Kubernetes Network Policies: A Practitioner’s Guide


相关实践学习
通过Ingress进行灰度发布
本场景您将运行一个简单的应用,部署一个新的应用用于新的发布,并通过Ingress能力实现灰度发布。
容器应用与集群管理
欢迎来到《容器应用与集群管理》课程,本课程是“云原生容器Clouder认证“系列中的第二阶段。课程将向您介绍与容器集群相关的概念和技术,这些概念和技术可以帮助您了解阿里云容器服务ACK/ACK Serverless的使用。同时,本课程也会向您介绍可以采取的工具、方法和可操作步骤,以帮助您了解如何基于容器服务ACK Serverless构建和管理企业级应用。 学习完本课程后,您将能够: 掌握容器集群、容器编排的基本概念 掌握Kubernetes的基础概念及核心思想 掌握阿里云容器服务ACK/ACK Serverless概念及使用方法 基于容器服务ACK Serverless搭建和管理企业级网站应用
相关文章
|
24天前
|
存储 安全 网络安全
云计算时代的网络安全挑战与策略
【10月更文挑战第34天】在数字化转型的浪潮中,云计算作为一项关键技术,正深刻改变着企业的运营方式。然而,随着云服务的普及,网络安全问题也日益凸显。本文将探讨云计算环境下的安全挑战,并提出相应的防护策略。
|
4天前
|
存储 安全 网络安全
云计算与网络安全:探索云服务的安全挑战与策略
在数字化的浪潮下,云计算成为企业转型的重要推手。然而,随着云服务的普及,网络安全问题也日益凸显。本文将深入探讨云计算环境下的安全挑战,并提出相应的防护策略,旨在为企业构建安全的云环境提供指导。
|
11天前
|
云安全 监控 安全
云计算环境下的网络安全策略与实践
在数字化时代,云计算已成为企业和个人存储、处理数据的重要方式。然而,随着云服务的普及,网络安全问题也日益凸显。本文将探讨如何在云计算环境中实施有效的网络安全措施,包括加密技术、访问控制、安全监控和应急响应计划等方面。我们将通过具体案例分析,展示如何在实际场景中应用这些策略,以保护云中的数据不受威胁。
|
19天前
|
存储 安全 网络安全
云计算与网络安全:探索云服务中的信息安全策略
【10月更文挑战第39天】随着云计算的飞速发展,越来越多的企业和个人将数据和服务迁移到云端。然而,随之而来的网络安全问题也日益突出。本文将从云计算的基本概念出发,深入探讨在云服务中如何实施有效的网络安全和信息安全措施。我们将分析云服务模型(IaaS, PaaS, SaaS)的安全特性,并讨论如何在这些平台上部署安全策略。文章还将涉及最新的网络安全技术和实践,旨在为读者提供一套全面的云计算安全解决方案。
|
19天前
|
云安全 安全 网络安全
云计算与网络安全:技术挑战与解决策略
【10月更文挑战第39天】随着云计算技术的飞速发展,网络安全问题也日益凸显。本文将探讨云计算环境下的网络安全挑战,并提出相应的解决策略。通过分析云服务模型、网络安全威胁以及信息安全技术的应用,我们将揭示如何构建一个安全的云计算环境。
|
22天前
|
云安全 安全 网络安全
云计算与网络安全:挑战与应对策略####
云计算作为信息技术的一场革命,为数据存储和计算提供了前所未有的便利和效率。然而,随着云计算的广泛应用,其带来的网络安全问题也日益凸显。本文将探讨云计算环境下的主要网络安全挑战,包括数据泄露、网络攻击、身份和访问管理等问题,并分析云服务提供商和企业用户如何通过技术手段和管理策略来应对这些挑战。此外,还将讨论云计算与信息安全领域的最新发展趋势,旨在为读者提供一个全面的理解和实用的指导。通过深入剖析云计算的工作原理和安全机制,我们可以更好地理解如何保护我们的网络和信息安全。只有云计算提供商和用户共同努力,才能建立一个安全可靠的云计算环境。 ####
|
22天前
|
监控 安全 网络安全
网络安全的盾牌:漏洞防御与加密技术的现代策略
【10月更文挑战第36天】在数字化浪潮中,网络安全成为保护个人隐私和企业资产的关键防线。本文深入探讨网络安全漏洞的成因、影响及防御措施,并分析加密技术如何为信息安全提供坚固保障。通过案例分析和代码示例,揭示提升安全意识的重要性及其在防范网络攻击中的作用,旨在为读者提供一套全面的网络安全解决方案和预防策略。
|
27天前
|
存储 安全 云计算
云上防线:云计算时代的网络安全策略
云上防线:云计算时代的网络安全策略
36 4
|
23天前
|
Kubernetes 监控 Java
如何设置 Kubernetes的垃圾回收策略为定期
如何设置 Kubernetes的垃圾回收策略为定期
|
23天前
|
Kubernetes Java 调度
Kubernetes中的Pod垃圾回收策略是什么
Kubernetes中的Pod垃圾回收策略是什么