Series index: K8s networking with Calico, the "from getting started to giving up" series
1. Create the service

kubectl create ns advanced-policy-demo

Because k8s v1.18.2 dropped the replicas option (the --replicas flag of kubectl run), the nginx service is created from a YAML file instead:

vim nginx-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: advanced-policy-demo
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

kubectl apply -f nginx-deployment.yaml

Create a Service for nginx and expose port 80:

kubectl expose --namespace=advanced-policy-demo deployment nginx --port=80

Verify access from a throw-away busybox pod in the same namespace:

kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
wget -q --timeout=5 nginx -O -

Also test outbound access to Baidu:

wget -q --timeout=5 www.baidu.com -O -
2. Deny all ingress traffic

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
EOF

2.1 Verify access

kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
wget -q --timeout=5 nginx -O -
wget -q --timeout=5 www.baidu.com -O -

As you can see, ingress access to the nginx service is denied, while egress access to the outbound Internet is still allowed.
3. Allow ingress traffic to nginx

Create a NetworkPolicy that allows traffic from any pod in the advanced-policy-demo namespace to the nginx pods:

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels: {}
EOF

Verify access to the nginx service:

kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
wget -q --timeout=5 nginx -O -

With the policy created, we can now reach the nginx service.
4. Deny all egress traffic

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
EOF

4.1 Verify access: all egress denied

Now any inbound or outbound traffic that is not explicitly allowed by a policy is denied.

kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
nslookup nginx
wget -q --timeout=5 www.baidu.com -O -
5. Allow DNS egress traffic

Add a label to the kube-system namespace, then create a NetworkPolicy that allows DNS from any pod in the advanced-policy-demo namespace to the kube-system namespace:

kubectl label namespace kube-system name=kube-system
kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-access
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53
EOF
5.1 Verify access: DNS allowed

Inside the access pod:

nslookup nginx
nslookup www.baidu.com
wget
6. Allow egress traffic to nginx

Create a NetworkPolicy that allows egress from any pod in the advanced-policy-demo namespace to pods labelled app: nginx:

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-advance-policy-ns
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: nginx
EOF
6.1 Verify access: egress to nginx allowed

wget -q --timeout=5 nginx -O -
wget -q --timeout=5 www.baidu.com -O -

Access to nginx now succeeds, while access to www.baidu.com is still denied: egress from advanced-policy-demo is only permitted to DNS in kube-system and to pods labelled app: nginx in advanced-policy-demo.
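To see why each verification step in sections 2 through 6 gives the result it does, the following added example (not part of the original tutorial or of Calico) replays the page's five policies through a small evaluator of Kubernetes NetworkPolicy semantics: a pod is open by default; once any policy of a given policyType selects it, only traffic matching some rule of some selecting policy passes; a podSelector alone is scoped to the policy's own namespace; and a connection needs both the source's egress and the destination's ingress verdict to be "allow". The pod names, the access pod's labels and the kube-dns pod are constructed; ipBlock is not modelled, so an external destination (Baidu) is only reachable while no egress policy selects the source pod.

```python
"""Toy evaluator for Kubernetes NetworkPolicy semantics (constructed example).

Models podSelector / namespaceSelector peers, ports and policyTypes defaults.
ipBlock is not modelled: an EXTERNAL destination passes only when no egress
policy selects the source pod.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


EXTERNAL = None  # sentinel for a destination outside the cluster (e.g. www.baidu.com)

# Namespace labels after the 'kubectl label namespace kube-system name=kube-system' step.
NAMESPACE_LABELS = {"advanced-policy-demo": {}, "kube-system": {"name": "kube-system"}}


def selector_matches(match_labels, labels):
    """matchLabels semantics: every key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def peer_matches(peer, policy_ns, target):
    """Evaluate one entry of a from:/to: list against a pod."""
    if target is EXTERNAL:
        return False  # only an ipBlock entry (not modelled) could match an external endpoint
    pod_sel = (peer.get("podSelector") or {}).get("matchLabels", {})
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel.get("matchLabels", {}), NAMESPACE_LABELS.get(target.namespace, {})):
            return False
        # podSelector combined with namespaceSelector in one entry: both must match (AND)
        return selector_matches(pod_sel, target.labels)
    # podSelector on its own only selects pods in the policy's namespace
    return target.namespace == policy_ns and selector_matches(pod_sel, target.labels)


def port_matches(rule, port, proto):
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed: any port and protocol
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)


def policy_types(policy):
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}  # API default


def direction_allowed(policies, subject, other, port, proto, direction):
    """direction 'Egress': subject is the source; 'Ingress': subject is the destination."""
    rules_key, peers_key = ("egress", "to") if direction == "Egress" else ("ingress", "from")
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == subject.namespace
                 and direction in policy_types(p)
                 and selector_matches(p["spec"]["podSelector"].get("matchLabels", {}), subject.labels)]
    if not selecting:
        return True  # no policy of this type selects the pod: default allow
    for p in selecting:
        for rule in p["spec"].get(rules_key, []):
            peers = rule.get(peers_key)
            if port_matches(rule, port, proto) and (
                    not peers or any(peer_matches(peer, subject.namespace, other) for peer in peers)):
                return True
    return False  # selected, but no rule matched: deny


def is_allowed(policies, src, dst, port, proto="TCP"):
    egress_ok = direction_allowed(policies, src, dst, port, proto, "Egress")
    ingress_ok = dst is EXTERNAL or direction_allowed(policies, dst, src, port, proto, "Ingress")
    return egress_ok and ingress_ok


def policy(name, pod_sel, types=None, ingress=None, egress=None):
    """Build a NetworkPolicy dict in advanced-policy-demo, mirroring the page's YAML."""
    spec = {"podSelector": {"matchLabels": pod_sel}}
    if types is not None:
        spec["policyTypes"] = types
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"metadata": {"name": name, "namespace": "advanced-policy-demo"}, "spec": spec}


# The five policies from sections 2 to 6 of the page.
DEFAULT_DENY_INGRESS = policy("default-deny-ingress", {}, types=["Ingress"])
ACCESS_NGINX = policy("access-nginx", {"app": "nginx"},
                      ingress=[{"from": [{"podSelector": {"matchLabels": {}}}]}])
DEFAULT_DENY_EGRESS = policy("default-deny-egress", {}, types=["Egress"])
ALLOW_DNS = policy("allow-dns-access", {}, types=["Egress"],
                   egress=[{"to": [{"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}],
                            "ports": [{"protocol": "UDP", "port": 53}]}])
ALLOW_EGRESS_TO_NGINX = policy("allow-egress-to-advance-policy-ns", {}, types=["Egress"],
                               egress=[{"to": [{"podSelector": {"matchLabels": {"app": "nginx"}}}]}])

# Constructed pods: the busybox 'access' pod, an nginx replica, and a kube-dns pod.
ACCESS = Pod("access", "advanced-policy-demo", {"run": "access"})
NGINX = Pod("nginx-0", "advanced-policy-demo", {"app": "nginx"})
KUBE_DNS = Pod("coredns-0", "kube-system", {"k8s-app": "kube-dns"})


def tutorial_steps():
    """Apply the policies in page order; per step return (access->nginx:80, access->DNS 53/udp, access->Internet)."""
    applied, results = [], {}
    steps = [("1-no-policy", None), ("2-deny-ingress", DEFAULT_DENY_INGRESS),
             ("3-allow-nginx-ingress", ACCESS_NGINX), ("4-deny-egress", DEFAULT_DENY_EGRESS),
             ("5-allow-dns", ALLOW_DNS), ("6-allow-egress-nginx", ALLOW_EGRESS_TO_NGINX)]
    for step, pol in steps:
        if pol is not None:
            applied.append(pol)
        results[step] = (is_allowed(applied, ACCESS, NGINX, 80),
                         is_allowed(applied, ACCESS, KUBE_DNS, 53, "UDP"),
                         is_allowed(applied, ACCESS, EXTERNAL, 80))
    return results


if __name__ == "__main__":
    for step, verdict in tutorial_steps().items():
        print(step, dict(zip(("nginx", "dns", "internet"), verdict)))
```

The step-4 row is the one worth pausing on: default-deny-egress blocks the access pod's DNS lookup as well as its web traffic, which is why the page has to add allow-dns-access before any name-based wget can work again, and why step 6 still cannot reach Baidu even though nginx is reachable.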
7. Clean up the namespace

kubectl delete ns advanced-policy-demo

Reference: https://docs.projectcalico.org/security/tutorials/kubernetes-policy-advanced