Kubernetes of network policy (Network Policy)

Others 2019-06-10 09:35:23 views: null

Series catalog

Outline

Kubernetes requires all pod cluster, either within a node or across nodes can communicate directly, or that all work in the same pod across the nodes in the network, this network is generally two-story virtual network, called pod network. When installing the guide kubernetes, plugin achieved by the selection and installation of the network. By default, the cluster among all pod, pod and can communicate between nodes.

Network mainly solve two problems, one is connectivity, you can communicate over the network between the entities. Another is the isolation, for safety, to limit network traffic purposes, but also to control the communication between entities. Network Policy used to achieve isolation, only traffic that matches the rules to enter the pod, empathy only match traffic rules before they can leave the pod.

Note, however, kubernetes support network to achieve network plugin pod there are many, not all support the Network Policy, need to take this into account when selecting network plugin is kubernetes, the need for isolation? Available network plugin and support Network Policy please refer here .

Fundamental

Network Policy is kubernetes of a resource type that belongs to a namespace. Comprising the contents key logically two parts, one pod selector pod selected based on the tag at the same namespace, wherein the action defined in the rule selected pod. Another is the rule, is the network traffic in and out of the pod rule, which uses a white list mode, comply with the rules by, does not comply with the rules of refuse.

Network Policy Object Description Spec

Spec given first example, the key field in conjunction with the example described in the logical Spec respect Spec fully described with reference herein . Examples are as follows:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

Object creation method is the same as the other ReplicaSet. apiVersion, kind, with the same meaning as other types of metadata objects, not described in detail.

.spec.PodSelector

As the name suggests, it is a pod selector, based on the label and select Network Policy in the pod under the same namespace, if the pod rule is selected, the Network Policy defined in its application. This is an optional field, when the field is absent, represents select all pod.

.spec.PolicyTypes

Network Policy defined rules can be divided into two, one is the rules of the pod Ingress, Egress rule one is out of the pod. This field can be seen as a switch, if it contains Ingress, the part of the definition rule applies Ingress, Egress if the Egress portion defined rule applies, if it contains the full effect. Of course, this field is also optional, if not specified, the default Ingress into force, if Egress part of the definition, then, Egress to take effect. How to understand this sentence, will be mentioned below, there is no clear definition of Ingress, Egress part, it is also a rule, rather than the default rule is no rule.

.spec.ingress与.spec.egress

The former defines the pod rule, which defines the rules of the pod, detailed reference here, where they talk about focus. Ingress and egress the embodiment comprising only one rule, both arrays may comprise a plurality of rules. When included a plurality of logical relationship between the entries is "OR", wherein a match can be long. .spec.ingress []. from
also array, the array members access to the external source described in the pod, qualified source pod can access, there are a variety of methods, such as the example ip address block, a namespace, pod labels , a member of the array or the logic of relations. spec.ingress []. from.prots allows represented by protocol and port number.

.spec.egress.to define an external destination pod you want to access, and other ingress same.

The default rule

Does not define the rules is not without rules, then the default rule takes effect, the following default rules display usage.

All flow into the pod is disabled by default (Default deny all ingress traffic)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress

The example is not defined pod selector indicates if a pod under the namespace Network Policy not select any objects, the application object, if another object in the Network Policy is not applied to.

Ingress policyTypes value, represents the present embodiment Ingress is enabled rule. But this case did not define the specific Ingress, then apply the default rule. The default rule banning all traffic into the pod, but exceptions are if the source node pod is running, then allowed to pass.

The default allows all traffic into the pod (Default allow all ingress traffic)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}

The same is not defined pod selector, meaning the same as the previous example. Note that the definition of ingress, this is the rule, but the rule of entry is empty, the default rule is different, and represent all allowed through.

The pod is disabled by default all traffic (Default deny all egress traffic)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Egress

And is disabled by default all traffic into the pod (Default deny all ingress traffic) with just become the flow rate of the

Pod default allows all traffic (Default allow all egress traffic)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress

The default allow all traffic into the pod (Default allow all ingress traffic) with just become out of the flow.

Disabled by default all traffic into and out of pod (Default deny all ingress and all egress traffic)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

No need to explain, but please note that traffic from Network Policy restrictions between the pod and the running node.

Real Use Cases

The following example shows through a real common usage Network Policy

Creating nginx pod instance with the Deployment and exposed with service

$ kubectl run nginx --image=nginx --replicas=2
deployment "nginx" created
$ kubectl expose deployment nginx --port=80
service "nginx" exposed

The results confirm the creation

$ kubectl get svc,pod
NAME                        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
svc/kubernetes              10.100.0.1    <none>        443/TCP    46m
svc/nginx                   10.100.0.16   <none>        80/TCP     33s
 
NAME                        READY         STATUS        RESTARTS   AGE
po/nginx-701339712-e0qfq    1/1           Running       0          35s
po/nginx-701339712-o00ef    1/1           Running       0          35s

Nginx connectivity testing services

$ kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
 
Hit enter for command prompt
 
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #

Adding isolation by creating a Network Policy Object

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"

Only allowed to contain access: "true" label pod access nginx service.

Create a Network Policy

$ kubectl create -f nginx-policy.yaml
networkpolicy "access-nginx" created

Test isolation

$ kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
 
Hit enter for command prompt
 
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
wget: download timed out
/ #

Adding access to pod: "true" tag testing connectivity

$ kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
 
Hit enter for command prompt
 
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #

Guess you like

Origin www.cnblogs.com/tylerzhou/p/10995797.html
Recommended
Ranking
Solve the problem that the Chinese display of the drawing using python matplotlib under the Linux system is displayed as a box
[Conference Call for Papers] The 5th International Conference on Civil Engineering, Environmental Resources and Energy Materials (CCESEM 2023)
4-yl Fast Fourier Transform
DataGirdView interlaced display color
[Docker implements test deployment CI/CD----Dingding alarm after the build is successful (7)]
[Asp.net core series] 6 the complete structure of a project in actual combat
The new version of OpenCenterV3 management background
Why can box plots detect outliers and what is the principle?
[Switch] jumbo frame Introduction
C++对象移动(3)——移动构造函数
Daily
More
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)

Code World

© 2018 codetd.com