2022-10-26
Kubernetes NetworkPolicy in practice

I experimented with NetworkPolicy before, but that was fairly simple: it only verified access control between different applications inside the same namespace. This week I tried access control between applications in two different namespaces.

First, create the applications as before: one sshd and one httpd, each in its own namespace.
vim sshd-deployment.yaml

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: sshd
  labels:
    app: sshd
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sshd
  labels:
    app: sshd
  namespace: sshd
spec:
  selector:
    matchLabels:
      app: sshd
  template:
    metadata:
      labels:
        app: sshd
    spec:
      containers:
      - name: sshd
        image: docker.mirrors.ustc.edu.cn/rastasheep/ubuntu-sshd:14.04
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 22
```

vim httpd-deployment.yaml

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: httpd
  labels:
    app: httpd
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpd
  labels:
    app: httpd
  namespace: httpd
spec:
  replicas: 3
  selector:
    matchLabels:
      app: httpd
  template:
    metadata:
      labels:
        app: httpd
    spec:
      containers:
      - name: httpd
        image: docker.mirrors.ustc.edu.cn/library/httpd
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
```
Next, create the access-control policies. Start by putting both namespaces into default deny.

vim sshd-policy-deny-all.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: sshd
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

vim httpd-policy-deny-all.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: httpd
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

Then open up access for sshd and httpd respectively.

vim policy-sshd-access.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sshd-network-policy
  namespace: sshd
spec:
  podSelector:
    matchLabels:
      app: sshd
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          app: httpd
```

vim policy-httpd-access.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: httpd-network-policy
  namespace: httpd
spec:
  podSelector:
    matchLabels:
      app: httpd
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          app: sshd
```
Finally, check the effect:

To sum up, for NetworkPolicy to control access between applications in different namespaces, you need the following:

1. Each namespace must have a default-deny policy.
2. Each side of the connection needs its own allow policy (egress on the caller, ingress on the callee).
3. In the allow policy, the peer is matched by namespace.
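To make the three points above concrete, here is an added example (not code from the post) that models the NetworkPolicy evaluation rules in a few lines of Python and runs them over the four policies defined above. The cluster state (pod names, a third `other` namespace, the label sets) is constructed for the example; the isolation rule it implements is the documented one: a pod becomes isolated in a direction as soon as any policy selecting it lists that direction in `policyTypes`, and a connection must then be allowed by an egress rule on the source and an ingress rule on the destination.

```python
"""Toy evaluator for Kubernetes NetworkPolicy semantics (added example, not from the post).

Models only what the post uses: pods carry labels, policies select pods by label within
one namespace, and peers are matched with a namespaceSelector on namespace labels.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict          # pod labels, e.g. {"app": "sshd"}


@dataclass
class Policy:
    namespace: str
    pod_selector: dict            # {} selects every pod in the namespace
    policy_types: tuple           # subset of ("Ingress", "Egress")
    ingress_from_ns: tuple = ()   # namespaceSelector matchLabels dicts for allowed sources
    egress_to_ns: tuple = ()      # namespaceSelector matchLabels dicts for allowed destinations


# Constructed cluster state: namespace labels mirror the Namespace manifests in the post,
# plus an unrelated "other" namespace with no policies at all.
NAMESPACE_LABELS = {
    "sshd": {"app": "sshd"},
    "httpd": {"app": "httpd"},
    "other": {"app": "other"},
}

# The four policies from the post, in the order they were created.
POLICIES = (
    Policy("sshd", {}, ("Ingress", "Egress")),                       # sshd default-deny
    Policy("httpd", {}, ("Ingress", "Egress")),                      # httpd default-deny
    Policy("sshd", {"app": "sshd"}, ("Egress",),
           egress_to_ns=({"app": "httpd"},)),                        # sshd-network-policy
    Policy("httpd", {"app": "httpd"}, ("Ingress",),
           ingress_from_ns=({"app": "sshd"},)),                      # httpd-network-policy
)

SSHD = Pod("sshd-0", "sshd", {"app": "sshd"})
HTTPD = Pod("httpd-0", "httpd", {"app": "httpd"})
OTHER = Pod("other-0", "other", {"app": "other"})   # constructed, not in the post


def matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present in labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def selected(policy, pod):
    """A policy only ever applies to pods in its own namespace."""
    return policy.namespace == pod.namespace and matches(policy.pod_selector, pod.labels)


def direction_allowed(policies, pod, direction, peer):
    """True if `pod` may send to (Egress) or receive from (Ingress) `peer`."""
    relevant = [p for p in policies if selected(p, pod) and direction in p.policy_types]
    if not relevant:
        return True   # no policy isolates this pod in this direction: default allow
    peer_ns_labels = NAMESPACE_LABELS[peer.namespace]
    for p in relevant:
        peers = p.egress_to_ns if direction == "Egress" else p.ingress_from_ns
        if any(matches(sel, peer_ns_labels) for sel in peers):
            return True   # at least one policy has a rule admitting this peer
    return False          # isolated, and no rule admits the peer (e.g. only default-deny)


def connection_allowed(policies, src, dst):
    """Both ends must agree: egress on the source AND ingress on the destination."""
    return (direction_allowed(policies, src, "Egress", dst)
            and direction_allowed(policies, dst, "Ingress", src))


if __name__ == "__main__":
    for src, dst in [(SSHD, HTTPD), (HTTPD, SSHD), (OTHER, HTTPD), (SSHD, OTHER)]:
        verdict = "ALLOW" if connection_allowed(POLICIES, src, dst) else "DENY"
        print(f"{src.namespace}/{src.name} -> {dst.namespace}/{dst.name}: {verdict}")
    # Dropping httpd's ingress allow policy shows point 2: one side alone is not enough.
    print("sshd -> httpd without httpd-network-policy:",
          "ALLOW" if connection_allowed(POLICIES[:3], SSHD, HTTPD) else "DENY")
```

With the four policies loaded, only sshd to httpd is allowed; httpd to sshd, anything from the unpoliced `other` namespace into httpd, and sshd to `other` are all denied, and removing `httpd-network-policy` alone is enough to cut sshd to httpd again. Two caveats worth keeping in mind when reproducing the post: the `default-deny` policy with `Egress` also blocks DNS lookups from the sshd pods, so the httpd pods have to be reached by IP unless an extra egress rule towards the cluster DNS is added; and a single peer entry may combine `namespaceSelector` with `podSelector` (both must match), which narrows the allowed peers further than the namespace-only match used above. The evaluator only checks declared intent; actual enforcement is done by the cluster's CNI plugin, which must support NetworkPolicy for any of these policies to take effect.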
NetworkPolicy is ultimately rendered down into iptables rules, like the following:

It is too complicated and I have not sorted it out yet, so I will leave it at that for now.