Kubernetes之NetworkPolicy的实践

Kubernetes之NetworkPolicy的实践

之前做过NetworkPolicy的实践，那个比较简单，只验证了同一个namespace下不同应用之间的访问控制场景，本周实践了一下不同namespace下应用之间的访问控制场景，

首先还是创建应用，一个sshd，另一个httpd，分属于两个不同的namespace，

vim sshd-deployment.yaml，apiVersion: v1kind: Namespacemetadata:  name: sshd  labels:    app: sshd---apiVersion: apps/v1kind: Deploymentmetadata:  name: sshd  labels:    app: sshd  namespace: sshdspec:  selector:    matchLabels:      app: sshd  template:    metadata:      labels:        app: sshd    spec:      containers:      - name: sshd        image: docker.mirrors.ustc.edu.cn/rastasheep/ubuntu-sshd:14.04        imagePullPolicy: IfNotPresent        ports:        - containerPort: 22

vim httpd-deployment.yaml，apiVersion: v1kind: Namespacemetadata:  name: httpd  labels:    app: httpd---apiVersion: apps/v1kind: Deploymentmetadata:  name: httpd  labels:    app: httpd  namespace: httpdspec:  replicas: 3  selector:    matchLabels:      app: httpd  template:    metadata:      labels:        app: httpd    spec:      containers:      - name: httpd        image: docker.mirrors.ustc.edu.cn/library/httpd        imagePullPolicy: IfNotPresent        ports:        - containerPort: 80

然后就是创建访问控制策略，先给两个namespace都搞成default deny，vim sshd-policy-deny-all.yaml，apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:  name: default-deny  namespace: sshdspec:  podSelector: {}  policyTypes:  - Ingress  - Egressvim httpd-policy-deny-all.yaml，apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:  name: default-deny  namespace: httpdspec:  podSelector: {}  policyTypes:  - Ingress  - Egress

然后再给sshd和httpd分别放开访问策略，

vim policy-sshd-access.yaml，apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:  name: sshd-network-policy  namespace: sshdspec:  podSelector:    matchLabels:      app: sshd  policyTypes:  - Egress  egress:  - to:    - namespaceSelector:        matchLabels:          app: httpdvim policy-httpd-access.yaml，apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:  name: httpd-network-policy  namespace: httpdspec:  podSelector:    matchLabels:      app: httpd  policyTypes:  - Ingress  ingress:  - from:    - namespaceSelector:        matchLabels:          app: sshd

最后看一下效果，

总结来说，NeworkPolicy要实现不同namespace下应用之间的访问控制需要做到两点：

1、每个namespace下要开default deny

2、访问双方应用各要搞一个放开访问策略

3、放开访问策略里匹配对端只能写namespace

NeworkPolicy最后是把策略下到iptables上的，像下面这样，

太复杂了，没梳理清楚，就先这样吧。