k8s NetworkPolicy


k8s NetworkPolicy

networkpolicy对象主要关注三个地方  
第一个是绑定用的label;  
第二个ingress;  
第三个egress;
此外,就是一些默认策略,比如禁止所有、允许所有。需要注意,NetworkPolicy 只有在集群使用支持该功能的网络插件时才会真正生效;否则对象可以创建成功,但不会产生任何拦截效果,验证时应像下文一样实际发起访问来确认。
  • networkpolicy
[root@cce-demo1522483688765-00274 ~]# cat nwp.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
# Demo policy: only pods labelled role=frontend may reach role=db pods, and only on TCP/80.
metadata:
 name: test-network-policy
 namespace: default
spec:
 podSelector:
   matchLabels:
     role: db   # label selecting the pods this policy applies to (the protected/target pods)
 policyTypes:
 - Ingress
 # NOTE: Egress is declared but no egress section follows. Per NetworkPolicy semantics
 # that makes this a default-deny egress policy for role=db pods as well (DNS included).
 # Drop this entry if only inbound traffic is meant to be restricted.
 - Egress
 ingress:
 - from:
   - podSelector:
       matchLabels:
         role: frontend  # label the source pods must carry to be allowed in
                         # (same namespace only, since no namespaceSelector is given)
   ports:
   - protocol: TCP
     port: 80   # everything else inbound to role=db is dropped
[root@cce-demo1522483688765-00274 ~]# kubectl create -f nwp.yaml 
  • 绑定pod
[root@cce-demo1522483688765-00274 ~]# kubectl run ng --image=nginx --port=80
[root@cce-demo1522483688765-00274 ~]# kubectl get pods -owide
NAME                       READY     STATUS    RESTARTS   AGE       IP            NODE
hw1-5cfc9fbfc9-6jxgd       1/1       Running   0          1d        172.16.0.30   192.168.0.151
hw1-5cfc9fbfc9-p65lm       1/1       Running   0          1d        172.16.0.29   192.168.0.151
ng-7b94687b49-9z2gf        1/1       Running   0          58m       172.16.0.31   192.168.0.151
webapp1-6b8db97858-fsh2h   1/1       Running   0          1d        172.16.0.21   192.168.0.151
webapp2-666dd48bb4-6z44w   1/1       Running   0          1d        172.16.0.22   192.168.0.151
webapp3-84b7fd69c8-ljgrg   1/1       Running   0          1d        172.16.0.26   192.168.0.151
[root@cce-demo1522483688765-00274 ~]# 
[root@cce-demo1522483688765-00274 ~]# kubectl label pod ng-7b94687b49-9z2gf role=db
  • 远端pod访问
[root@cce-demo1522483688765-00274 ~]# kubectl exec -it hw1-5cfc9fbfc9-6jxgd bash
root@hw1-5cfc9fbfc9-6jxgd:/# curl 172.16.0.31
^C
root@hw1-5cfc9fbfc9-6jxgd:/# 
[root@cce-demo1522483688765-00274 ~]# kubectl get pods -owide --show-labels
NAME                       READY     STATUS    RESTARTS   AGE       IP            NODE            LABELS
hw1-5cfc9fbfc9-6jxgd       1/1       Running   0          1d        172.16.0.30   192.168.0.151   pod-template-hash=1797596975,role=gg,run=hw1
hw1-5cfc9fbfc9-p65lm       1/1       Running   0          1d        172.16.0.29   192.168.0.151   pod-template-hash=1797596975,run=hw1
ng-7b94687b49-9z2gf        1/1       Running   0          1h        172.16.0.31   192.168.0.151   pod-template-hash=3650243605,role=db,run=ng
webapp1-6b8db97858-fsh2h   1/1       Running   0          1d        172.16.0.21   192.168.0.151   app=webapp1,pod-template-hash=2648653414
webapp2-666dd48bb4-6z44w   1/1       Running   0          1d        172.16.0.22   192.168.0.151   app=webapp2,pod-template-hash=2228804660
webapp3-84b7fd69c8-ljgrg   1/1       Running   0          1d        172.16.0.26   192.168.0.151   app=webapp3,pod-template-hash=4063982574
[root@cce-demo1522483688765-00274 ~]# kubectl label pod hw1-5cfc9fbfc9-6jxgd role=frontend --overwrite
pod "hw1-5cfc9fbfc9-6jxgd" labeled
[root@cce-demo1522483688765-00274 ~]# 
[root@cce-demo1522483688765-00274 ~]# kubectl exec -it hw1-5cfc9fbfc9-6jxgd bash 
root@hw1-5cfc9fbfc9-6jxgd:/# curl 172.16.0.31
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@hw1-5cfc9fbfc9-6jxgd:/# 
  • egress的使用方法同ingress
  • 禁止/允许所有入口访问
[root@cce-demo1522483688765-00274 ~]# cat nwp.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
# Default-deny ingress for the whole namespace.
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector: {}   # empty selector: applies to every pod in this namespace
  policyTypes:
  - Ingress         # Ingress listed with no ingress rules below => all inbound traffic is denied
[root@cce-demo1522483688765-00274 ~]# 
[root@cce-demo1522483688765-00274 ~]# kubectl exec -it hw1-5cfc9fbfc9-6jxgd bash
root@hw1-5cfc9fbfc9-6jxgd:/# curl 172.16.0.31
^C   #这里远端pod访问已经为禁止
root@hw1-5cfc9fbfc9-6jxgd:/# 
...
[root@cce-demo1522483688765-00274 ~]# cat nwp.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
# Allow-all ingress for the whole namespace.
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector: {}   # empty selector: applies to every pod in this namespace
  policyTypes:
  - Ingress
  ingress:
  - {}              # a single empty rule matches any source and any port => all inbound traffic is allowed
[root@cce-demo1522483688765-00274 ~]# kubectl exec -it hw1-5cfc9fbfc9-6jxgd bash
root@hw1-5cfc9fbfc9-6jxgd:/# curl 172.16.0.31  #远端可以被访问到
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@hw1-5cfc9fbfc9-6jxgd:/# 
  • 禁止/允许所有出口访问的写法相似:把 policyTypes 改为 Egress,省略 egress 段即为禁止所有出口,写 `egress: [{}]` 即为允许所有出口。注意禁止所有出口时集群 DNS 解析同样会被拦截,一般需要额外放行到集群 DNS 的 53 端口。
