版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/scylhy/article/details/85482725
k8s NetworkPolicy
networkpolicy对象主要关注三个地方
第一个是绑定用的label;
第二个ingress;
第三个egress;
此外,就是一些默认策略,比如禁止所有、允许所有。需要注意两点:NetworkPolicy 是 namespace 级别的资源,只作用于所在 namespace 的 pod;而且它只是一份声明,真正的执行依赖集群的 CNI 网络插件(如 Calico、Cilium 等)是否实现了 NetworkPolicy,不支持时对象照样能创建成功但完全不生效,所以策略下发后一定要像下面这样实际发起连接来验证。另外,一旦某个 pod 被任意一条策略的 podSelector 选中,它在 policyTypes 声明的方向上就变为默认拒绝,只放行各条策略中明确允许的流量(多条策略之间取并集)。
- networkpolicy
[root@cce-demo1522483688765-00274 ~]# cat nwp.yaml
# Only pods labeled role=db in namespace `default` are governed by this policy.
# Inbound TCP/80 is allowed solely from same-namespace pods labeled role=frontend;
# everything else inbound is dropped once the policy selects a pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db  # label that binds the policy to its target pods (the nginx pod gets role=db below)
  policyTypes:
  - Ingress
  - Egress  # NOTE(review): Egress is declared but no `egress:` rules follow, so ALL
            # outbound traffic from role=db pods (including DNS) is denied. Remove
            # this entry unless a full egress lockdown is intended.
  ingress:
  - from:
    - podSelector:        # matches pods in this namespace only; add a namespaceSelector for cross-namespace sources
        matchLabels:
          role: frontend  # label a source pod must carry to be let in
    ports:                # port restriction applies to this `from` entry only
    - protocol: TCP
      port: 80
[root@cce-demo1522483688765-00274 ~]# kubectl create -f nwp.yaml
- 绑定pod(NetworkPolicy 完全以 label 作为授权边界:任何在 RBAC 中对 pods 拥有 patch/update 权限的主体,都可以像下面 `kubectl label ... --overwrite` 那样改掉 label 给自己放行。生产环境应收紧这类权限,并同样限制谁能创建/修改 NetworkPolicy)
[root@cce-demo1522483688765-00274 ~]# kubectl run ng --image=nginx --port=80
[root@cce-demo1522483688765-00274 ~]# kubectl get pods -owide
NAME READY STATUS RESTARTS AGE IP NODE
hw1-5cfc9fbfc9-6jxgd 1/1 Running 0 1d 172.16.0.30 192.168.0.151
hw1-5cfc9fbfc9-p65lm 1/1 Running 0 1d 172.16.0.29 192.168.0.151
ng-7b94687b49-9z2gf 1/1 Running 0 58m 172.16.0.31 192.168.0.151
webapp1-6b8db97858-fsh2h 1/1 Running 0 1d 172.16.0.21 192.168.0.151
webapp2-666dd48bb4-6z44w 1/1 Running 0 1d 172.16.0.22 192.168.0.151
webapp3-84b7fd69c8-ljgrg 1/1 Running 0 1d 172.16.0.26 192.168.0.151
[root@cce-demo1522483688765-00274 ~]#
[root@cce-demo1522483688765-00274 ~]# kubectl label pod ng-7b94687b49-9z2gf role=db
- 远端pod访问(此时 hw1 的 label 是 role=gg,不匹配策略里的 role=frontend,所以被拒绝。注意 curl 是挂起而不是立刻报错——策略对不匹配的流量是直接丢包而非回 RST,实际验证时建议加超时,例如 `curl -m 5 172.16.0.31`)
[root@cce-demo1522483688765-00274 ~]# kubectl exec -it hw1-5cfc9fbfc9-6jxgd bash
root@hw1-5cfc9fbfc9-6jxgd:/# curl 172.16.0.31
^C
root@hw1-5cfc9fbfc9-6jxgd:/#
[root@cce-demo1522483688765-00274 ~]# kubectl get pods -owide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE LABELS
hw1-5cfc9fbfc9-6jxgd 1/1 Running 0 1d 172.16.0.30 192.168.0.151 pod-template-hash=1797596975,role=gg,run=hw1
hw1-5cfc9fbfc9-p65lm 1/1 Running 0 1d 172.16.0.29 192.168.0.151 pod-template-hash=1797596975,run=hw1
ng-7b94687b49-9z2gf 1/1 Running 0 1h 172.16.0.31 192.168.0.151 pod-template-hash=3650243605,role=db,run=ng
webapp1-6b8db97858-fsh2h 1/1 Running 0 1d 172.16.0.21 192.168.0.151 app=webapp1,pod-template-hash=2648653414
webapp2-666dd48bb4-6z44w 1/1 Running 0 1d 172.16.0.22 192.168.0.151 app=webapp2,pod-template-hash=2228804660
webapp3-84b7fd69c8-ljgrg 1/1 Running 0 1d 172.16.0.26 192.168.0.151 app=webapp3,pod-template-hash=4063982574
[root@cce-demo1522483688765-00274 ~]# kubectl label pod hw1-5cfc9fbfc9-6jxgd role=frontend --overwrite
pod "hw1-5cfc9fbfc9-6jxgd" labeled
[root@cce-demo1522483688765-00274 ~]#
[root@cce-demo1522483688765-00274 ~]# kubectl exec -it hw1-5cfc9fbfc9-6jxgd bash
root@hw1-5cfc9fbfc9-6jxgd:/# curl 172.16.0.31
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@hw1-5cfc9fbfc9-6jxgd:/#
- egress的使用方法同ingress(在 egress 规则下用 `to:` 加 podSelector/namespaceSelector/ipBlock 描述目的地)。注意上面的例子 policyTypes 里已经写了 Egress 却没有任何 egress 规则,这意味着 role=db 的 pod 所有出口流量(包括 DNS 查询)都会被拒绝;只想限制入口时不要把 Egress 写进 policyTypes。若确实要限制出口,通常需要单独放行到 kube-dns 的 UDP/TCP 53,否则服务名解析会失败。
- 禁止/允许所有入口访问(`podSelector: {}` 选中本 namespace 的所有 pod;policyTypes 只写 Ingress 且不给任何 ingress 规则即为禁止所有入口。下面两个 yaml 的 metadata.name 与前面相同,再次 `kubectl create -f` 会报 AlreadyExists,需要改用 `kubectl apply -f` / `kubectl replace -f`,或先删除旧策略)
[root@cce-demo1522483688765-00274 ~]# cat nwp.yaml
# Default-deny ingress for every pod in namespace `default`.
# Same metadata.name as the earlier policy: `kubectl create -f` will report
# AlreadyExists, so use `kubectl apply -f` / `kubectl replace -f` or delete first.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector: {}  # empty selector = all pods in this namespace
  policyTypes:
  - Ingress        # Ingress declared with no `ingress:` rules = drop all inbound traffic
[root@cce-demo1522483688765-00274 ~]#
[root@cce-demo1522483688765-00274 ~]# kubectl exec -it hw1-5cfc9fbfc9-6jxgd bash
root@hw1-5cfc9fbfc9-6jxgd:/# curl 172.16.0.31
^C #这里远端pod访问已经为禁止:default 下所有 pod 都被选中且没有任何 ingress 规则,curl 同样会一直挂起直到手动中断或超时
root@hw1-5cfc9fbfc9-6jxgd:/#
...
[root@cce-demo1522483688765-00274 ~]# cat nwp.yaml
# Allow-all ingress for every pod in namespace `default`.
# This is equivalent to having no ingress restriction at all; do not treat it
# as a safe default. Same metadata.name as before, so apply/replace rather than create.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector: {}  # empty selector = all pods in this namespace
  policyTypes:
  - Ingress
  ingress:
  - {}             # a single empty rule: no from/ports constraints, so any source (in-cluster or external) on any port is allowed
[root@cce-demo1522483688765-00274 ~]# kubectl exec -it hw1-5cfc9fbfc9-6jxgd bash
root@hw1-5cfc9fbfc9-6jxgd:/# curl 172.16.0.31 #远端可以被访问到:`ingress: [{}]` 是一条没有任何 from/ports 限制的规则,等价于放行来自任何来源(包括集群外)、任何端口的入口流量,相当于回到了没有策略时的状态,不要把它当作"安全默认值"使用
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@hw1-5cfc9fbfc9-6jxgd:/#
- 禁止/允许所有出口访问相似:policyTypes 只写 Egress 且不给任何 egress 规则即为禁止所有出口,`egress: [{}]` 则放行所有出口。注意禁止所有出口会同时阻断 pod 到 kube-dns 的 DNS 查询(UDP/TCP 53),实际使用时通常要先单独放行 DNS,再按需用 `to:` 加 podSelector/namespaceSelector/ipBlock 放行其他目的地。