一文搞懂Kubernetes網絡策略（中）

從CNCF基金會的成立，到Kubernetes社區蓬勃發展，歷經6載，17年異軍突起，在mesos、swarm等項目角逐中，拔得頭籌，繼而一統容器編排,其成功的關鍵緣由可歸納爲如下幾點：html

項目領導者們的堅守與遠見
社區的良好的運做與社區文化
社區與企業落地的正反饋

今天zouyee爲你們帶來《一文搞懂Kubernetes網絡策略（中）》，其中《kuberneter調度由淺入深：框架》正在編寫中，敬請期待，當前涉及版本均爲1.20.+。python

3、應用場景

3.1 通常場景

a. 禁止訪問指定服務

kubectl run web --image=nginx --labels app=web --expose --port 80
複製代碼

# 未有策略限制時，能夠訪問
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- http://web
<!DOCTYPE html>
<html>
<head>
複製代碼

建立網絡策略nginx

# cat web-deny-all.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-deny-all
spec:
  podSelector:
    matchLabels:
      app: web
  ingress: []
  
$ kubectl apply -f web-deny-all.yaml
networkpolicy "web-deny-all" created
複製代碼

訪問測試git

$ kubectl run busybox --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web
wget: download timed out
複製代碼

b. 限制訪問指定服務

kubectl run apiserver --image=nginx --labels app=bookstore,role=api --expose --port 80
複製代碼

建立網絡策略github

# cat api-allow.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: api-allow
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  ingress:
  - from:
      - podSelector:
          matchLabels:
            app: bookstore
# kubectl apply -f api-allow.yaml
networkpolicy "api-allow" created
複製代碼

訪問測試web

建立不加label的pod，預期結果，訪問被限制
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://apiserver
wget: download timed out
/ # exit
建立帶app=bookstore標籤的pod，預期結果，訪問被限制
$ kubectl run busybox --rm -ti --image=busybox --labels app=bookstore,role=frontend /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://apiserver
<!DOCTYPE html>
<html><head>
/ # exit
複製代碼

c. 放通訪問限制

kubectl run apiserver --image=nginx --labels app=bookstore,role=api --expose --port 80
複製代碼

應用a中的網絡策略，限制全部流量redis

# cat web-deny-all.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-deny-all
spec:
  podSelector:
    matchLabels:
      app: web
  ingress: []
  
$ kubectl apply -f web-deny-all.yaml
networkpolicy "web-deny-all" created
複製代碼

建立放統統網絡策略api

# cat web-deny-all.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-all
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - {}
  
$ kubectl apply -f web-allow-all.yaml
networkpolicy "web-allow-all" created
# 須要注意deny跟allow的細微差異就是[]與{}，其中{}表明
- from:
    podSelector: {}
    namespaceSelector: {}
複製代碼

3.2 namespace限制

a. 禁止 namespace 中非白名單流量

建立網絡策略數組

# cat default-deny-all.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  ingress: []
# kubectl apply -f default-deny-all.yaml
複製代碼

說明:markdown

namespace: default 該策略部署於default
podSelector爲{}指匹配全部pod，於是該策略對default命名空間的全部pod都有效
ingress未指定，於是對於全部進入流量都禁止

b. 禁止其餘 namespace 流量

kubectl create namespace secondary
kubectl run web --namespace secondary --image=nginx \
    --labels=app=web --expose --port 80
複製代碼

建立網絡配置

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: secondary
  name: web-deny-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
複製代碼

訪問測試

# default命名空間訪問
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.secondary
wget: download timed out
/ # exit
# secondary命名空間訪問
$ kubectl run busybox --rm -ti --image=busybox --namespace=secondary /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.secondary
<!DOCTYPE html>
<html>
複製代碼

c. 運行全部namespace流量

kubectl run web --image=nginx --labels app=web --expose --port 80
複製代碼

建立網絡策略

# cat web-allow-all-namespaces.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: default
  name: web-allow-all-namespaces
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector: {}
# kubectl apply -f web-allow-all-namespaces.yaml
# kubectl create namespace secondary
複製代碼

說明：

app: web網絡策略應用到該標籤pod
namespaceSelector: {}匹配全部命名空間

訪問測試

# kubectl run busybox --rm -ti --image=busybox --namespace=secondary /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.secondary
<!DOCTYPE html>
<html>
複製代碼

c. 指定 namespace 訪問服務

# kubectl run web --image=nginx \
    --labels=app=web --expose --port 80
# kubectl create namespace dev
# kubectl label namespace/dev purpose=testing
# kubectl create namespace prod
# kubectl label namespace/prod purpose=production
複製代碼

建立網絡策略

# cat web-allow-prod.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-prod
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: production
# kubectl apply -f web-allow-prod.yaml
複製代碼

d. 容許其餘namespace的指定pod的流量

⚠️ Kubernetes 1.11後支持podSelector 與namespaceSelector的運算符操做，同時須要網絡插件支持

# kubectl run web --image=nginx \
    --labels=app=web --expose --port 80
# kubectl create namespace other
# kubectl create namespace other
複製代碼

建立網絡策略

# cat web-allow-all-ns-monitoring.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-all-ns-monitoring
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
    - from:
      - namespaceSelector:     # 選擇namespaces中帶有team=operations標籤的pod
          matchLabels:
            team: operations  
        podSelector:           # 選擇帶有type=monitoring標籤的pod
          matchLabels:
            type: monitoring
# kubectl apply -f web-allow-all-ns-monitoring.yaml
複製代碼

訪問測試

kubectl run busybox --rm -ti --image=busybox  /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out

(訪問限制)
/ # exit

# kubectl run busybox --rm -ti --image=busybox --labels type=monitoring /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out

(訪問限制)

# kubectl run busybox --rm -ti --image=busybox --namespace=other /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
wget: download timed out

(訪問限制)

# kubectl run busybox --rm -ti --image=busybox --namespace=other  --labels type=monitoring /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://web.default
<!DOCTYPE html>
<html>
<head>
...
(容許訪問)
複製代碼

3.3 容許外網訪問服務

kubectl run web --image=nginx --labels=app=web --port 80
kubectl expose pod/web --type=LoadBalancer
kubectl get svc web
NAME   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
web    LoadBalancer   10.233.54.206   <pending>     80:32548/TCP   40s
直至EXTERNAL-IP分配IP爲止
複製代碼

建立網絡策略

# cat web-allow-external.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-external
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - ports:
    - port: 80
    from: []
# kubectl apply -f web-allow-external.yaml
複製代碼

3.5 高級功能

a. 容許應用固定端口流量

# kubectl run busybox -ti --image=busybox --labels=app=apiserver /bin/sh
If you don't see a command prompt, try pressing enter.
# nohup python3 -m http.server 8001 &
# nohup python3 -m http.server 5001 &
# exit
# kubectl create service clusterip apiserver \
    --tcp 8001:8000 \
    --tcp 5001:5000
複製代碼

建立網絡策略

# cat api-allow-5000.yml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: api-allow-5000
spec:
  podSelector:
    matchLabels:
      app: apiserver
  ingress:
  - ports:
    - port: 5000
    from:
    - podSelector:
        matchLabels:
          role: monitoring
# kubectl apply -f api-allow-5000.yml
複製代碼

訪問測試

# 啓動pod未攜帶指定label時，訪問受限
# kubectl run busybox --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://apiserver:8001
wget: download timed out

/ # wget -qO- --timeout=2 http://apiserver:5001/metrics
wget: download timed out

# 啓動pod攜帶指定label時，訪問不受限
$ kubectl run busybox --rm -ti --image=busybox --labels=role=monitoring /bin/sh
/ # wget -qO- --timeout=2 http://apiserver:8001
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
...

/ # wget -qO- --timeout=2 http://apiserver:5001/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
...
複製代碼

b. 多標籤限制

說明：Network Policy定義一組微服務訪問某一應用,以下述示例中，一組微服務共享redis服務

kubectl run db --image=redis:4 --port 6379 --expose \
    --labels app=bookstore,role=db
複製代碼

如下服務共享redis服務

service	labels
`search`	`app=bookstore` `role=search`
`api`	`app=bookstore` `role=api`
`catalog`	`app=inventory` `role=web`

建立網絡策略

# cat redis-allow-services.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: redis-allow-services
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: db
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: bookstore
          role: search
    - podSelector:
        matchLabels:
          app: bookstore
          role: api
    - podSelector:
        matchLabels:
          app: inventory
          role: web
# kubectl apply -f redis-allow-services.yaml
複製代碼

訪問測試

$ kubectl run busybox --rm -ti --image=curl --labels=app=inventory,role=web /bin/sh

/ # nc -v -w 2 db 6379
db (10.233.27.143:6379) open

(works)

$ kubectl run busybox --rm -ti --image=curl --labels=app=other /bin/sh

/ # nc -v -w 2 db 6379
nc: db (10.233.27.143:6379): Operation timed out

(訪問受限)
複製代碼

3.6 控制出口流量

a. 禁止應用的出口流量

kubectl run web --image=nginx --labels app=web --expose --port 80
複製代碼

建立網絡策略

# cat foo-deny-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo-deny-egress
spec:
  podSelector:
    matchLabels:
      app: foo
  policyTypes:
  - Egress
  egress: []
# kubectl apply -f foo-deny-egress.yaml
複製代碼

說明：

policyTypes: ["egress"] 該策略類型爲出口流量
egress: [] 策略爲空說明出口流量所有禁止

b. 禁止命名空間非白名單流量

建立網絡策略

# cat default-deny-all-egress.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all-egress
  namespace: default
spec:
  policyTypes:
  - Egress
  podSelector: {}
  egress: []
# kubectl apply -f default-deny-all-egress.yaml
複製代碼

說明：

podSelector爲空，說明匹配全部pod
egress爲空數組，說明禁止全部符合podSelector的出口流量

後續相關內容，請查看公衆號：DCOS

一文搞懂Kubernetes網絡策略（中）

3、應用場景

3.1 通常場景

a. 禁止訪問指定服務

b. 限制訪問指定服務

c. 放通訪問限制

3.2 namespace限制

a. 禁止 namespace 中非白名單流量

b. 禁止其餘 namespace 流量

c. 運行全部namespace流量

c. 指定 namespace 訪問服務

d. 容許其餘namespace的指定pod的流量

3.3 容許外網訪問服務

3.5 高級功能

a. 容許應用固定端口流量

b. 多標籤限制

3.6 控制出口流量

a. 禁止應用的出口流量

b. 禁止命名空間非白名單流量

參考文檔