k8s NetworkPolicy
-
Namespace 隔离
默认情况下,所有 Pod 之间是全通的。每个 Namespace 可以配置独立的网络策略,来 隔离 Pod 之间的流量。
v1.7 + 版本通过创建匹配所有 Pod 的 Network Policy 来作为默认的网络策略
-
默认拒绝所有 Pod 之间 Ingress 通信
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: default-deny
spec:podSelector: {}policyTypes:- Ingress-
默认拒绝所有 Pod 之间 Egress 通信的策略
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: default-deny
spec:podSelector: {}policyTypes:- Egress
-
默认拒绝所有 Pod 之间 Ingress 和 Egress 通信的策略
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: default-deny
spec:podSelector: {}policyTypes:- Ingress- Egress-
默认允许所有 Pod 之间 Ingress 通信的策略
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: allow-all
spec:podSelector: {}ingress:- {}-
默认允许所有 Pod 之间 Egress 通信的策略
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: allow-all
spec:podSelector: {}egress:- {}-
Pod 隔离
通过使用标签选择器(包括 namespaceSelector 和 podSelector)来控制 Pod 之间的流量。
允许 default namespace 中带有 role=frontend 标签的 Pod 访问 default
namespace 中带有 role=db 标签 Pod 的 6379 端口
允许带有 project=myprojects 标签的 namespace 中所有 Pod 访问 default
namespace 中带有 role=db 标签 Pod 的 6379 端口apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: test-network-policynamespace: default
spec:podSelector:matchLabels:role: dbingress:- from:- namespaceSelector:matchLabels:project: myproject- podSelector:matchLabels:role: frontendports:- protocol: tcpport: 6379允许 default namespace 中带有 role=frontend 标签的 Pod 访问 default
namespace 中带有 role=db 标签 Pod 的 6379 端口
允许带有 project=myprojects 标签的 namespace 中所有 Pod 访问 default
namespace 中带有 role=db 标签 Pod 的 6379 端口
NetworkPolicy
238
允许 default namespace 中带有 role=db 标签的 Pod 访问 10.0.0.0/24 网段
的 TCP 5978 端口
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: test-network-policynamespace: default
spec:podSelector:matchLabels:role: dbpolicyTypes:- Ingress- Egressingress:- from:- ipBlock:cidr: 172.17.0.0/16except:- 172.17.1.0/24- namespaceSelector:matchLabels:project: myproject- podSelector:matchLabels:role: frontendports:- protocol: TCPport: 6379egress:- to:- ipBlock:cidr: 10.0.0.0/24ports:- protocol: TCPport: 5978-
例子
现在已经配置了一个nginx服务,访问端口是80,默认的状态是所有的pod都可以访问这个服务
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-deployment NodePort 10.102.52.246 <none> 80:31180/TCP 19d启动一个busybox pod来访问nginx-deployment服务
$ kubectl exec -it pod/busybox-test -- sh
/ # wget --spider --timeout=1 nginx-deployment
Connecting to nginx-deployment (10.102.52.246:80)
remote file exists
/ #现在给nginx-deployment服务配置network策略,使得pod无法访问这个服务
$ cat default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: default-deny
spec:podSelector: {}policyTypes:- Ingress$ kubectl create -f default-deny.yaml
networkpolicy.networking.k8s.io/default-deny created现在busybox的pod无法访问nginx-deployment服务了
$ kubectl exec -it pod/busybox-test -- sh
/ # wget --spider --timeout=1 nginx-deployment
Connecting to nginx-deployment (10.102.52.246:80)
wget: download timed out
/ # exit查看networkpolicy
$ kubectl get networkpolicy
NAME POD-SELECTOR AGE
default-deny <none> 102s
再创建一个运行带有 access=true 的 Pod 访问的网络策略:
表示所有带有 access=true label 的pods都可以访问nginx-deployment服务
$ cat nginx-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: access-nginx
spec:podSelector:matchLabels:app: nginxingress:- from:- podSelector:matchLabels:access: "true"启动一个带有access=true label的busybox服务
$ cat busybox-test.yaml
apiVersion: v1
kind: Pod
metadata:annotations:cni.projectcalico.org/containerID: fefc92be6bb04bacdf757a0b4132d72c2133c94dbfa684296cf59772817fc939cni.projectcalico.org/podIP: 172.16.43.1/32cni.projectcalico.org/podIPs: 172.16.43.1/32creationTimestamp: "2024-06-28T08:39:13Z"labels:access: "true"purpose: demonstrate-busyboxname: busybox-testnamespace: defaultresourceVersion: "208006"uid: 2d94690d-4f16-4bb6-a540-4682334170af
spec:containers:- command:- sleep- "3600"image: busyboximagePullPolicy: IfNotPresentname: busyboxresources:
... ...$ kubectl apply -f busybox-test.yaml此时看到busybox-test这个pod已经带有access=true的label了
$ kubectl describe pod busybox-test
Name: busybox-test
Namespace: default
Priority: 0
Service Account: default
Node: kevin-pc/192.168.227.129
Start Time: Fri, 28 Jun 2024 16:39:13 +0800
Labels: access=true然后通过busybox-test访问nginx服务就可以访问到了
$ kubectl exec -it pod/busybox-test -- sh
/ # wget --spider -timeout=1 nginx-deployment
Connecting to nginx-deployment (10.102.52.246:80)
remote file exists
/ #
-
删除networkpolicy
删除networkpolicy之后,所有的pod默认都可以访问nginx-deployment服务了
$ kubectl get networkpolicy
NAME POD-SELECTOR AGE
access-nginx app=nginx 10m
default-deny <none> 17m
$ kubectl delete network policy access-nginx-
几种访问策略的配置例子
-
禁止访问指定服务
首先启动一个nginx服务,并且给这个服务打上label
kubectl run web --image=nginx --labels app=web,env=prod --expose --po
rt 80
(没有配置ingress,所以所有的pod都没法访问这个服务)
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:name: web-deny-all
spec:podSelector:matchLabels:app: webenv: prod-
只允许指定 Pod 访问服务
kubectl run apiserver --image=nginx --labels app=bookstore,role=api -
-expose --port 80
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:name: api-allow
spec:podSelector:matchLabels:app: bookstorerole: apiingress:- from:- podSelector:matchLabels:app: bookstore-
禁止 namespace 中所有 Pod 之间的相互访问
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:name: default-denynamespace: default
spec:podSelector: {}-
禁止其他 namespace 访问服务
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:namespace: defaultname: web-deny-other-namespaces
spec:podSelector:matchLabels:ingress:- from:- podSelector: {}
-
只允许指定 namespace 访问服务
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:name: web-allow-prod
spec:podSelector:matchLabels:app: webingress:- from:- namespaceSelector:matchLabels:purpose: production-
允许外网访问服务
kubectl run web --image=nginx --labels=app=web --port 80
kubectl expose deployment/web --type=LoadBalancer
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:name: web-allow-external
spec:podSelector:matchLabels:app: webingress:- ports:- port: 80from: []