Related documentation (link): https://editor.cilium.io/betterprogramming.pub/k8s-network-policy-made-simple-with-cilium-editor-a5b55781291c


Kubernetes NetworkPolicy Ingress: Hands-on Walkthrough

This walkthrough exercises ingress policies in a multi-namespace environment. First, prepare the test workloads:

weather-v1.yaml:
##################################################################################################
# Frontend service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: frontend
  labels:
    app: frontend
    service: frontend
spec:
  ports:
  - port: 3000
    name: http
  selector:
    app: frontend
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend-v1
  labels:
    app: frontend
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: frontend
      env-o: ops
  template:
    metadata:
      labels:
        app: frontend
        version: v1
        env-o: ops
    spec:
      containers:
      - name: frontend
        image: istioweather/frontend:v1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000
---
##################################################################################################
# Advertisement service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: advertisement
  labels:
    app: advertisement
    service: advertisement
spec:
  ports:
  - port: 3003
    name: http
  selector:
    app: advertisement
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: advertisement-v1
  labels:
    app: advertisement
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: advertisement
      env-o: ops
  template:
    metadata:
      labels:
        app: advertisement
        version: v1
        env-o: ops
    spec:
      containers:
      - name: advertisement
        image: istioweather/advertisement:v1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3003
---
##################################################################################################
# Forecast service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: forecast
  labels:
    app: forecast
    service: forecast
spec:
  ports:
  - port: 3002
    name: http
  selector:
    app: forecast
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: forecast-v1
  labels:
    app: forecast
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: forecast
      env-o: ops
  template:
    metadata:
      labels:
        env-o: ops
        app: forecast
        version: v1
    spec:
      containers:
      - name: forecast
        image: istioweather/forecast:v1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3002
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend
  namespace: weather
spec:
  rules:
  - host: frontend.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 3000

Deploy them directly (the Service and Deployment manifests carry no namespace, so apply them with -n weather):

$ kubectl create namespace weather
$ kubectl apply -f weather-v1.yaml -n weather
$ kubectl get svc,pod -n weather
NAME                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/advertisement   ClusterIP   10.22.192.13    <none>        3003/TCP   146m
service/forecast        ClusterIP   10.31.27.191    <none>        3002/TCP   146m
service/frontend        ClusterIP   10.30.175.181   <none>        3000/TCP   146m

NAME                                    READY   STATUS    RESTARTS   AGE
pod/advertisement-v1-795c4645b8-pwqfj   1/1     Running   0          146m
pod/forecast-v1-767c5c859f-bqvlj        1/1     Running   0          146m
pod/frontend-v1-594d97fcfb-r9hqr        1/1     Running   0          146m

The test client is deployed in the default namespace:

busybox.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox-lifecycles-nginx-sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox-lifecycles-nginx-sleep
      env-o: default
  template:
    metadata:
      labels:
        app: busybox-lifecycles-nginx-sleep
        env-o: default
    spec:
      terminationGracePeriodSeconds: 120
      containers:
      - image: slzcc/terminal-ctl:ubuntu-20.04
        imagePullPolicy: Always
        command:
          - nginx
          - -g
          - daemon off;
        name: busybox
        lifecycle:
          preStop:
            exec:
              # each argv element is its own list item; a single
              # "/bin/sh -c sleep 120" string would be looked up as one executable
              command:
              - /bin/sh
              - -c
              - sleep 120
      restartPolicy: Always

---
apiVersion: v1
kind: Service
metadata:
  name: busybox-lifecycles-nginx-sleep
  labels:
    app: busybox-lifecycles-nginx-sleep
spec:
  ports:
   - name: http
     port: 80
     targetPort: 80
     protocol: TCP
  selector:
    app: busybox-lifecycles-nginx-sleep

Deploy the test client:

$ kubectl apply -f busybox.yaml

Test: all access denied

First, exec into the busybox container and access frontend in the weather namespace:

$ kubectl exec -it $(kubectl get pod -l app=busybox-lifecycles-nginx-sleep | tail -1 | awk '{print $1}') -- bash
$ curl frontend.weather:3000 -I
HTTP/1.1 200 OK
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Wed, 12 Jun 2019 12:44:50 GMT
ETag: W/"86d-16b4bb82dd0"
Content-Type: text/html; charset=UTF-8
Content-Length: 2157
Date: Fri, 14 Jan 2022 06:22:36 GMT
Connection: keep-alive

With no policy in place the service is fully reachable. Now apply an Ingress policy that denies all requests:

deny-all.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: weather
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Once it is applied the service can no longer be reached; the request hangs until it times out:

$ curl frontend.weather:3000
curl: (28) Failed to connect to frontend.weather port 3000: Connection timed out

Now it is not only pods in other namespaces that are blocked; pods in the same namespace can no longer reach it either:

$ kubectl exec -it $(kubectl get pod -l app=forecast -n weather | tail -1 | awk '{print $1}') -n weather -- bash
$ curl frontend:3000

At this point ingress to every pod in the weather namespace is denied.

Allowing access within the same namespace

Pods in weather currently cannot reach each other. Configure the following policy to allow that traffic:

weather-env-o-network-policy.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: weather-env-o-network-policy
  namespace: weather
spec:
  podSelector:
    matchLabels:
      env-o: ops
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          env-o: ops

The policy above selects pods labeled env-o: ops and allows ingress to them from pods labeled env-o: ops. It reads a little circularly, but the goal is simply to let services in the same namespace talk to each other: a podSelector with no namespaceSelector beside it only ever matches pods in the policy's own namespace, so nothing from outside weather is admitted.

Or, more simply:

weather-env-o-network-policy.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: weather-env-o-network-policy
  namespace: weather
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}

Allowing access across namespaces

Policy that opens access to a service from another namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: weather
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in the SAME list item are ANDed;
    # as two separate items they are ORed and would admit every pod in default
    - namespaceSelector:
        matchLabels:
          name: default
      podSelector:
        matchLabels:
          app: busybox-lifecycles-nginx-sleep

This allows pods labeled app: busybox-lifecycles-nginx-sleep in the namespace labeled name: default to reach the frontend service.

For this to work, the default namespace must first be given the label name: default.

You can of course drop the podSelector so that every pod in default can reach the frontend service.
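The same-namespace and cross-namespace policies above both hinge on three selector rules: a bare podSelector only matches pods in the policy's own namespace, separate entries under `from` are ORed, and a namespaceSelector and podSelector inside one entry are ANDed. The following Python model is an added example (not code from this page, and not Kubernetes code) that evaluates the page's deny-all, env-o: ops and cross-namespace policies against pods mirroring the page's manifests. It assumes the default namespace has already been labeled (`kubectl label namespace default name=default`) and adds a constructed `stranger` pod in default, which appears nowhere on the page, to show what the split form of the cross-namespace policy lets through.

```python
"""Toy model of Kubernetes NetworkPolicy ingress evaluation.

Added example, not code from the page or from Kubernetes. It models only what
the page uses (podSelector / namespaceSelector with matchLabels, policyTypes
Ingress): policies selecting a pod are unioned, `from` entries are ORed, and a
namespaceSelector plus podSelector in ONE entry are ANDed. Ports, ipBlock and
matchExpressions are deliberately left out.
"""


def labels_match(selector, labels):
    """matchLabels semantics: every key must be present with the same value.
    An empty selector ({}) therefore matches everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, src, policy_ns, namespaces):
    """Does one `from` entry admit the source pod?"""
    if "namespaceSelector" in peer:
        # The namespace must match; a podSelector in the same entry narrows
        # the match (AND), it never widens it.
        if not labels_match(peer["namespaceSelector"], namespaces[src["namespace"]]):
            return False
        pod_sel = peer.get("podSelector")
        return pod_sel is None or labels_match(pod_sel, src["labels"])
    if "podSelector" in peer:
        # A bare podSelector only matches pods in the policy's own namespace.
        return src["namespace"] == policy_ns and labels_match(peer["podSelector"], src["labels"])
    return False


def ingress_allowed(src, dst, policies, namespaces):
    """True if src may open a connection to dst under the given policies."""
    selecting = [
        p for p in policies
        if "Ingress" in p.get("policyTypes", [])
        and p["namespace"] == dst["namespace"]
        and labels_match(p["podSelector"], dst["labels"])
    ]
    if not selecting:
        return True  # no policy selects the destination: open by default
    for p in selecting:
        for rule in p.get("ingress", []):
            peers = rule.get("from", [])
            # a rule with no `from` admits every source; otherwise any entry suffices
            if not peers or any(peer_matches(x, src, p["namespace"], namespaces) for x in peers):
                return True
    return False  # selected by a policy, but no rule admits this source


# Constructed cluster state mirroring the page's manifests. The "stranger"
# pod is an assumption added here to expose over-permissive matches.
NAMESPACES = {
    "default": {"name": "default"},  # after: kubectl label namespace default name=default
    "weather": {"name": "weather"},
}
PODS = {
    "forecast": {"namespace": "weather", "labels": {"app": "forecast", "env-o": "ops"}},
    "frontend": {"namespace": "weather", "labels": {"app": "frontend", "env-o": "ops"}},
    "busybox": {"namespace": "default", "labels": {"app": "busybox-lifecycles-nginx-sleep"}},
    "stranger": {"namespace": "default", "labels": {"app": "stranger"}},
}

DENY_ALL = {"namespace": "weather", "podSelector": {}, "policyTypes": ["Ingress"]}
SAME_NS_OPS = {
    "namespace": "weather",
    "podSelector": {"matchLabels": {"env-o": "ops"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"env-o": "ops"}}}]}],
}
NS_DEFAULT = {"matchLabels": {"name": "default"}}
POD_BUSYBOX = {"matchLabels": {"app": "busybox-lifecycles-nginx-sleep"}}
# Two separate `from` entries: namespace OR pod (the common mistake).
CROSS_NS_SPLIT = {
    "namespace": "weather",
    "podSelector": {"matchLabels": {"app": "frontend"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"namespaceSelector": NS_DEFAULT}, {"podSelector": POD_BUSYBOX}]}],
}
# Both selectors in ONE entry: namespace AND pod (what the page intends).
CROSS_NS_COMBINED = {
    "namespace": "weather",
    "podSelector": {"matchLabels": {"app": "frontend"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"namespaceSelector": NS_DEFAULT, "podSelector": POD_BUSYBOX}]}],
}


def who_can_reach(dst_name, policies):
    """Map every other pod to whether it may reach dst under these policies."""
    dst = PODS[dst_name]
    return {name: ingress_allowed(src, dst, policies, NAMESPACES)
            for name, src in PODS.items() if name != dst_name}


if __name__ == "__main__":
    for title, policies in [
        ("no policy", []),
        ("deny-all", [DENY_ALL]),
        ("deny-all + env-o ops", [DENY_ALL, SAME_NS_OPS]),
        ("deny-all + split from (OR)", [DENY_ALL, CROSS_NS_SPLIT]),
        ("deny-all + combined from (AND)", [DENY_ALL, CROSS_NS_COMBINED]),
    ]:
        print(f"{title:32} -> {who_can_reach('frontend', policies)}")
```

Running it prints, for each policy set, which pods may reach frontend: with deny-all alone nothing can; adding the env-o: ops policy readmits forecast but not busybox; the split cross-namespace form admits `stranger` as well as `busybox`, while the combined form admits only the busybox pod, which is the intent stated above. On Kubernetes 1.21 and later every namespace also carries the immutable `kubernetes.io/metadata.name` label, so a namespaceSelector can key on that instead of a manually added `name` label.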

Page version: v1.3.1.