Series index: K8s Networking with Calico, "from getting started to giving up" series
1. Create the service
kubectl create ns advanced-policy-demo
Because kubectl run no longer accepts --replicas as of Kubernetes v1.18, the nginx Deployment is created from a YAML file instead:
vim nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: advanced-policy-demo
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
kubectl apply -f nginx-deployment.yaml
Create a Service for nginx and expose port 80:
kubectl expose --namespace=advanced-policy-demo deployment nginx --port=80
Verify access from a throwaway busybox pod in the same namespace:
kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
wget -q --timeout=5 nginx -O -
Also test access to Baidu. With no policies in place yet, both requests succeed:
wget -q --timeout=5 www.baidu.com -O -
2. Deny all ingress traffic
kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
EOF
2.1 Verify access
kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
wget -q --timeout=5 nginx -O -
wget -q --timeout=5 www.baidu.com -O -
As expected, ingress to the nginx service is now denied, while egress to the Internet is still allowed.
3. Allow ingress traffic to nginx
Create a NetworkPolicy that allows ingress to the nginx pods from any pod in the advanced-policy-demo namespace. A podSelector without a namespaceSelector only matches pods in the policy's own namespace, so pods in other namespaces remain blocked by default-deny-ingress.
kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels: {}
EOF
Verify access to the nginx service:
kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
wget -q --timeout=5 nginx -O -
With this policy in place, the nginx service is reachable again.
4. Deny all egress traffic
kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
EOF
4.1 Verify access: all egress denied
Now any inbound or outbound traffic that a policy does not explicitly allow is denied, so both commands below fail (the DNS lookup of nginx is itself egress traffic to the cluster DNS in kube-system):
kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
nslookup nginx
wget -q --timeout=5 www.baidu.com -O -
5. Allow DNS egress traffic
Label the kube-system namespace with name: kube-system, then create a NetworkPolicy that allows DNS egress (UDP port 53) from any pod in the advanced-policy-demo namespace to the kube-system namespace. The label is needed because a namespaceSelector can only match namespaces by label.
kubectl label namespace kube-system name=kube-system
kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-access
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53
EOF
5.1 Verify access: DNS allowed
nslookup nginx
nslookup www.baidu.com
wget
Both lookups now resolve, but wget still cannot reach anything: the only egress any policy permits is UDP port 53 to the kube-system namespace.
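Two caveats a practitioner would add to the allow-dns-access policy above, shown as an added example rather than code from this page or the Calico tutorial. First, the rule opens only UDP/53; a resolver falls back to TCP/53 when an answer is too large for a UDP datagram (truncated response), so TCP must be allowed too or those lookups fail. Second, a namespaceSelector on its own lets every pod in kube-system receive traffic on port 53, which is wider than needed; combining it with a podSelector in the same `to` entry narrows the peer to the DNS pods. The label k8s-app: kube-dns is what standard CoreDNS and kube-dns deployments carry, but it is an assumption here, so confirm it with `kubectl get pods -n kube-system --show-labels`. On Kubernetes v1.22 and newer every namespace automatically carries the label kubernetes.io/metadata.name, so the manual `kubectl label namespace` step is unnecessary and this example matches that label instead. It is a drop-in replacement for the policy of the same name:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-access
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    # namespaceSelector and podSelector in ONE list entry: the peer must be in
    # kube-system AND carry the DNS pod label. As two separate entries they
    # would be OR-ed and the namespace-wide match would return.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system   # set automatically since k8s v1.22
      podSelector:
        matchLabels:
          k8s-app: kube-dns   # assumption: label used by CoreDNS/kube-dns, verify on your cluster
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53   # DNS falls back to TCP for truncated (large) responses
```

Apply it with `kubectl apply -f`, then repeat the nslookup checks; a quick way to exercise the TCP path is `nslookup -port=53 www.baidu.com` from a client that supports forcing TCP, or simply a lookup whose answer exceeds 512 bytes.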
6. Allow egress traffic to nginx
Create a NetworkPolicy that allows egress from any pod in the advanced-policy-demo namespace to pods labeled app: nginx. As with the ingress rule in section 3, a bare podSelector only matches pods in the same namespace.
kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-advance-policy-ns
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: nginx
EOF
6.1 Verify access: egress to nginx allowed
wget -q --timeout=5 nginx -O -
wget -q --timeout=5 www.baidu.com -O -
The request to nginx now succeeds, because egress to pods labeled app: nginx in the advanced-policy-demo namespace is allowed, while the request to www.baidu.com is still denied: no policy permits egress to the Internet.
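The manual wget and nslookup checks above are easy to get wrong once several policies interact, so here is an added example (not part of the original page or the Calico tutorial) that encodes the expected allow/deny matrix for the final state of sections 2 to 6 as a script. It is meant to be pasted into the busybox `access` pod and run with the argument `run`; the hostnames and the `check-policy.sh` file name are assumptions, and it relies only on the wget and nslookup that busybox ships.

```sh
#!/bin/sh
# check-policy.sh (assumed name): run inside the busybox "access" pod after
# default-deny-ingress, access-nginx, default-deny-egress, allow-dns-access and
# allow-egress-to-advance-policy-ns are all applied. Exits non-zero if the
# cluster's behaviour differs from the expected matrix.
#
#   kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
#   (paste this script into a file inside the pod, then:  sh check-policy.sh run)

FAILURES=0

# http_reachable HOST: 0 if an HTTP GET to HOST completes within 5 seconds.
http_reachable() {
    wget -q --timeout=5 "$1" -O /dev/null 2>/dev/null
}

# dns_resolves NAME: 0 if NAME resolves through the cluster DNS.
dns_resolves() {
    nslookup "$1" >/dev/null 2>&1
}

# expect allow|deny LABEL CMD [ARGS...]: run CMD and compare its outcome with
# the expectation. Prints PASS or FAIL, counts mismatches in FAILURES and
# returns 0 only when the outcome matches.
expect() {
    want=$1
    label=$2
    shift 2
    if "$@"; then got=allow; else got=deny; fi
    if [ "$got" = "$want" ]; then
        echo "PASS  $label ($got)"
        return 0
    fi
    echo "FAIL  $label (expected $want, got $got)"
    FAILURES=$((FAILURES + 1))
    return 1
}

# The reachability matrix implied by the five policies together:
# DNS works (UDP/53 to kube-system), HTTP to nginx works (same-namespace
# egress + ingress rule), HTTP to the Internet is denied.
run_checks() {
    FAILURES=0
    expect allow "DNS: nginx resolves"          dns_resolves nginx
    expect allow "DNS: www.baidu.com resolves"  dns_resolves www.baidu.com
    expect allow "HTTP: nginx reachable"        http_reachable nginx
    expect deny  "HTTP: www.baidu.com blocked"  http_reachable www.baidu.com
    return "$FAILURES"
}

# Only run the probes when asked to, so the functions can be sourced elsewhere.
case "${1:-}" in
    run) run_checks; exit $? ;;
esac
```

Run it after each policy change rather than only at the end: any step that turns a PASS into a FAIL points at the policy that is too wide or too narrow.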
7. Clean up the namespace
kubectl delete ns advanced-policy-demo
Reference: https://docs.projectcalico.org/security/tutorials/kubernetes-policy-advanced