I. Installing Calico

[root@k8s-master01 ~]# kubectl apply -f  https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
clusterrole.rbac.authorization.k8s.io "calico" created
clusterrole.rbac.authorization.k8s.io "flannel" configured
clusterrolebinding.rbac.authorization.k8s.io "canal-flannel" created
clusterrolebinding.rbac.authorization.k8s.io "canal-calico" created
[root@k8s-master01 ~]# kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
configmap "canal-config" created
daemonset.extensions "canal" created
serviceaccount "canal" created
customresourcedefinition.apiextensions.k8s.io "felixconfigurations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "bgpconfigurations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "ippools.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "hostendpoints.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "clusterinformations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "globalnetworkpolicies.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "globalnetworksets.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "networkpolicies.crd.projectcalico.org" created
[root@k8s-master01 ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
canal-888kk / ContainerCreating 1m
canal-9rk4k / ContainerCreating 1m
canal-xxvrz / ContainerCreating 1m

II. Configuring network policies with Calico

1. Viewing the configuration help

[root@k8s-master01 ~]# kubectl explain networkpolicy
[root@k8s-master01 ~]# kubectl explain networkpolicy.spec
egress <[]Object> # defines the egress (outbound) rules
ingress <[]Object> # defines the ingress (inbound) rules
podSelector <Object> -required- # selects the pods the rules are applied to
policyTypes <[]string> # policy types; if none is specified, whichever egress or ingress rules are present take effect
[root@k8s-master01 ~]# kubectl explain networkpolicy.spec.egress
ports <[]Object> # destination ports (on the remote side); several ports may be listed, and the protocol of each port can also be specified
to <[]Object> # destination; an IP block, a namespace, or a set of pods; they can be combined, but note that Kubernetes takes the intersection of the selectors combined in one entry, so avoid combining them unless necessary
[root@k8s-master01 ~]# kubectl explain networkpolicy.spec.ingress
from <[]Object> # source addresses; same structure as "to" under egress
ports <[]Object> # destination ports (local ports on the selected pods); note the difference from egress
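The note on "to"/"from" above is the single most common way a policy ends up far more permissive than intended, so here is an added example (not from the original post) that puts the two spellings side by side. Selectors written inside the same list entry are intersected (AND); selectors written as separate list entries are unioned (OR). The labels env=prod, app=myapp and app=frontend, the port 80 and the policy names are assumptions chosen for the illustration.

```yaml
# Added example, not from the original post. All label names are assumed.
# Policy A: ONE from-entry carrying two selectors -> intersection (AND).
# Only pods labelled app=frontend that live in a namespace labelled env=prod
# may reach the selected pods on TCP/80.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-from-prod-only
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          env: prod
      podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
---
# Policy B: TWO from-entries -> union (OR).
# EVERY pod in ANY env=prod namespace, PLUS every app=frontend pod in this
# policy's own namespace, may reach the selected pods on TCP/80.
# The only textual difference from Policy A is the "-" before podSelector.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-or-prod
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          env: prod
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
```

Apply either one with kubectl apply -f <file> -n dev and then run kubectl describe networkpolicy <name> -n dev: the "From:" section of the describe output prints each list entry separately, which is the quickest way to check whether the API server parsed your selectors as one entry or two.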

2. Example: a default-deny ingress policy

[root@k8s-master01 networkpolicy]# kubectl create namespace dev
[root@k8s-master01 networkpolicy]# kubectl create namespace prod
[root@k8s-master01 networkpolicy]# vim ingress-def.yaml
apiVersion: networking.k8s.io/v1 # mind the API version: extensions/v1beta1 was deprecated in 1.9
kind: NetworkPolicy
metadata:
  name: deng-all-ingress
spec:
  podSelector: {} # {} selects every pod, i.e. the whole namespace
  policyTypes:
  - Ingress # selects the Ingress rules; since no concrete ingress rule is defined, the default applies, and the default is deny. Egress is not selected, so egress is allowed by default. Note the asymmetry: policy types that are selected default to deny, those that are not selected default to allow
[root@k8s-master01 networkpolicy]# kubectl apply -f ingress-def.yaml -n dev
[root@k8s-master01 networkpolicy]# kubectl get networkpolicy -n dev
NAME POD-SELECTOR AGE
deng-all-ingress <none> 53s

Verification

[root@k8s-master01 networkpolicy]# cat pod_demo.yaml
kind: Pod
apiVersion: v1
metadata:
  name: task-pv-pod # no namespace here, so the same file can be applied in several namespaces
spec:
  containers:
  - name: nginx
    image: ikubernetes/myapp:v1
    ports:
    - containerPort:
      name: www
[root@k8s-master01 networkpolicy]# kubectl apply -f pod_demo.yaml -n dev # create a pod in the namespace named dev
pod "task-pv-pod" created
[root@k8s-master01 networkpolicy]# kubectl get pod -n dev -o wide # look up the pod's IP address
NAME READY STATUS RESTARTS AGE IP NODE
task-pv-pod / Running 20s 10.244.1.2 k8s-node01
[root@k8s-master01 networkpolicy]# curl 10.244.1.2 # access this address: the request does not get through
^C
[root@k8s-master01 networkpolicy]# kubectl apply -f pod_demo.yaml -n prod # create a pod in the namespace named prod
pod "task-pv-pod" created
[root@k8s-master01 networkpolicy]# kubectl get pod -n prod -o wide # look up the pod's IP address
NAME READY STATUS RESTARTS AGE IP NODE
task-pv-pod / Running 7s 10.244.1.3 k8s-node01
[root@k8s-master01 networkpolicy]# curl 10.244.1.3 # access it: works normally
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>

3. Explicitly defining an ingress rule that allows access to the pods in the dev namespace

[root@k8s-master01 networkpolicy]# cat allow-netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: all-myapp-ingress
spec:
  podSelector:
    matchLabels:
      app: myapp
  ingress:
  - from:
    - ipBlock:
        cidr: 10.244.0.0/
        except:
        - 10.244.1.2/
    ports:
    - protocol: TCP
      port:
    - protocol: TCP
      port:
[root@k8s-master01 networkpolicy]# kubectl apply -f allow-netpol.yaml -n dev
networkpolicy.networking.k8s.io "all-myapp-ingress" created
[root@k8s-master01 networkpolicy]# kubectl get networkpolicy -n dev
NAME POD-SELECTOR AGE
all-myapp-ingress app=myapp 54s
deng-all-ingress <none> 32m

Verification:

[root@k8s-master01 networkpolicy]# curl 10.244.1.2
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master01 networkpolicy]# curl 10.244.1.2:
curl: () Failed connect to 10.244.1.2:; 拒绝连接
[root@k8s-master01 networkpolicy]# curl 10.244.1.2:6443 # note the difference between 6443 and 443
^C

4. Default-deny egress (verification steps omitted)

[root@k8s-master01 networkpolicy]# cat egress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deng-all-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
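The policy above isolates every pod in the namespace for egress, and because no egress rule is listed, nothing outbound is allowed, including DNS lookups to the cluster resolver. As an added example (not from the original post), the following variant keeps the same default-deny stance but carves out the one rule almost every namespace needs. It assumes the kube-system namespace carries the label kubernetes.io/metadata.name=kube-system (set automatically on recent Kubernetes releases; on older clusters apply a label of your own first) and that the cluster DNS pods carry k8s-app=kube-dns.

```yaml
# Added example, not from the original post.
# Same default-deny-egress idea as egress-def.yaml, plus a single explicit
# rule so the isolated pods can still resolve names. Every other outbound
# connection from pods in the namespace stays denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress-allow-dns
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    # Both selectors in ONE entry: only the DNS pods inside kube-system,
    # not every pod in kube-system and not every kube-dns pod anywhere.
    - namespaceSelector:
        matchLabels:
          # Assumption: kube-system carries this label on your cluster.
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          # Assumption: the cluster DNS pods carry this label.
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

After applying it with kubectl apply -f <file> -n dev, a quick check from inside a pod in that namespace is nslookup kubernetes.default (should succeed) followed by curl to any external address (should hang or fail); if the lookup also fails, verify the namespace and pod labels with kubectl get ns --show-labels and kubectl get pods -n kube-system --show-labels before suspecting the policy itself.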

Official documentation: https://docs.projectcalico.org/v3.3/introduction/

Kubernetes installation guide: https://docs.projectcalico.org/v3.3/getting-started/kubernetes/
