Previously, we learned about the basic working logic of k8s’s network plug-in flannel. For review, please refer to:https://www.cnblogs.com/qiuhom-1874/p/14225657.html; Today, let’s talk about k8s the topics related to networkpolicy;
What are the networkpolicy resources used for?
We know that on k8s, we can use namespaces to isolate multiple resources. Under different namespaces, we can create resources with the same name and type; Some resources must also rely on namespaces to be created; However, on k8s, the namespace cannot isolate the network. The so-called isolated network means that no matter which namespace the pod is created in, it can be accessed by pods in other namespaces; If we want to restrict the access of pods under the corresponding namespace to other namespaces or external clients, we can create networkpolicy resources under the corresponding namespace; The resource can restrict which pods can be accessed by external clients, or which pods cannot be accessed by which or which namespace pods; In addition to restricting the inbound traffic of pods in the corresponding namespace, it can also restrict the outbound traffic of pods in the corresponding namespace, allow or deny one or some pods to access pods in other namespaces or external services, etc; We can simply understand that networkpolicy is a firewall corresponding to the namespace; If we create the networkpolicy resource under the corresponding namespace, it can control the flow of pods under the namespace;
Basic working logic of networkpolicy
Tip: firstly, network policy is used to control the traffic of pod resources in a namespace; It can select the pod under the corresponding namespace through the pod selector. The pod that meets the conditions of the corresponding selector will be controlled by the policy defined in the network policy. The default pod selector is not clearly defined, which means that it matches all the pods under the corresponding namespace; Progress is used to define pod outbound policies. By default, explicitly defined policies are allowed to outbound, and no definition means rejection; The same logic applies to ingress. Only explicitly defined rules are allowed, and no definition means rejection; For outbound traffic, it will not take effect if we define it or not by default. It is allowed to be released. It will take effect only if the outbound rule corresponding to explicit configuration takes effect;
Example: the pod defined under the dev namespace does not allow any client access
[[email protected] ~]# cat denyall-ingress-dev.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-ingress
namespace: dev
spec:
podSelector: {}
policyTypes:
- Ingress
[[email protected] ~]#
Tip: the above resource list means to control the inbound traffic of the pod under the dev namespace and deny all clients access to the pod under the corresponding dev namespace; This includes the pod under the dev namespace;
Application resource list
Before applying, please ensure that the deployed network plug-in supports network policy. By default, the flannel network plug-in does not support network policy. We need to deploy the network plug-in canel, which can be combined with the flannel plug-in to enable it to have the network policy function of calico;
Deploy canel
[[email protected] ~]# kubectl apply -f https://docs.projectcalico.org/manifests/canal.yaml
configmap/canal-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrole.rbac.authorization.k8s.io/flannel configured
clusterrolebinding.rbac.authorization.k8s.io/canal-flannel created
clusterrolebinding.rbac.authorization.k8s.io/canal-calico created
daemonset.apps/canal created
serviceaccount/canal created
deployment.apps/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
poddisruptionbudget.policy/calico-kube-controllers created
[[email protected] ~]#
Tip: after the above resources are running normally, we can apply the resource list to make its network policy take effect;
Create a dev namespace and create a deploy controller under it. The controller creates three nginx pods
[[email protected] manifests]# cat pod-demo.yaml
apiVersion: v1
kind: Namespace
metadata:
name: dev
labels:
name: dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-dep
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: nginx
rel: stable
template:
metadata:
labels:
app: nginx
rel: stable
spec:
containers:
- name: nginx
image: nginx:1.14-alpine
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
[[email protected] manifests]# kubectl apply -f pod-demo.yaml
namespace/dev unchanged
deployment.apps/nginx-dep created
[[email protected] manifests]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5d9tb 1/1 Running 0 51s 10.244.4.6 node04.k8s.org
nginx-dep-cb74c595f-ftmn9 1/1 Running 0 51s 10.244.1.5 node01.k8s.org
nginx-dep-cb74c595f-jf9p9 1/1 Running 0 51s 10.244.3.4 node03.k8s.org
[[email protected] manifests]#
Before applying the above network policy, use the pod in default to access the pod under the corresponding dev namespace to see if it can be accessed normally?
[[email protected] manifests]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5d9tb 1/1 Running 0 86s 10.244.4.6 node04.k8s.org
nginx-dep-cb74c595f-ftmn9 1/1 Running 0 86s 10.244.1.5 node01.k8s.org
nginx-dep-cb74c595f-jf9p9 1/1 Running 0 86s 10.244.3.4 node03.k8s.org
[[email protected] manifests]# kubectl get pods
NAME READY STATUS RESTARTS AGE
web-0 1/1 Running 6 3d16h
web-1 1/1 Running 5 3d16h
web-2 1/1 Running 6 3d16h
[[email protected] manifests]# kubectl exec web-0 -it -- /bin/sh
/ # wget -O - -q 10.244.4.6
Welcome to nginx!
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
/ #
Tip: you can see that the pod under the default namespace can normally access the pod under the dev namespace;
Application resource list
[[email protected] ~]# cat denyall-ingress-dev.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-ingress
namespace: dev
spec:
podSelector: {}
policyTypes:
- Ingress
[[email protected] ~]# kubectl apply -f denyall-ingress-dev.yaml
networkpolicy.networking.k8s.io/deny-all-ingress created
[[email protected] ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-ingress 10s
[[email protected] ~]# kubectl describe netpol deny-all-ingress -n dev
Name: deny-all-ingress
Namespace: dev
Created on: 2021-01-04 15:34:40 +0800 CST
Labels:
Annotations:
Spec:
PodSelector: (Allowing the specific traffic to all pods in this namespace)
Allowing ingress traffic:
(Selected pods are isolated for ingress connectivity)
Not affecting egress traffic
Policy Types: Ingress
[[email protected] ~]#
Tip: as can be seen from the details of netpol resources above, if the pod selector of the corresponding netpol resource is none, it means that all pods under the corresponding namespace are selected, and if the allowing ingress traffic is also none, it means that no client is allowed to access the pods under the namespace; If there is no outbound policy, it means that all outbound traffic is rejected; By default, only the inbound rules are effective, so the outbound rules here are not effective, that is, the outbound traffic is not limited; Policytypes indicates that the corresponding policy is effective. By default, it is not specified as progress;
Verification: use the pod under the default namespace to access the pod under the dev namespace to see if it can be accessed normally?
Tip: you can see that the current POD under the default namespace cannot access the pod under the dev namespace;
Verification: the pod under the dev namespace accesses the pod under the same namespace to see if it can be accessed?
Tip: you can see that the pod under the dev namespace can’t access the pod under the dev namespace, but you can access yourself. The reason is that you can access yourself, and the traffic will not go out. It is processed on the lo interface, so your access is not limited;
Verification: use the pod under the dev namespace to access the pod under the default namespace to see if it is allowed?
Tip: you can see that there is no problem using the pod under the dev namespace to access the pod under the default namespace. It shows that the rule just now only limits the inbound traffic of the pod under the dev namespace, not the outbound traffic; The response 404 in 10.244.4.5 and 3.3 is accessed above because the web service on the corresponding pod does not have a home page;
Example: limit the outbound traffic of pods in dev namespace and reject all outbound traffic of pods
[[email protected] ~]# cat denyall-Egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-egress
namespace: dev
spec:
podSelector: {}
policyTypes:
- Egress
[[email protected] ~]#
Tip: the policytypes field is used to control which type of rule takes effect. This field is a list. By default, it is progress, which means that only inbound traffic is restricted. If it is explicitly manually defined as progress, it means that only outbound traffic is restricted; The logic of outbound policy and inbound policy are the same. As long as there is no explicit and defined policy, it means to reject the operation, and only the explicitly defined policy means to allow the corresponding operation; There are no outbound rules defined above, which means that all pods are denied access to external services;
Application resource list
[[email protected] ~]# kubectl apply -f denyall-Egress.yaml
networkpolicy.networking.k8s.io/deny-all-egress created
[[email protected] ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-egress 10s
deny-all-ingress 24m
[[email protected] ~]# kubectl describe netpol deny-all-egress -n dev
Name: deny-all-egress
Namespace: dev
Created on: 2021-01-04 15:59:16 +0800 CST
Labels:
Annotations:
Spec:
PodSelector: (Allowing the specific traffic to all pods in this namespace)
Not affecting ingress traffic
Allowing egress traffic:
(Selected pods are isolated for egress connectivity)
Policy Types: Egress
[[email protected] ~]#
Verification: enter the pod interactive interface under the dev namespace to see if you can access pods under other namespaces?
Tip: you can see that now the pod under the dev namespace can be accessed, but the pod under the default namespace cannot be accessed;
Verification: remove the inbound restriction and use the pod under the dev namespace to access each other to see if it can be accessed normally?
[[email protected] ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-egress 5m50s
deny-all-ingress 30m
[[email protected] ~]# kubectl delete netpol deny-all-ingress -n dev
networkpolicy.networking.k8s.io "deny-all-ingress" deleted
[[email protected] ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-egress 6m9s
[[email protected] ~]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5d9tb 1/1 Running 0 34m 10.244.4.6 node04.k8s.org
nginx-dep-cb74c595f-ftmn9 1/1 Running 0 34m 10.244.1.5 node01.k8s.org
nginx-dep-cb74c595f-jf9p9 1/1 Running 0 34m 10.244.3.4 node03.k8s.org
[[email protected] ~]# kubectl exec -it nginx-dep-cb74c595f-5d9tb -n dev -- /bin/sh
/ # wget -O - -q 10.244.1.5
^C
/ # wget -O - -q 10.244.3.4
^C
/ # wget -O - -q 10.244.4.6
Welcome to nginx!
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
/ #
Tip: you can see that after the outbound traffic is limited, pods in the same namespace cannot be accessed normally; But you can visit yourself;
Example: restrict the outbound traffic of pods in the dev namespace and allow pods in the dev namespace to access each other
[[email protected] ~]# cat allow-dev-Egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dev-egress
namespace: dev
spec:
podSelector: {}
egress:
- to:
- podSelector:
matchLabels:
app: nginx
rel: stable
ports:
- port: 80
protocol: TCP
policyTypes:
- Egress
[[email protected] ~]#
Tip: to limit outbound traffic, you can define the allowed outbound rules in spec.egress; The to field is used to describe the accessed end, and its value type is a list object; The podselector field is used to describe the accessed end pod selector. Only the pods that meet the conditions of the corresponding pod selector are allowed to leave the station; spec.egress. The ports field is used to describe the port information of the accessed endpoint; This field is a list object; Note that the namespace is not specified in the rule by default, which means it matches the namespace of the current netpol; The above list shows that the pod under dev allows access to port 80 of the pod labeled app = nginx and rel = stable under the dev namespace;
Delete the deny all egress outbound policy and apply its resource manifest
[[email protected] ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-egress 26m
[[email protected] ~]# kubectl delete netpol deny-all-egress -n dev
networkpolicy.networking.k8s.io "deny-all-egress" deleted
[[email protected] ~]# kubectl apply -f allow-dev-Egress.yaml
networkpolicy.networking.k8s.io/allow-dev-egress created
[[email protected] ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
allow-dev-egress 10s
[[email protected] ~]# kubectl describe netpol allow-dev-egress -n dev
Name: allow-dev-egress
Namespace: dev
Created on: 2021-01-04 16:34:23 +0800 CST
Labels:
Annotations:
Spec:
PodSelector: (Allowing the specific traffic to all pods in this namespace)
Not affecting ingress traffic
Allowing egress traffic:
To Port: 80/TCP
To:
PodSelector: app=nginx,rel=stable
Policy Types: Egress
[[email protected] ~]#
Verification: enter the pod under the dev namespace to see if the pod under the dev namespace can be accessed normally?
[[email protected] ~]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5d9tb 1/1 Running 0 65m 10.244.4.6 node04.k8s.org
nginx-dep-cb74c595f-ftmn9 1/1 Running 0 65m 10.244.1.5 node01.k8s.org
nginx-dep-cb74c595f-jf9p9 1/1 Running 0 65m 10.244.3.4 node03.k8s.org
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-5d9tb -- /bin/sh
/ # wget -O - -q 10.244.1.5
Welcome to nginx!
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
/ # wget -O - -q 10.244.3.4
Welcome to nginx!
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
/ #
Tip: you can see that the pod under the dev namespace can be accessed normally;
Verification: use the dev namespace pod to access the pod labeled app = nginx and rel = stable under the default namespace to see if it can be accessed normally?
[[email protected] ~]# kubectl get pods -n dev
NAME READY STATUS RESTARTS AGE
nginx-dep-cb74c595f-27qjp 1/1 Running 2 88m
nginx-dep-cb74c595f-b92s4 1/1 Running 1 88m
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 88m
[[email protected] ~]# kubectl get pods -o wide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
nginx-dep-cb74c595f-5mwl2 1/1 Running 1 89m 10.244.4.18 node04.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-vxc9z 1/1 Running 1 89m 10.244.3.12 node03.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-z265t 1/1 Running 1 89m 10.244.2.13 node02.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
web-0 1/1 Running 8 3d20h 10.244.2.14 node02.k8s.org app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-0
web-1 1/1 Running 7 3d20h 10.244.4.16 node04.k8s.org app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-1
web-2 1/1 Running 8 3d20h 10.244.3.11 node03.k8s.org app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-2
[[email protected] ~]# kubectl exec -it nginx-dep-cb74c595f-27qjp -n dev -- /bin/sh
/ # wget -O - -q 10.244.4.18
^C
/ # wget -O - -q 10.244.3.12
^C
/ # wget -O - -q 10.244.2.13
^C
/ #
Tip: you can see that the pod under the dev namespace accesses. The pod labeled app = nginx and rel = stable under the default namespace cannot be accessed normally because we do not specify the namespace of the corresponding access target in the policy. The default is the namespace of the corresponding netpol;
Example: allow the pod under the dev namespace to access the pod labeled app = nginx, rel = stable under the default and dev namespaces
[[email protected] ~]# cat allow-dev-def-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dev-egress
namespace: dev
spec:
podSelector: {}
egress:
- to:
- namespaceSelector:
matchExpressions:
- key: name
operator: In
values: ["def","dev"]
podSelector:
matchLabels:
app: nginx
rel: stable
ports:
- port: 80
protocol: TCP
policyTypes:
- Egress
[[email protected] ~]#
Tip: spec.egress The namespeceselector field in to is used to describe the namespace where the accessed end is located; The podselector field is used to describe the pod of the accessed end; If “-” is used in front of only one of the two fields, the conditions specified by namespaceselector and podselector are and, that is, both conditions must be met; If both fields start with “-“, the conditions specified in the two fields are or relationships, that is, the conditions that meet one of the fields can be matched by rules; The above example shows that all pods under dev can access the pods under the namespace whose tags are name = def or name = dev, and the tags of these pods must be app = nginx, rel = stable; That is, to be accessed by the pod under the dev namespace, the corresponding pod should meet two conditions at the same time. First, there is a label of name = def or name = dev on the corresponding namespace; Secondly, pod itself should have two tags, APP = nginx and rel = stable; These two conditions are indispensable;
Delete the original netpol and apply the new list
[[email protected] ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
allow-dev-egress 28m
[[email protected] ~]# kubectl delete netpol allow-dev-egress -n dev
networkpolicy.networking.k8s.io "allow-dev-egress" deleted
[[email protected] ~]# kubectl apply -f allow-dev-def-egress.yaml
networkpolicy.networking.k8s.io/allow-dev-egress created
[[email protected] ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
allow-dev-egress 5s
[[email protected] ~]# kubectl describe netpol allow-dev-egress -n dev
Name: allow-dev-egress
Namespace: dev
Created on: 2021-01-04 19:44:32 +0800 CST
Labels:
Annotations:
Spec:
PodSelector: (Allowing the specific traffic to all pods in this namespace)
Not affecting ingress traffic
Allowing egress traffic:
To Port: 80/TCP
To:
NamespaceSelector: name in (def,dev)
PodSelector: app=nginx,rel=stable
Policy Types: Egress
[[email protected] ~]#
Tip: you can see that the corresponding outbound rule has two conditions. First, the namespace must match, name = def or name = dev, that is, the corresponding namespace must have such a label; Secondly, pod must meet the label of APP = nginx and rel = stable;
Label the default namespace with name = default
[[email protected] ~]# kubectl get ns --show-labels
NAME STATUS AGE LABELS
default Active 27d
dev Active 4h24m name=dev
ingress-nginx Active 13d app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
kube-node-lease Active 27d
kube-public Active 27d
kube-system Active 27d
kubernetes-dashboard Active 2d5h
prod Active 57m name=prod
[[email protected] ~]# kubectl label ns default name=def
namespace/default labeled
[[email protected] ~]# kubectl get ns --show-labels
NAME STATUS AGE LABELS
default Active 27d name=def
dev Active 4h24m name=dev
ingress-nginx Active 13d app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
kube-node-lease Active 27d
kube-public Active 27d
kube-system Active 27d
kubernetes-dashboard Active 2d5h
prod Active 58m name=prod
[[email protected] ~]#
Verification: use the pod under dev to access the pod labeled app = nginx and rel = stable in the default and dev namespaces to see if the corresponding pod can be accessed?
[[email protected] ~]# kubectl get pods -n dev -o wide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
nginx-dep-cb74c595f-27qjp 1/1 Running 2 116m 10.244.1.18 node01.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-b92s4 1/1 Running 1 116m 10.244.4.17 node04.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 116m 10.244.1.19 node01.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
[[email protected] ~]# kubectl get pods -o wide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
nginx-dep-cb74c595f-5mwl2 1/1 Running 1 117m 10.244.4.18 node04.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-vxc9z 1/1 Running 1 117m 10.244.3.12 node03.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-z265t 1/1 Running 1 117m 10.244.2.13 node02.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
web-0 1/1 Running 8 3d21h 10.244.2.14 node02.k8s.org app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-0
web-1 1/1 Running 7 3d21h 10.244.4.16 node04.k8s.org app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-1
web-2 1/1 Running 8 3d21h 10.244.3.11 node03.k8s.org app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-2
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.17
Connecting to 10.244.4.17 (10.244.4.17:80)
/ # wget --spider --timeout=1 10.244.1.19
Connecting to 10.244.1.19 (10.244.1.19:80)
/ # wget --spider --timeout=1 10.244.4.18
Connecting to 10.244.4.18 (10.244.4.18:80)
/ # wget --spider --timeout=1 10.244.3.12
Connecting to 10.244.3.12 (10.244.3.12:80)
/ # wget --spider --timeout=1 10.244.2.13
Connecting to 10.244.2.13 (10.244.2.13:80)
/ # wget --spider --timeout=1 10.244.2.14
Connecting to 10.244.2.14 (10.244.2.14:80)
wget: download timed out
/ #
Tip: you can see that pods with name = def or name = dev tags on the dev namespace and app = nginx and rel = stable tags on the corresponding pods can be accessed normally. If the corresponding namespace and pod tags cannot be met, the pods cannot be accessed; In the above example, the last podip does not meet the label of the pod, so the corresponding pod cannot be accessed;
Example: allow the pod under the dev namespace to access the pod under the namespace with the tag name = def or name = dev on the namespace or the tag name = prod on the namespace, and the pod under the corresponding namespace must have the tag app = nginx, rel = stable;
[[email protected] ~]# cat allow-dev-def-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dev-egress
namespace: dev
spec:
podSelector: {}
egress:
- to:
- namespaceSelector:
matchExpressions:
- key: name
operator: In
values: ["def","dev"]
- to:
- namespaceSelector:
matchLables:
name: prod
podSelector:
matchLabels:
app: nginx
rel: stable
ports:
- port: 80
protocol: TCP
policyTypes:
- Egress
[[email protected] ~]#
Application configuration list
[[email protected] ~]# kubectl apply -f allow-dev-def-egress.yaml
networkpolicy.networking.k8s.io/allow-dev-egress created
[[email protected] ~]# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
allow-dev-egress 10s
[[email protected] ~]# kubectl describe netpol allow-dev-egress -n dev
Name: allow-dev-egress
Namespace: dev
Created on: 2021-01-04 20:44:42 +0800 CST
Labels:
Annotations:
Spec:
PodSelector: (Allowing the specific traffic to all pods in this namespace)
Not affecting ingress traffic
Allowing egress traffic:
To Port: (traffic allowed to all ports)
To:
NamespaceSelector: name in (def,dev)
----------
To Port: 80/TCP
To:
NamespaceSelector: name=prod
PodSelector: app=nginx,rel=stable
Policy Types: Egress
[[email protected] ~]#
Verification: use the pod under the dev namespace to access the pod under the dev namespace to see if it can be accessed normally?
[[email protected] ~]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-27qjp 1/1 Running 2 168m 10.244.1.18 node01.k8s.org
nginx-dep-cb74c595f-b92s4 1/1 Running 1 168m 10.244.4.17 node04.k8s.org
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 168m 10.244.1.19 node01.k8s.org
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.17
Connecting to 10.244.4.17 (10.244.4.17:80)
/ # wget --spider --timeout=1 10.244.1.19
Connecting to 10.244.1.19 (10.244.1.19:80)
/ # exit
[[email protected] ~]#
Tip: you can see that there is no problem in accessing pods under the dev namespace;
Verification: use the pod under the dev namespace to access the pod under the default namespace to see if it can be accessed normally?
[[email protected] ~]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-27qjp 1/1 Running 2 170m 10.244.1.18 node01.k8s.org
nginx-dep-cb74c595f-b92s4 1/1 Running 1 170m 10.244.4.17 node04.k8s.org
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 170m 10.244.1.19 node01.k8s.org
[[email protected] ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-dep-cb74c595f-5mwl2 1/1 Running 1 171m 10.244.4.18 node04.k8s.org
nginx-dep-cb74c595f-vxc9z 1/1 Running 1 171m 10.244.3.12 node03.k8s.org
nginx-dep-cb74c595f-z265t 1/1 Running 1 171m 10.244.2.13 node02.k8s.org
web-0 1/1 Running 8 3d22h 10.244.2.14 node02.k8s.org
web-1 1/1 Running 7 3d22h 10.244.4.16 node04.k8s.org
web-2 1/1 Running 8 3d22h 10.244.3.11 node03.k8s.org
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.18
Connecting to 10.244.4.18 (10.244.4.18:80)
/ # wget --spider --timeout=1 10.244.3.12
Connecting to 10.244.3.12 (10.244.3.12:80)
/ # wget --spider --timeout=1 10.244.2.13
Connecting to 10.244.2.13 (10.244.2.13:80)
/ # wget --spider --timeout=1 10.244.2.14
Connecting to 10.244.2.14 (10.244.2.14:80)
/ # wget --spider --timeout=1 10.244.4.16
Connecting to 10.244.4.16 (10.244.4.16:80)
wget: server returned error: HTTP/1.1 403 Forbidden
/ # wget --spider --timeout=1 10.244.3.11
Connecting to 10.244.3.11 (10.244.3.11:80)
wget: server returned error: HTTP/1.1 403 Forbidden
/ #
Tip: you can see that all pods in the default namespace can be accessed by pods in the dev namespace; 403 is displayed later because the corresponding web service does not have a home page;
Verification: use the pod under the dev namespace to access the pod under the prod namespace to see if the corresponding pod can be accessed?
[[email protected] ~]# kubectl get ns prod --show-labels
NAME STATUS AGE LABELS
prod Active 118m name=prod
[[email protected] ~]# kubectl get pods -n prod -o wide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
nginx-dep-cb74c595f-rzbv2 1/1 Running 0 118m 10.244.4.19 node04.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-v8ssx 1/1 Running 0 118m 10.244.3.13 node03.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-zsqcc 1/1 Running 0 118m 10.244.2.15 node02.k8s.org app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep1-f85fdcdbc-kdq5b 1/1 Running 0 117m 10.244.1.21 node01.k8s.org app=nginx,pod-template-hash=f85fdcdbc
nginx-dep1-f85fdcdbc-n8cvs 1/1 Running 0 117m 10.244.3.14 node03.k8s.org app=nginx,pod-template-hash=f85fdcdbc
nginx-dep1-f85fdcdbc-vz2mp 1/1 Running 0 117m 10.244.4.20 node04.k8s.org app=nginx,pod-template-hash=f85fdcdbc
[[email protected] ~]# kubectl get pods -n dev
NAME READY STATUS RESTARTS AGE
nginx-dep-cb74c595f-27qjp 1/1 Running 2 174m
nginx-dep-cb74c595f-b92s4 1/1 Running 1 174m
nginx-dep-cb74c595f-wdqnh 1/1 Running 1 174m
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.20
Connecting to 10.244.4.20 (10.244.4.20:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.3.14
Connecting to 10.244.3.14 (10.244.3.14:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.1.21
Connecting to 10.244.1.21 (10.244.1.21:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.2.15
Connecting to 10.244.2.15 (10.244.2.15:80)
/ # wget --spider --timeout=1 10.244.3.13
Connecting to 10.244.3.13 (10.244.3.13:80)
/ # wget --spider --timeout=1 10.244.4.19
Connecting to 10.244.4.19 (10.244.4.19:80)
/ #
Tip: it can be seen that in the prod namespace, all pods with the corresponding pod tag app = nginx and rel = stable can be accessed by the pod under dev. if the corresponding tag is not app = nginx and rel = stable, it cannot be accessed;
It can be concluded from the above example that on k8s, the network policy is a white list mechanism. The so-called white list mechanism means that only clearly defined policies can be allowed to be released. By default, if there is no specified rule, it is rejected, that is, those with mismatched conditions will be rejected; Secondly, for ingress or egress, the corresponding from or to is the information used to specify the access end or the accessed end; If we do not define the namespaceselector field in the corresponding field, the default ingress or egrss will match the namespace of the current netpol, that is, when the namespaceselector field is not explicitly specified, other corresponding conditions are for the namespace of the current netpol; Multiple conditions are used in combination. If multiple conditions are in one list, it means that multiple conditions are and related, that is, the specified conditions need to meet the corresponding policies at the same time before they can be released; If multiple conditions are no longer in the same list, there is a or relationship between multiple conditions, that is, if one of the conditions is met, it will be released by the corresponding policy;