Networkpolicy resource of container orchestration system k8s

Time:2022-1-12

Previously, we learned about the basic working logic of k8s’s network plug-in flannel. For review, please refer to:https://www.cnblogs.com/qiuhom-1874/p/14225657.html; Today, let’s talk about k8s the topics related to networkpolicy;

What are the networkpolicy resources used for?

We know that on k8s, we can use namespaces to isolate multiple resources. Under different namespaces, we can create resources with the same name and type; Some resources must also rely on namespaces to be created; However, on k8s, the namespace cannot isolate the network. The so-called isolated network means that no matter which namespace the pod is created in, it can be accessed by pods in other namespaces; If we want to restrict the access of pods under the corresponding namespace to other namespaces or external clients, we can create networkpolicy resources under the corresponding namespace; The resource can restrict which pods can be accessed by external clients, or which pods cannot be accessed by which or which namespace pods; In addition to restricting the inbound traffic of pods in the corresponding namespace, it can also restrict the outbound traffic of pods in the corresponding namespace, allow or deny one or some pods to access pods in other namespaces or external services, etc; We can simply understand that networkpolicy is a firewall corresponding to the namespace; If we create the networkpolicy resource under the corresponding namespace, it can control the flow of pods under the namespace;

Basic working logic of networkpolicy

Tip: firstly, network policy is used to control the traffic of pod resources in a namespace; It can select the pod under the corresponding namespace through the pod selector. The pod that meets the conditions of the corresponding selector will be controlled by the policy defined in the network policy. The default pod selector is not clearly defined, which means that it matches all the pods under the corresponding namespace; Progress is used to define pod outbound policies. By default, explicitly defined policies are allowed to outbound, and no definition means rejection; The same logic applies to ingress. Only explicitly defined rules are allowed, and no definition means rejection; For outbound traffic, it will not take effect if we define it or not by default. It is allowed to be released. It will take effect only if the outbound rule corresponding to explicit configuration takes effect;

Example: the pod defined under the dev namespace does not allow any client access

[[email protected] ~]# cat denyall-ingress-dev.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Ingress
[[email protected] ~]# 

Tip: the above resource list means to control the inbound traffic of the pod under the dev namespace and deny all clients access to the pod under the corresponding dev namespace; This includes the pod under the dev namespace;

Application resource list

Before applying, please ensure that the deployed network plug-in supports network policy. By default, the flannel network plug-in does not support network policy. We need to deploy the network plug-in canel, which can be combined with the flannel plug-in to enable it to have the network policy function of calico;

Deploy canel

[[email protected] ~]# kubectl apply -f https://docs.projectcalico.org/manifests/canal.yaml
configmap/canal-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrole.rbac.authorization.k8s.io/flannel configured
clusterrolebinding.rbac.authorization.k8s.io/canal-flannel created
clusterrolebinding.rbac.authorization.k8s.io/canal-calico created
daemonset.apps/canal created
serviceaccount/canal created
deployment.apps/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
poddisruptionbudget.policy/calico-kube-controllers created
[[email protected] ~]# 

Tip: after the above resources are running normally, we can apply the resource list to make its network policy take effect;

Create a dev namespace and create a deploy controller under it. The controller creates three nginx pods

[[email protected] manifests]# cat pod-demo.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: dev
  labels:
    name: dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dep
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      rel: stable
  template:
    metadata:
      labels:
        app: nginx
        rel: stable
    spec:
      containers:
      - name: nginx
        image: nginx:1.14-alpine
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
[[email protected] manifests]# kubectl apply -f pod-demo.yaml
namespace/dev unchanged
deployment.apps/nginx-dep created
[[email protected] manifests]# kubectl get pods -n dev -o wide
NAME                        READY   STATUS    RESTARTS   AGE   IP           NODE             NOMINATED NODE   READINESS GATES
nginx-dep-cb74c595f-5d9tb   1/1     Running   0          51s   10.244.4.6   node04.k8s.org              
nginx-dep-cb74c595f-ftmn9   1/1     Running   0          51s   10.244.1.5   node01.k8s.org              
nginx-dep-cb74c595f-jf9p9   1/1     Running   0          51s   10.244.3.4   node03.k8s.org              
[[email protected] manifests]#

Before applying the above network policy, use the pod in default to access the pod under the corresponding dev namespace to see if it can be accessed normally?

[[email protected] manifests]# kubectl get pods -n dev -o wide
NAME                        READY   STATUS    RESTARTS   AGE   IP           NODE             NOMINATED NODE   READINESS GATES
nginx-dep-cb74c595f-5d9tb   1/1     Running   0          86s   10.244.4.6   node04.k8s.org              
nginx-dep-cb74c595f-ftmn9   1/1     Running   0          86s   10.244.1.5   node01.k8s.org              
nginx-dep-cb74c595f-jf9p9   1/1     Running   0          86s   10.244.3.4   node03.k8s.org              
[[email protected] manifests]# kubectl get pods 
NAME    READY   STATUS    RESTARTS   AGE
web-0   1/1     Running   6          3d16h
web-1   1/1     Running   5          3d16h
web-2   1/1     Running   6          3d16h
[[email protected] manifests]# kubectl exec web-0 -it -- /bin/sh
/ # wget -O - -q 10.244.4.6



Welcome to nginx!

    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }



Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.

Thank you for using nginx.


/ #

Tip: you can see that the pod under the default namespace can normally access the pod under the dev namespace;

Application resource list

[[email protected] ~]# cat denyall-ingress-dev.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Ingress
[[email protected] ~]# kubectl apply -f denyall-ingress-dev.yaml
networkpolicy.networking.k8s.io/deny-all-ingress created
[[email protected] ~]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
deny-all-ingress            10s
[[email protected] ~]# kubectl describe netpol deny-all-ingress -n dev
Name:         deny-all-ingress
Namespace:    dev
Created on:   2021-01-04 15:34:40 +0800 CST
Labels:       
Annotations:  
Spec:
  PodSelector:      (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
     (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress
[[email protected] ~]#

Tip: as can be seen from the details of netpol resources above, if the pod selector of the corresponding netpol resource is none, it means that all pods under the corresponding namespace are selected, and if the allowing ingress traffic is also none, it means that no client is allowed to access the pods under the namespace; If there is no outbound policy, it means that all outbound traffic is rejected; By default, only the inbound rules are effective, so the outbound rules here are not effective, that is, the outbound traffic is not limited; Policytypes indicates that the corresponding policy is effective. By default, it is not specified as progress;

Verification: use the pod under the default namespace to access the pod under the dev namespace to see if it can be accessed normally?

Tip: you can see that the current POD under the default namespace cannot access the pod under the dev namespace;

Verification: the pod under the dev namespace accesses the pod under the same namespace to see if it can be accessed?

Tip: you can see that the pod under the dev namespace can’t access the pod under the dev namespace, but you can access yourself. The reason is that you can access yourself, and the traffic will not go out. It is processed on the lo interface, so your access is not limited;

Verification: use the pod under the dev namespace to access the pod under the default namespace to see if it is allowed?

Tip: you can see that there is no problem using the pod under the dev namespace to access the pod under the default namespace. It shows that the rule just now only limits the inbound traffic of the pod under the dev namespace, not the outbound traffic; The response 404 in 10.244.4.5 and 3.3 is accessed above because the web service on the corresponding pod does not have a home page;

Example: limit the outbound traffic of pods in dev namespace and reject all outbound traffic of pods

[[email protected] ~]# cat denyall-Egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: 
  name: deny-all-egress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Egress
[[email protected] ~]# 

Tip: the policytypes field is used to control which type of rule takes effect. This field is a list. By default, it is progress, which means that only inbound traffic is restricted. If it is explicitly manually defined as progress, it means that only outbound traffic is restricted; The logic of outbound policy and inbound policy are the same. As long as there is no explicit and defined policy, it means to reject the operation, and only the explicitly defined policy means to allow the corresponding operation; There are no outbound rules defined above, which means that all pods are denied access to external services;

Application resource list

[[email protected] ~]# kubectl apply -f denyall-Egress.yaml
networkpolicy.networking.k8s.io/deny-all-egress created
[[email protected] ~]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
deny-all-egress             10s
deny-all-ingress            24m
[[email protected] ~]# kubectl describe netpol deny-all-egress -n dev
Name:         deny-all-egress
Namespace:    dev
Created on:   2021-01-04 15:59:16 +0800 CST
Labels:       
Annotations:  
Spec:
  PodSelector:      (Allowing the specific traffic to all pods in this namespace)
  Not affecting ingress traffic
  Allowing egress traffic:
     (Selected pods are isolated for egress connectivity)
  Policy Types: Egress
[[email protected] ~]#

Verification: enter the pod interactive interface under the dev namespace to see if you can access pods under other namespaces?

Tip: you can see that now the pod under the dev namespace can be accessed, but the pod under the default namespace cannot be accessed;

Verification: remove the inbound restriction and use the pod under the dev namespace to access each other to see if it can be accessed normally?

[[email protected] ~]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
deny-all-egress             5m50s
deny-all-ingress            30m
[[email protected] ~]# kubectl delete netpol deny-all-ingress -n dev
networkpolicy.networking.k8s.io "deny-all-ingress" deleted
[[email protected] ~]# kubectl get netpol -n dev                    
NAME              POD-SELECTOR   AGE
deny-all-egress            6m9s
[[email protected] ~]# kubectl get pods -n dev -o wide                             
NAME                        READY   STATUS    RESTARTS   AGE   IP           NODE             NOMINATED NODE   READINESS GATES
nginx-dep-cb74c595f-5d9tb   1/1     Running   0          34m   10.244.4.6   node04.k8s.org              
nginx-dep-cb74c595f-ftmn9   1/1     Running   0          34m   10.244.1.5   node01.k8s.org              
nginx-dep-cb74c595f-jf9p9   1/1     Running   0          34m   10.244.3.4   node03.k8s.org              
[[email protected] ~]# kubectl exec -it nginx-dep-cb74c595f-5d9tb -n dev -- /bin/sh
/ # wget -O - -q 10.244.1.5
^C
/ # wget -O - -q 10.244.3.4
^C
/ # wget -O - -q 10.244.4.6



Welcome to nginx!

    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }



Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.

Thank you for using nginx.


/ #

Tip: you can see that after the outbound traffic is limited, pods in the same namespace cannot be accessed normally; But you can visit yourself;

Example: restrict the outbound traffic of pods in the dev namespace and allow pods in the dev namespace to access each other

[[email protected] ~]# cat allow-dev-Egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dev-egress
  namespace: dev
spec:
  podSelector: {}
  egress:
    - to:
      - podSelector:
          matchLabels:
            app: nginx
            rel: stable
      ports:
      - port: 80
        protocol: TCP 
  policyTypes:
  - Egress
[[email protected] ~]# 

Tip: to limit outbound traffic, you can define the allowed outbound rules in spec.egress; The to field is used to describe the accessed end, and its value type is a list object; The podselector field is used to describe the accessed end pod selector. Only the pods that meet the conditions of the corresponding pod selector are allowed to leave the station; spec.egress. The ports field is used to describe the port information of the accessed endpoint; This field is a list object; Note that the namespace is not specified in the rule by default, which means it matches the namespace of the current netpol; The above list shows that the pod under dev allows access to port 80 of the pod labeled app = nginx and rel = stable under the dev namespace;

Delete the deny all egress outbound policy and apply its resource manifest

[[email protected] ~]# kubectl get netpol -n dev
NAME              POD-SELECTOR   AGE
deny-all-egress            26m
[[email protected] ~]# kubectl delete netpol deny-all-egress -n dev
networkpolicy.networking.k8s.io "deny-all-egress" deleted
[[email protected] ~]# kubectl apply -f allow-dev-Egress.yaml
networkpolicy.networking.k8s.io/allow-dev-egress created
[[email protected] ~]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
allow-dev-egress            10s
[[email protected] ~]# kubectl describe netpol allow-dev-egress -n dev
Name:         allow-dev-egress
Namespace:    dev
Created on:   2021-01-04 16:34:23 +0800 CST
Labels:       
Annotations:  
Spec:
  PodSelector:      (Allowing the specific traffic to all pods in this namespace)
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port: 80/TCP
    To:
      PodSelector: app=nginx,rel=stable
  Policy Types: Egress
[[email protected] ~]#

Verification: enter the pod under the dev namespace to see if the pod under the dev namespace can be accessed normally?

[[email protected] ~]# kubectl get pods -n dev -o wide
NAME                        READY   STATUS    RESTARTS   AGE   IP           NODE             NOMINATED NODE   READINESS GATES
nginx-dep-cb74c595f-5d9tb   1/1     Running   0          65m   10.244.4.6   node04.k8s.org              
nginx-dep-cb74c595f-ftmn9   1/1     Running   0          65m   10.244.1.5   node01.k8s.org              
nginx-dep-cb74c595f-jf9p9   1/1     Running   0          65m   10.244.3.4   node03.k8s.org              
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-5d9tb -- /bin/sh
/ # wget -O - -q 10.244.1.5



Welcome to nginx!

    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }



Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.

Thank you for using nginx.


/ # wget -O - -q 10.244.3.4



Welcome to nginx!

    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }



Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.

Thank you for using nginx.


/ #

Tip: you can see that the pod under the dev namespace can be accessed normally;

Verification: use the dev namespace pod to access the pod labeled app = nginx and rel = stable under the default namespace to see if it can be accessed normally?

[[email protected] ~]# kubectl get pods -n dev 
NAME                        READY   STATUS    RESTARTS   AGE
nginx-dep-cb74c595f-27qjp   1/1     Running   2          88m
nginx-dep-cb74c595f-b92s4   1/1     Running   1          88m
nginx-dep-cb74c595f-wdqnh   1/1     Running   1          88m
[[email protected] ~]# kubectl get pods -o wide --show-labels                      
NAME                        READY   STATUS    RESTARTS   AGE     IP            NODE             NOMINATED NODE   READINESS GATES   LABELS
nginx-dep-cb74c595f-5mwl2   1/1     Running   1          89m     10.244.4.18   node04.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-vxc9z   1/1     Running   1          89m     10.244.3.12   node03.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-z265t   1/1     Running   1          89m     10.244.2.13   node02.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
web-0                       1/1     Running   8          3d20h   10.244.2.14   node02.k8s.org                          app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-0
web-1                       1/1     Running   7          3d20h   10.244.4.16   node04.k8s.org                          app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-1
web-2                       1/1     Running   8          3d20h   10.244.3.11   node03.k8s.org                          app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-2
[[email protected] ~]# kubectl exec -it nginx-dep-cb74c595f-27qjp -n dev -- /bin/sh
/ # wget -O - -q 10.244.4.18
^C
/ # wget -O - -q 10.244.3.12
^C
/ # wget -O - -q 10.244.2.13
^C
/ #

Tip: you can see that the pod under the dev namespace accesses. The pod labeled app = nginx and rel = stable under the default namespace cannot be accessed normally because we do not specify the namespace of the corresponding access target in the policy. The default is the namespace of the corresponding netpol;

Example: allow the pod under the dev namespace to access the pod labeled app = nginx, rel = stable under the default and dev namespaces

[[email protected] ~]# cat allow-dev-def-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dev-egress
  namespace: dev
spec:
  podSelector: {} 
  egress:
    - to:
      - namespaceSelector:
          matchExpressions:
          - key: name
            operator: In
            values: ["def","dev"]
        podSelector:
          matchLabels:
            app: nginx
            rel: stable
      ports:
      - port: 80
        protocol: TCP 
  policyTypes:
  - Egress
[[email protected] ~]# 

Tip: spec.egress The namespeceselector field in to is used to describe the namespace where the accessed end is located; The podselector field is used to describe the pod of the accessed end; If “-” is used in front of only one of the two fields, the conditions specified by namespaceselector and podselector are and, that is, both conditions must be met; If both fields start with “-“, the conditions specified in the two fields are or relationships, that is, the conditions that meet one of the fields can be matched by rules; The above example shows that all pods under dev can access the pods under the namespace whose tags are name = def or name = dev, and the tags of these pods must be app = nginx, rel = stable; That is, to be accessed by the pod under the dev namespace, the corresponding pod should meet two conditions at the same time. First, there is a label of name = def or name = dev on the corresponding namespace; Secondly, pod itself should have two tags, APP = nginx and rel = stable; These two conditions are indispensable;

Delete the original netpol and apply the new list

[[email protected] ~]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
allow-dev-egress            28m
[[email protected] ~]# kubectl delete netpol allow-dev-egress -n dev
networkpolicy.networking.k8s.io "allow-dev-egress" deleted
[[email protected] ~]# kubectl apply -f allow-dev-def-egress.yaml 
networkpolicy.networking.k8s.io/allow-dev-egress created
[[email protected] ~]# kubectl get netpol -n dev                    
NAME               POD-SELECTOR   AGE
allow-dev-egress            5s
[[email protected] ~]# kubectl describe netpol allow-dev-egress -n dev
Name:         allow-dev-egress
Namespace:    dev
Created on:   2021-01-04 19:44:32 +0800 CST
Labels:       
Annotations:  
Spec:
  PodSelector:      (Allowing the specific traffic to all pods in this namespace)
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port: 80/TCP
    To:
      NamespaceSelector: name in (def,dev)
      PodSelector: app=nginx,rel=stable
  Policy Types: Egress
[[email protected] ~]#

Tip: you can see that the corresponding outbound rule has two conditions. First, the namespace must match, name = def or name = dev, that is, the corresponding namespace must have such a label; Secondly, pod must meet the label of APP = nginx and rel = stable;

Label the default namespace with name = default

[[email protected] ~]# kubectl get ns --show-labels
NAME                   STATUS   AGE     LABELS
default                Active   27d     
dev                    Active   4h24m   name=dev
ingress-nginx          Active   13d     app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
kube-node-lease        Active   27d     
kube-public            Active   27d     
kube-system            Active   27d     
kubernetes-dashboard   Active   2d5h    
prod                   Active   57m     name=prod
[[email protected] ~]# kubectl label ns default name=def
namespace/default labeled
[[email protected] ~]# kubectl get ns --show-labels     
NAME                   STATUS   AGE     LABELS
default                Active   27d     name=def
dev                    Active   4h24m   name=dev
ingress-nginx          Active   13d     app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
kube-node-lease        Active   27d     
kube-public            Active   27d     
kube-system            Active   27d     
kubernetes-dashboard   Active   2d5h    
prod                   Active   58m     name=prod
[[email protected] ~]#

Verification: use the pod under dev to access the pod labeled app = nginx and rel = stable in the default and dev namespaces to see if the corresponding pod can be accessed?

[[email protected] ~]# kubectl get pods -n dev -o wide --show-labels
NAME                        READY   STATUS    RESTARTS   AGE    IP            NODE             NOMINATED NODE   READINESS GATES   LABELS
nginx-dep-cb74c595f-27qjp   1/1     Running   2          116m   10.244.1.18   node01.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-b92s4   1/1     Running   1          116m   10.244.4.17   node04.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-wdqnh   1/1     Running   1          116m   10.244.1.19   node01.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
[[email protected] ~]# kubectl get pods  -o wide --show-labels      
NAME                        READY   STATUS    RESTARTS   AGE     IP            NODE             NOMINATED NODE   READINESS GATES   LABELS
nginx-dep-cb74c595f-5mwl2   1/1     Running   1          117m    10.244.4.18   node04.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-vxc9z   1/1     Running   1          117m    10.244.3.12   node03.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-z265t   1/1     Running   1          117m    10.244.2.13   node02.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
web-0                       1/1     Running   8          3d21h   10.244.2.14   node02.k8s.org                          app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-0
web-1                       1/1     Running   7          3d21h   10.244.4.16   node04.k8s.org                          app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-1
web-2                       1/1     Running   8          3d21h   10.244.3.11   node03.k8s.org                          app=nginx,controller-revision-hash=web-6db9455fdf,statefulset.kubernetes.io/pod-name=web-2
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.17
Connecting to 10.244.4.17 (10.244.4.17:80)
/ # wget --spider --timeout=1 10.244.1.19 
Connecting to 10.244.1.19 (10.244.1.19:80)
/ # wget --spider --timeout=1 10.244.4.18
Connecting to 10.244.4.18 (10.244.4.18:80)
/ # wget --spider --timeout=1 10.244.3.12
Connecting to 10.244.3.12 (10.244.3.12:80)
/ # wget --spider --timeout=1 10.244.2.13
Connecting to 10.244.2.13 (10.244.2.13:80)
/ # wget --spider --timeout=1 10.244.2.14
Connecting to 10.244.2.14 (10.244.2.14:80)
wget: download timed out
/ #

Tip: you can see that pods with name = def or name = dev tags on the dev namespace and app = nginx and rel = stable tags on the corresponding pods can be accessed normally. If the corresponding namespace and pod tags cannot be met, the pods cannot be accessed; In the above example, the last podip does not meet the label of the pod, so the corresponding pod cannot be accessed;

Example: allow the pod under the dev namespace to access the pod under the namespace with the tag name = def or name = dev on the namespace or the tag name = prod on the namespace, and the pod under the corresponding namespace must have the tag app = nginx, rel = stable;

[[email protected] ~]# cat allow-dev-def-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dev-egress
  namespace: dev
spec:
  podSelector: {} 
  egress:
    - to:
      - namespaceSelector:
          matchExpressions:
          - key: name
            operator: In
            values: ["def","dev"]
    - to:
      - namespaceSelector:
          matchLables:
            name: prod
        podSelector:
          matchLabels:
            app: nginx
            rel: stable
      ports:
      - port: 80
        protocol: TCP 
  policyTypes:
  - Egress
[[email protected] ~]# 

Application configuration list

[[email protected] ~]# kubectl apply -f allow-dev-def-egress.yaml
networkpolicy.networking.k8s.io/allow-dev-egress created
[[email protected] ~]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
allow-dev-egress            10s
[[email protected] ~]# kubectl describe netpol allow-dev-egress -n dev
Name:         allow-dev-egress
Namespace:    dev
Created on:   2021-01-04 20:44:42 +0800 CST
Labels:       
Annotations:  
Spec:
  PodSelector:      (Allowing the specific traffic to all pods in this namespace)
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port:  (traffic allowed to all ports)
    To:
      NamespaceSelector: name in (def,dev)
    ----------
    To Port: 80/TCP
    To:
      NamespaceSelector: name=prod
      PodSelector: app=nginx,rel=stable
  Policy Types: Egress
[[email protected] ~]#

Verification: use the pod under the dev namespace to access the pod under the dev namespace to see if it can be accessed normally?

[[email protected] ~]# kubectl get pods -n dev -o wide 
NAME                        READY   STATUS    RESTARTS   AGE    IP            NODE             NOMINATED NODE   READINESS GATES
nginx-dep-cb74c595f-27qjp   1/1     Running   2          168m   10.244.1.18   node01.k8s.org              
nginx-dep-cb74c595f-b92s4   1/1     Running   1          168m   10.244.4.17   node04.k8s.org              
nginx-dep-cb74c595f-wdqnh   1/1     Running   1          168m   10.244.1.19   node01.k8s.org              
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.17
Connecting to 10.244.4.17 (10.244.4.17:80)
/ # wget --spider --timeout=1 10.244.1.19
Connecting to 10.244.1.19 (10.244.1.19:80)
/ # exit
[[email protected] ~]#

Tip: you can see that there is no problem in accessing pods under the dev namespace;

Verification: use the pod under the dev namespace to access the pod under the default namespace to see if it can be accessed normally?

[[email protected] ~]# kubectl get pods -n dev -o wide
NAME                        READY   STATUS    RESTARTS   AGE    IP            NODE             NOMINATED NODE   READINESS GATES
nginx-dep-cb74c595f-27qjp   1/1     Running   2          170m   10.244.1.18   node01.k8s.org              
nginx-dep-cb74c595f-b92s4   1/1     Running   1          170m   10.244.4.17   node04.k8s.org              
nginx-dep-cb74c595f-wdqnh   1/1     Running   1          170m   10.244.1.19   node01.k8s.org              
[[email protected] ~]# kubectl get pods -o wide
NAME                        READY   STATUS    RESTARTS   AGE     IP            NODE             NOMINATED NODE   READINESS GATES
nginx-dep-cb74c595f-5mwl2   1/1     Running   1          171m    10.244.4.18   node04.k8s.org              
nginx-dep-cb74c595f-vxc9z   1/1     Running   1          171m    10.244.3.12   node03.k8s.org              
nginx-dep-cb74c595f-z265t   1/1     Running   1          171m    10.244.2.13   node02.k8s.org              
web-0                       1/1     Running   8          3d22h   10.244.2.14   node02.k8s.org              
web-1                       1/1     Running   7          3d22h   10.244.4.16   node04.k8s.org              
web-2                       1/1     Running   8          3d22h   10.244.3.11   node03.k8s.org              
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.18
Connecting to 10.244.4.18 (10.244.4.18:80)
/ # wget --spider --timeout=1 10.244.3.12
Connecting to 10.244.3.12 (10.244.3.12:80)
/ # wget --spider --timeout=1 10.244.2.13
Connecting to 10.244.2.13 (10.244.2.13:80)
/ # wget --spider --timeout=1 10.244.2.14
Connecting to 10.244.2.14 (10.244.2.14:80)
/ # wget --spider --timeout=1 10.244.4.16
Connecting to 10.244.4.16 (10.244.4.16:80)
wget: server returned error: HTTP/1.1 403 Forbidden
/ # wget --spider --timeout=1 10.244.3.11
Connecting to 10.244.3.11 (10.244.3.11:80)
wget: server returned error: HTTP/1.1 403 Forbidden
/ #

Tip: you can see that all pods in the default namespace can be accessed by pods in the dev namespace; 403 is displayed later because the corresponding web service does not have a home page;

Verification: use the pod under the dev namespace to access the pod under the prod namespace to see if the corresponding pod can be accessed?

[[email protected] ~]# kubectl get ns prod --show-labels
NAME   STATUS   AGE    LABELS
prod   Active   118m   name=prod
[[email protected] ~]# kubectl get pods -n prod -o wide --show-labels
NAME                         READY   STATUS    RESTARTS   AGE    IP            NODE             NOMINATED NODE   READINESS GATES   LABELS
nginx-dep-cb74c595f-rzbv2    1/1     Running   0          118m   10.244.4.19   node04.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-v8ssx    1/1     Running   0          118m   10.244.3.13   node03.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep-cb74c595f-zsqcc    1/1     Running   0          118m   10.244.2.15   node02.k8s.org                          app=nginx,pod-template-hash=cb74c595f,rel=stable
nginx-dep1-f85fdcdbc-kdq5b   1/1     Running   0          117m   10.244.1.21   node01.k8s.org                          app=nginx,pod-template-hash=f85fdcdbc
nginx-dep1-f85fdcdbc-n8cvs   1/1     Running   0          117m   10.244.3.14   node03.k8s.org                          app=nginx,pod-template-hash=f85fdcdbc
nginx-dep1-f85fdcdbc-vz2mp   1/1     Running   0          117m   10.244.4.20   node04.k8s.org                          app=nginx,pod-template-hash=f85fdcdbc
[[email protected] ~]# kubectl get pods -n dev
NAME                        READY   STATUS    RESTARTS   AGE
nginx-dep-cb74c595f-27qjp   1/1     Running   2          174m
nginx-dep-cb74c595f-b92s4   1/1     Running   1          174m
nginx-dep-cb74c595f-wdqnh   1/1     Running   1          174m
[[email protected] ~]# kubectl exec -it -n dev nginx-dep-cb74c595f-27qjp -- /bin/sh
/ # wget --spider --timeout=1 10.244.4.20 
Connecting to 10.244.4.20 (10.244.4.20:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.3.14 
Connecting to 10.244.3.14 (10.244.3.14:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.1.21
Connecting to 10.244.1.21 (10.244.1.21:80)
wget: download timed out
/ # wget --spider --timeout=1 10.244.2.15
Connecting to 10.244.2.15 (10.244.2.15:80)
/ # wget --spider --timeout=1 10.244.3.13
Connecting to 10.244.3.13 (10.244.3.13:80)
/ # wget --spider --timeout=1 10.244.4.19
Connecting to 10.244.4.19 (10.244.4.19:80)
/ #

Tip: it can be seen that in the prod namespace, all pods with the corresponding pod tag app = nginx and rel = stable can be accessed by the pod under dev. if the corresponding tag is not app = nginx and rel = stable, it cannot be accessed;

It can be concluded from the above example that on k8s, the network policy is a white list mechanism. The so-called white list mechanism means that only clearly defined policies can be allowed to be released. By default, if there is no specified rule, it is rejected, that is, those with mismatched conditions will be rejected; Secondly, for ingress or egress, the corresponding from or to is the information used to specify the access end or the accessed end; If we do not define the namespaceselector field in the corresponding field, the default ingress or egrss will match the namespace of the current netpol, that is, when the namespaceselector field is not explicitly specified, other corresponding conditions are for the namespace of the current netpol; Multiple conditions are used in combination. If multiple conditions are in one list, it means that multiple conditions are and related, that is, the specified conditions need to meet the corresponding policies at the same time before they can be released; If multiple conditions are no longer in the same list, there is a or relationship between multiple conditions, that is, if one of the conditions is met, it will be released by the corresponding policy;