calico NetworkPolicy

Environment setup

Create the namespace ns-calico-01

apiVersion: v1
kind: Namespace
metadata:
  name: ns-calico-01

Create the client deployment calico-01-busybox (despite the name it runs nginx:alpine; that image ships curl, which the tests below run from inside the pod)

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-calico-01
  name: calico-01-busybox
  labels:
    app: calico-01-busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: calico-01-busybox
  template:
    metadata:
      labels:
        app: calico-01-busybox
        access: "true" # add the allow-access label
    spec:
      containers:
      - name: calico-01-busybox
        image: nginx:alpine
        ports:
        - containerPort: 80

Create calico-01-nginx-01 (the server that the policy will protect)

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-calico-01
  name: calico-01-nginx-01
  labels:
    app: calico-01-nginx-01
spec:
  replicas: 1
  selector:
    matchLabels:
      app: calico-01-nginx-01
  template:
    metadata:
      labels:
        app: calico-01-nginx-01
        access: "true" # add the allow-access label
    spec:
      containers:
      - name: calico-01-nginx-01
        image: nginx:alpine
        ports:
        - containerPort: 80

Create calico-01-nginx-02 (same namespace, deliberately without the access label)

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-calico-01
  name: calico-01-nginx-02
  labels:
    app: calico-01-nginx-02
spec:
  replicas: 1
  selector:
    matchLabels:
      app: calico-01-nginx-02
  template:
    metadata:
      labels:
        app: calico-01-nginx-02
    spec:
      containers:
      - name: calico-01-nginx-02
        image: nginx:alpine
        ports:
        - containerPort: 80

Create the Service calico-01-nginx (ClusterIP in front of calico-01-nginx-01)

apiVersion: v1
kind: Service
metadata:
  name: calico-01-nginx
  namespace: ns-calico-01
  labels:
    app: calico-01-nginx-01
spec:
  selector:
    app: calico-01-nginx-01
  ports:
    - port: 80

Write the NetworkPolicy for ns-calico-01

The policy selects the app=calico-01-nginx-01 pods and allows ingress to them only from pods labelled access=true. Note that a bare podSelector under from is evaluated against pods in the policy's own namespace; pods in other namespaces never match it, whatever labels they carry, unless a namespaceSelector is combined with it in the same from element.

[root@M01 ns]# cat ns-calico-01-networkpolicy.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: ns-calico-01
spec:
  podSelector:
    matchLabels:
      app: calico-01-nginx-01
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"

Create the test pod in a second namespace, ns-calico-02, also labelled access=true

apiVersion: v1
kind: Namespace
metadata:
  name: ns-calico-02

---

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-calico-02
  name: calico-02-busybox
  labels:
    app: calico-02-busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: calico-02-busybox
  template:
    metadata:
      labels:
        app: calico-02-busybox
        access: "true"
    spec:
      containers:
      - name: calico-02-busybox
        image: nginx:alpine
        ports:
        - containerPort: 80

Environment ready

[root@M01 ns]# kubectl -n ns-calico-01 get pod,svc -o wide
NAME                                     READY   STATUS    RESTARTS   AGE   IP              NODE     NOMINATED NODE   READINESS GATES
pod/calico-01-busybox-7d99bc6fc5-56lmt   1/1     Running   0          50m   10.46.205.240   work01   <none>           <none>
pod/calico-01-nginx-01-5669875f-qf6zf    1/1     Running   0          50m   10.46.205.238   work01   <none>           <none>
pod/calico-01-nginx-02-bcfc966bc-ll8v4   1/1     Running   0          50m   10.46.205.239   work01   <none>           <none>

NAME                      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE   SELECTOR
service/calico-01-nginx   ClusterIP   10.48.68.219   <none>        80/TCP    50m   app=calico-01-nginx-01
[root@M01 ns]#
[root@M01 ns]# kubectl -n ns-calico-02 get pod,svc -o wide
NAME                                     READY   STATUS    RESTARTS   AGE   IP              NODE     NOMINATED NODE   READINESS GATES
pod/calico-02-busybox-6866c8b66f-6czd2   1/1     Running   0          50m   10.46.205.241   work01   <none>           <none>

Tests

Before any policy is applied, curl from pod calico-02-busybox-6866c8b66f-6czd2 (namespace ns-calico-02) reaches all three pods in ns-calico-01:

[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.240
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:16:06 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes

[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.238
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:16:09 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes

[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.239
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:16:17 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes

Apply the network policy and verify

[root@M01 ns]# kubectl apply -f ns-calico-01-networkpolicy.yml
networkpolicy.networking.k8s.io/access-nginx created
[root@M01 ns]# kubectl -n ns-calico-01 describe networkpolicies access-nginx
Name:         access-nginx
Namespace:    ns-calico-01
Created on:   2021-03-23 13:19:16 +0800 CST
Labels:       <none>
Annotations:
Spec:
  PodSelector:     app=calico-01-nginx-01
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      PodSelector: access=true
  Not affecting egress traffic
  Policy Types: Ingress

Test result 1: from pod calico-02-busybox-6866c8b66f-6czd2, curl -I 10.46.205.238 (calico-01-nginx-01) now fails. The other two pods in ns-calico-01 still answer, because the policy does not select them and they remain non-isolated:

[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.240
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:20:45 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes

[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.239
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:20:53 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes
# calico-02-busybox carries access=true, yet nginx-01 times out: the podSelector in the from rule only matches pods in the policy's own namespace (ns-calico-01)
[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.238
curl: (28) Failed to connect to 10.46.205.238 port 80: Operation timed out
command terminated with exit code 28

Test result 2:

From pod calico-01-busybox-7d99bc6fc5-56lmt (same namespace as the policy, labelled access=true), curl -I 10.46.205.238 succeeds:

[root@M01 ns]# kubectl -n ns-calico-01 exec -it calico-01-busybox-7d99bc6fc5-56lmt  -- curl -I 10.46.205.238
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:24:55 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes

Test result 3:

From pod calico-01-nginx-02-bcfc966bc-ll8v4, curl -I 10.46.205.238 fails while the other pods remain reachable. It is in the same namespace as the policy but lacks the access: "true" label. Its own egress is unrestricted (the policy declares only Ingress, and only for nginx-01), so it still reaches the pod in ns-calico-02 and the unselected calico-01-busybox. The last request below was interrupted with Ctrl-C rather than left to time out:

[root@M01 ns]# kubectl -n ns-calico-01 exec -it calico-01-nginx-02-bcfc966bc-ll8v4  -- curl -I 10.46.205.241
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:27:02 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes

[root@M01 ns]# kubectl -n ns-calico-01 exec -it calico-01-nginx-02-bcfc966bc-ll8v4  -- curl -I 10.46.205.240
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:27:10 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes

[root@M01 ns]# kubectl -n ns-calico-01 exec -it calico-01-nginx-02-bcfc966bc-ll8v4  -- curl -I 10.46.205.238
^Ccommand terminated with exit code 130

Conclusions:
1. Within the same namespace, a pod can reach calico-01-nginx-01 as long as it carries the label access=true.
2. Across namespaces, a pod labelled access=true still cannot reach it: a podSelector in an ingress from rule is scoped to the policy's own namespace unless it is combined with a namespaceSelector in the same from element.
3. Only the pods the policy selects (app=calico-01-nginx-01) become isolated. Every other pod in ns-calico-01 stays reachable from anywhere until some policy selects it, so a default-deny ingress policy with an empty podSelector is the usual baseline. Policies are enforced on pod IPs after Service DNAT, so requests through the ClusterIP calico-01-nginx are subject to the same rule as the direct pod-IP tests above.
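As an added example (not part of the original post), the manifests below tighten the setup: a default-deny ingress policy for ns-calico-01, and a revised access-nginx that also admits the access=true pod from ns-calico-02 by placing namespaceSelector and podSelector in one from element, restricted to TCP/80. The namespace label name=ns-calico-02 is an assumption made here; the first document adds it (on Kubernetes 1.21 and later the automatic kubernetes.io/metadata.name label could be used instead).

```yaml
# Added example, not from the original post. Assumes the namespace label
# name=ns-calico-02, which the first document applies.
apiVersion: v1
kind: Namespace
metadata:
  name: ns-calico-02
  labels:
    name: ns-calico-02
---
# 1. Baseline: isolate every pod in ns-calico-01 for ingress. Without this,
#    calico-01-busybox and calico-01-nginx-02 stay reachable from anywhere
#    because no policy selects them (test results 1 and 3 above).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ns-calico-01
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. Allow list for nginx-01: access=true pods in the same namespace, plus
#    access=true pods in ns-calico-02, on TCP/80 only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: ns-calico-01
spec:
  podSelector:
    matchLabels:
      app: calico-01-nginx-01
  policyTypes:
  - Ingress
  ingress:
  - from:
    # same-namespace peers: a bare podSelector never matches other namespaces
    - podSelector:
        matchLabels:
          access: "true"
    # cross-namespace peers: namespaceSelector and podSelector in ONE list
    # element are ANDed, so only access=true pods inside ns-calico-02 match.
    # Written as two separate "- " elements they would be ORed, and every
    # pod in ns-calico-02 would be admitted.
    - namespaceSelector:
        matchLabels:
          name: ns-calico-02
      podSelector:
        matchLabels:
          access: "true"
    ports:
    - protocol: TCP
      port: 80
```

After kubectl apply -f on this file, repeating the three tests gives: calico-02-busybox reaches 10.46.205.238 (now allowed) but no longer 10.46.205.239 or 10.46.205.240 (default deny); calico-01-busybox still reaches nginx-01; calico-01-nginx-02 still does not. Egress from ns-calico-01 pods is unchanged because neither policy lists Egress in policyTypes.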
