Environment setup
Create the namespace ns-calico-01
apiVersion: v1
kind: Namespace
metadata:
  name: ns-calico-01
Create calico-01-busybox
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-calico-01
  name: calico-01-busybox
  labels:
    app: calico-01-busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: calico-01-busybox
  template:
    metadata:
      labels:
        app: calico-01-busybox
        access: "true"  # add the label that grants access
    spec:
      containers:
      - name: calico-01-busybox
        image: nginx:alpine
        ports:
        - containerPort: 80
Create calico-01-nginx-01
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-calico-01
  name: calico-01-nginx-01
  labels:
    app: calico-01-nginx-01
spec:
  replicas: 1
  selector:
    matchLabels:
      app: calico-01-nginx-01
  template:
    metadata:
      labels:
        app: calico-01-nginx-01
        access: "true"  # add the label that grants access
    spec:
      containers:
      - name: calico-01-nginx-01
        image: nginx:alpine
        ports:
        - containerPort: 80
Create calico-01-nginx-02 (note: this one deliberately has no access label)
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-calico-01
  name: calico-01-nginx-02
  labels:
    app: calico-01-nginx-02
spec:
  replicas: 1
  selector:
    matchLabels:
      app: calico-01-nginx-02
  template:
    metadata:
      labels:
        app: calico-01-nginx-02
    spec:
      containers:
      - name: calico-01-nginx-02
        image: nginx:alpine
        ports:
        - containerPort: 80
Create the Service calico-01-nginx
apiVersion: v1
kind: Service
metadata:
  name: calico-01-nginx
  namespace: ns-calico-01
  labels:
    app: calico-01-nginx-01
spec:
  selector:
    app: calico-01-nginx-01
  ports:
  - port: 80
Write the network policy for ns-calico-01
[root@M01 ns]# cat ns-calico-01-networkpolicy.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: ns-calico-01
spec:
  podSelector:
    matchLabels:
      app: calico-01-nginx-01
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
Write the test Pod (in a second namespace, ns-calico-02)
apiVersion: v1
kind: Namespace
metadata:
  name: ns-calico-02
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-calico-02
  name: calico-02-busybox
  labels:
    app: calico-02-busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: calico-02-busybox
  template:
    metadata:
      labels:
        app: calico-02-busybox
        access: "true"
    spec:
      containers:
      - name: calico-02-busybox
        image: nginx:alpine
        ports:
        - containerPort: 80
Environment setup complete
[root@M01 ns]# kubectl -n ns-calico-01 get pod,svc -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/calico-01-busybox-7d99bc6fc5-56lmt 1/1 Running 0 50m 10.46.205.240 work01 <none> <none>
pod/calico-01-nginx-01-5669875f-qf6zf 1/1 Running 0 50m 10.46.205.238 work01 <none> <none>
pod/calico-01-nginx-02-bcfc966bc-ll8v4 1/1 Running 0 50m 10.46.205.239 work01 <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/calico-01-nginx ClusterIP 10.48.68.219 <none> 80/TCP 50m app=calico-01-nginx-01
[root@M01 ns]#
[root@M01 ns]# kubectl -n ns-calico-02 get pod,svc -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/calico-02-busybox-6866c8b66f-6czd2 1/1 Running 0 50m 10.46.205.241 work01 <none> <none>
Testing
From the pod calico-02-busybox-6866c8b66f-6czd2 we curl the three pod IPs; before the network policy is added, everything is reachable.
[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.240
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:16:06 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes
[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.238
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:16:09 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes
[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.239
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:16:17 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes
### Apply the network policy and verify it
[root@M01 ns]# kubectl apply -f ns-calico-01-networkpolicy.yml
networkpolicy.networking.k8s.io/access-nginx created
[root@M01 ns]# kubectl -n ns-calico-01 describe networkpolicies access-nginx
Name: access-nginx
Namespace: ns-calico-01
Created on: 2021-03-23 13:19:16 +0800 CST
Labels: <none>
Annotations:
Spec:
PodSelector: app=calico-01-nginx-01
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From:
PodSelector: access=true
Not affecting egress traffic
Policy Types: Ingress
Test result 1: from the calico-02-busybox-6866c8b66f-6czd2 pod, curl -I 10.46.205.238 fails (the other two pod IPs still answer).
[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.240
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:20:45 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes
[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.239
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:20:53 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes
# Even though we labelled calico-02-busybox in ns-calico-02 with access=true
[root@M01 ns]# kubectl -n ns-calico-02 exec -it calico-02-busybox-6866c8b66f-6czd2 -- curl -I 10.46.205.238
curl: (28) Failed to connect to 10.46.205.238 port 80: Operation timed out
command terminated with exit code 28
Test result 2:
From the calico-01-busybox-7d99bc6fc5-56lmt pod, curl -I 10.46.205.238 succeeds, because we gave this pod the label access=true.
[root@M01 ns]# kubectl -n ns-calico-01 exec -it calico-01-busybox-7d99bc6fc5-56lmt -- curl -I 10.46.205.238
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:24:55 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes
Test result 3
From the calico-01-nginx-02-bcfc966bc-ll8v4 pod, curl -I 10.46.205.238 fails while the other pods are reachable; it fails because this pod does not carry the label access: "true".
[root@M01 ns]# kubectl -n ns-calico-01 exec -it calico-01-nginx-02-bcfc966bc-ll8v4 -- curl -I 10.46.205.241
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:27:02 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes
[root@M01 ns]# kubectl -n ns-calico-01 exec -it calico-01-nginx-02-bcfc966bc-ll8v4 -- curl -I 10.46.205.240
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Tue, 23 Mar 2021 05:27:10 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 15 Dec 2020 14:55:32 GMT
Connection: keep-alive
ETag: "5fd8ce64-264"
Accept-Ranges: bytes
[root@M01 ns]# kubectl -n ns-calico-01 exec -it calico-01-nginx-02-bcfc966bc-ll8v4 -- curl -I 10.46.205.238
^Ccommand terminated with exit code 130
Conclusions:
1. Within the same namespace, a pod can reach calico-01-nginx-01 as long as it carries the label access=true.
2. Across namespaces, a pod cannot reach it even with the label access=true: a podSelector in a from rule only matches pods in the policy's own namespace, so cross-namespace access would additionally require a namespaceSelector.
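Two follow-up policies for ns-calico-01, added here as an example and not part of the original post: a default-deny ingress policy (without it, calico-01-nginx-02 and calico-01-busybox stay open to every pod in the cluster, which the tests above confirm) and a replacement for access-nginx that also admits access=true pods from other namespaces by combining namespaceSelector and podSelector in one from item. The namespace label team=calico-lab is an assumption; ns-calico-02 would need `kubectl label ns ns-calico-02 team=calico-lab` before rule 2 matches its pod.

```yaml
# Added example (not from the original post). Applying this file replaces the
# access-nginx policy shown above and adds a namespace-wide default deny.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ns-calico-01
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed, so all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: ns-calico-01
spec:
  podSelector:
    matchLabels:
      app: calico-01-nginx-01
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Rule 1: pods labelled access=true in ns-calico-01 (same as the post).
    - podSelector:
        matchLabels:
          access: "true"
    # Rule 2: one list item holding BOTH selectors means AND: the source pod
    # must carry access=true AND live in a namespace labelled team=calico-lab
    # (assumed label; see lead-in).
    - namespaceSelector:
        matchLabels:
          team: calico-lab
      podSelector:
        matchLabels:
          access: "true"
    # Pitfall: writing `- namespaceSelector:` and `- podSelector:` as two
    # separate list items would OR them, letting every pod in the labelled
    # namespace in regardless of its own labels.
    ports:
    - protocol: TCP
      port: 80             # narrow from <any> port to the nginx port only
```

After applying, rerun the three curl checks from the post: calico-02-busybox should now reach 10.46.205.238 only once its namespace carries the team=calico-lab label, and calico-01-nginx-02 should stop answering from pods that lack access=true.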