Kubernetes 1.20.5 Lab Notes: Network Policy
1. Create the Deployment:
File deploy.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy
spec:
  replicas: 2
  selector:
    matchLabels:
      run: deploy
  template:
    metadata:
      labels:
        run: deploy
    spec:
      containers:
      - name: deploy
        image: nginx
kubectl apply -f deploy.yaml
2. Check the Pod status:
kubectl get pod -o wide
3. Create the Service:
File service.yaml:
apiVersion: v1
kind: Service
metadata:
  name: service
spec:
  ports:
  - name: 8080-80
    port: 8080
    protocol: TCP
    targetPort: 80
    nodePort: 30303
  selector:
    run: deploy
  type: NodePort
kubectl apply -f service.yaml
4. Check the Service status:
kubectl get service
6.1 No policy
1. Access test (with no NetworkPolicy in the namespace, every Pod accepts and sends all traffic):
(1) Access inside the cluster (Pod to the Service ClusterIP):
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 10.97.10.66:8080 --connect-timeout 5
(2) Access to outside the cluster (Pod to an external host):
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 192.168.0.100 --connect-timeout 5
(3) Access from outside (host to the NodePort):
curl 192.168.0.10:30303 --connect-timeout 5
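The three checks above are repeated after every policy in the sections that follow. The script below is an added example, not part of the original notes: it runs the same checks as one matrix (kubectl exec plus curl, using the lab's Pod name, addresses and ports) and classifies each result, so a policy change can be compared against an expected outcome. The runner function can be swapped for an offline one, as the test does.

```python
# Added example, not part of the original lab notes: runs the lab's reachability
# checks as one matrix via "kubectl exec <pod> -- curl" and classifies the results.
# Pod names, addresses and ports are the ones used in the lab.
import subprocess

# Targets used throughout the lab: the Service ClusterIP:port and the external host.
TARGETS = {"service": "10.97.10.66:8080", "external": "192.168.0.100"}
TIMEOUT = 5

def run_curl(pod, url):
    """Exit status of curl run inside pod via kubectl exec, or locally when pod is None
    (the lab's 'access from outside' check against the NodePort)."""
    curl = ["curl", "-s", "-o", "/dev/null", "--connect-timeout", str(TIMEOUT), url]
    cmd = curl if pod is None else ["kubectl", "exec", pod, "--"] + curl
    return subprocess.run(cmd, capture_output=True).returncode

def classify(rc):
    """Map a curl exit status to a verdict. A NetworkPolicy that drops packets shows up
    as a connect timeout (28); 'connection refused' (7) means the packet got through
    but nothing listened, which is not a policy effect and needs a different look."""
    return {0: "ALLOWED", 28: "DROPPED (timeout)", 7: "REFUSED"}.get(rc, f"ERROR (curl {rc})")

def matrix(pods, targets=TARGETS, runner=run_curl):
    """Return {(pod, target): verdict} for every pod/target pair."""
    return {(pod, name): classify(runner(pod, url))
            for pod in pods for name, url in targets.items()}

def expect(results, expected):
    """Compare observed verdicts against an expected 'ALLOWED'/'DROPPED' map and
    return the mismatches, so a policy can be regression-checked after each change."""
    return [(k, expected[k], v) for k, v in results.items()
            if k in expected and not v.startswith(expected[k])]

if __name__ == "__main__":
    res = matrix(["deploy-7ffbfc5ff4-pjwlj", "client1", "client2"])
    res.update(matrix([None], {"nodeport": "192.168.0.10:30303"}))
    for (pod, name), verdict in res.items():
        print(f"{pod or 'host':26s} -> {name:9s} {verdict}")
```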
6.2 matchLabels policy
1. Create the NetworkPolicy:
File networkpolicy-matchlabel.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-matchlabel
spec:
  podSelector:
    matchLabels:
      run: deploy
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
    ports:
    - protocol: TCP
      port: 80
kubectl apply -f networkpolicy-matchlabel.yaml
No policyTypes is given, so it defaults to Ingress only: the run=deploy Pods become isolated for ingress and accept TCP port 80 only from Pods labelled access=true, while their egress is unchanged. Port 80 is the container port; the Service's 8080 is translated to 80 before the policy is evaluated.
2. List the NetworkPolicy:
kubectl get networkpolicy
3. Show the NetworkPolicy details:
kubectl describe networkpolicy networkpolicy-matchlabel
4. Access test:
(1) Access inside the cluster (unlabelled Pod):
kubectl run client1 --image=cirros sleep 3600
kubectl exec client1 -it -- sh
curl 10.97.10.66:8080 --connect-timeout 5
The unlabelled Pod cannot connect.
(2) Access inside the cluster (labelled Pod):
kubectl run client2 --image=cirros --labels="access=true" sleep 3600
kubectl exec client2 -it -- sh
curl 10.97.10.66:8080 --connect-timeout 5
The labelled Pod can connect.
(3) Access to outside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 192.168.0.100 --connect-timeout 5
(4) Access from outside:
curl 192.168.0.10:30303 --connect-timeout 5
5. Delete the NetworkPolicy:
kubectl delete -f networkpolicy-matchlabel.yaml
6.3 ipBlock policy
6.3.1 Allow all egress traffic from the Pods
1. Create the NetworkPolicy:
File networkpolicy-allow-all-egress.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-allow-all-egress
spec:
  podSelector:
    matchLabels:
      run: deploy
  policyTypes:
  - Egress
  egress:
  - {}
kubectl apply -f networkpolicy-allow-all-egress.yaml
policyTypes lists Egress and the single empty egress rule (- {}) matches every destination and port, so egress stays fully allowed; Ingress is not listed, so ingress is not isolated either.
2. List the NetworkPolicy:
kubectl get networkpolicy
3. Show the NetworkPolicy details:
kubectl describe networkpolicy networkpolicy-allow-all-egress
4. Access test:
(1) Access inside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 10.97.10.66:8080 --connect-timeout 5
(2) Access to outside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 192.168.0.100 --connect-timeout 5
(3) Access from outside:
curl 192.168.0.10:30303 --connect-timeout 5
5. Delete the NetworkPolicy:
kubectl delete -f networkpolicy-allow-all-egress.yaml
6.3.2 Allow all ingress traffic to the Pods
1. Create the NetworkPolicy:
File networkpolicy-allow-all-ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-allow-all-ingress
spec:
  podSelector:
    matchLabels:
      run: deploy
  policyTypes:
  - Ingress
  ingress:
  - {}
kubectl apply -f networkpolicy-allow-all-ingress.yaml
The empty ingress rule (- {}) matches every source and port, so ingress stays fully allowed; egress is not affected.
2. List the NetworkPolicy:
kubectl get networkpolicy
3. Show the NetworkPolicy details:
kubectl describe networkpolicy networkpolicy-allow-all-ingress
4. Access test:
(1) Access inside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 10.97.10.66:8080 --connect-timeout 5
(2) Access to outside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 192.168.0.100 --connect-timeout 5
(3) Access from outside:
curl 192.168.0.10:30303 --connect-timeout 5
5. Delete the NetworkPolicy:
kubectl delete -f networkpolicy-allow-all-ingress.yaml
6.3.3 Deny all egress traffic from the Pods
1. Create the NetworkPolicy:
File networkpolicy-deny-all-egress.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-deny-all-egress
spec:
  podSelector:
    matchLabels:
      run: deploy
  policyTypes:
  - Egress
kubectl apply -f networkpolicy-deny-all-egress.yaml
policyTypes lists Egress but no egress rules are given, so every outbound connection from the selected Pods is denied, DNS lookups included (the tests here use IP addresses, so that does not matter in this lab).
2. List the NetworkPolicy:
kubectl get networkpolicy
3. Show the NetworkPolicy details:
kubectl describe networkpolicy networkpolicy-deny-all-egress
4. Access test:
(1) Access inside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 10.97.10.66:8080 --connect-timeout 5
(2) Access to outside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 192.168.0.100 --connect-timeout 5
(3) Access from outside:
curl 192.168.0.10:30303 --connect-timeout 5
5. Delete the NetworkPolicy:
kubectl delete -f networkpolicy-deny-all-egress.yaml
6.3.4 Deny all ingress traffic to the Pods
1. Create the NetworkPolicy:
File networkpolicy-deny-all-ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-deny-all-ingress
spec:
  podSelector:
    matchLabels:
      run: deploy
  policyTypes:
  - Ingress
kubectl apply -f networkpolicy-deny-all-ingress.yaml
policyTypes lists Ingress with no ingress rules, so every inbound connection to the selected Pods is denied, including traffic arriving through the Service and the NodePort.
2. List the NetworkPolicy:
kubectl get networkpolicy
3. Show the NetworkPolicy details:
kubectl describe networkpolicy networkpolicy-deny-all-ingress
4. Access test:
(1) Access inside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 10.97.10.66:8080 --connect-timeout 5
(2) Access to outside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 192.168.0.100 --connect-timeout 5
(3) Access from outside:
curl 192.168.0.10:30303 --connect-timeout 5
5. Delete the NetworkPolicy:
kubectl delete -f networkpolicy-deny-all-ingress.yaml
6.3.5 Deny all traffic in both directions
1. Create the NetworkPolicy:
File networkpolicy-deny-all-both.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-deny-all-both
spec:
  podSelector:
    matchLabels:
      run: deploy
  policyTypes:
  - Ingress
  - Egress
kubectl apply -f networkpolicy-deny-all-both.yaml
Both directions are listed in policyTypes and neither has any rules, so the selected Pods are fully isolated.
2. List the NetworkPolicy:
kubectl get networkpolicy
3. Show the NetworkPolicy details:
kubectl describe networkpolicy networkpolicy-deny-all-both
4. Access test:
(1) Access inside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 10.97.10.66:8080 --connect-timeout 5
(2) Access to outside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 192.168.0.100 --connect-timeout 5
(3) Access from outside:
curl 192.168.0.10:30303 --connect-timeout 5
5. Delete the NetworkPolicy:
kubectl delete -f networkpolicy-deny-all-both.yaml
6.3.6 Allow selected egress traffic from the Pods
1. Create the NetworkPolicy:
File networkpolicy-allow-cidr-egress.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-allow-cidr-egress
spec:
  podSelector:
    matchLabels:
      run: deploy
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.0.100/32
    ports:
    - protocol: TCP
      port: 80
kubectl apply -f networkpolicy-allow-cidr-egress.yaml
Egress from the selected Pods is isolated, and the only rule allows TCP port 80 to the single external host 192.168.0.100/32; any other destination, including the Service ClusterIP, is denied.
2. List the NetworkPolicy:
kubectl get networkpolicy
3. Show the NetworkPolicy details:
kubectl describe networkpolicy networkpolicy-allow-cidr-egress
4. Access test:
(1) Access inside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 10.97.10.66:8080 --connect-timeout 5
(2) Access to outside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 192.168.0.100 --connect-timeout 5
(3) Access from outside:
curl 192.168.0.10:30303 --connect-timeout 5
5. Delete the NetworkPolicy:
kubectl delete -f networkpolicy-allow-cidr-egress.yaml
6.3.7 Allow selected ingress traffic to the Pods
1. Create the clients:
kubectl run clientx --image=cirros sleep 3600
kubectl run clienty --image=cirros sleep 3600
2. Look up the client Pod addresses:
kubectl get pod -o wide
3. Create the NetworkPolicy:
File networkpolicy-allow-cidr-ingress.yaml (the cidr is the Pod IP of one of the two clients from step 2):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-allow-cidr-ingress
spec:
  podSelector:
    matchLabels:
      run: deploy
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.244.189.120/32
    ports:
    - protocol: TCP
      port: 80
kubectl apply -f networkpolicy-allow-cidr-ingress.yaml
Only the client whose Pod IP is listed can reach TCP port 80; the other client is denied. Because Pod IPs change whenever a Pod is recreated, an ipBlock on a Pod IP is fragile; ipBlock is intended for addresses outside the cluster, and Pods are better selected with podSelector as in 6.2.
4. List the NetworkPolicy:
kubectl get networkpolicy
5. Show the NetworkPolicy details:
kubectl describe networkpolicy networkpolicy-allow-cidr-ingress
6. Access test:
(1) Access inside the cluster:
kubectl exec clientx -it -- sh
curl 10.97.10.66:8080 --connect-timeout 5
kubectl exec clienty -it -- sh
curl 10.97.10.66:8080 --connect-timeout 5
(2) Access to outside the cluster:
kubectl exec -it deploy-7ffbfc5ff4-pjwlj -- sh
curl 192.168.0.100 --connect-timeout 5
(3) Access from outside:
External access enters through a Worker node, where IPVS rewrites the source address, so this case only partly works: the ipBlock rule sees the translated address rather than the original client address.
7. Delete the NetworkPolicy:
kubectl delete -f networkpolicy-allow-cidr-ingress.yaml
8. Delete the Service:
kubectl delete -f service.yaml
9. Delete the Deployment:
kubectl delete -f deploy.yaml
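The policies in 6.2 and 6.3 all rely on the same few rules: a Pod is isolated in a direction only when a policy that selects it lists that direction in policyTypes (defaulting to Ingress, plus Egress when egress rules exist), rules from all such policies are OR-ed, an empty rule allows everything, and a connection needs both the sender's egress and the receiver's ingress side to allow it. The offline model below is an added example, not code from the original notes; the Pod names and IPs in it are constructed, and it ignores protocol since every flow in this lab is TCP.

```python
# Added example, not code from the original lab notes: an offline model of the
# NetworkPolicy semantics this page exercises. Pod names and IPs are constructed.
import ipaddress
# Constructed inventory: one Deployment pod, two clients, the external host (not a pod).
PODS = {
    "deploy": {"ip": "10.244.1.10", "labels": {"run": "deploy"}},
    "client1": {"ip": "10.244.189.121", "labels": {"run": "client1"}},
    "client2": {"ip": "10.244.189.120", "labels": {"run": "client2", "access": "true"}},
    "external": {"ip": "192.168.0.100", "labels": None},
}

def policy(name, **spec):
    """A policy selecting the run=deploy pods, as every policy on this page does."""
    return {"metadata": {"name": name},
            "spec": {"podSelector": {"matchLabels": {"run": "deploy"}}, **spec}}

def selects(selector, labels):
    """matchLabels {} selects every pod; a non-pod endpoint (labels None) never matches."""
    return labels is not None and all(
        labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, endpoint):
    """One from/to entry: a podSelector, or an ipBlock with an optional except list."""
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(endpoint["ip"]), peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(x) for x in blk.get("except", []))
    return selects(peer["podSelector"], endpoint["labels"])

def rule_allows(rule, endpoint, port, direction):
    """{} allows everything; no from/to means any peer, no ports means any port.
    Protocol is not modelled: every flow in this lab is TCP."""
    peers, ports = rule.get("from" if direction == "ingress" else "to"), rule.get("ports")
    return ((peers is None or any(peer_matches(p, endpoint) for p in peers))
            and (ports is None or any(p.get("port") == port for p in ports)))

def direction_allowed(policies, pod, other, port, direction):
    """Isolated only if a selecting policy lists the direction in policyTypes (default:
    Ingress always, Egress only with egress rules); then the union of rules must allow."""
    isolated = allowed = False
    for spec in (p["spec"] for p in policies):
        if not selects(spec["podSelector"], pod["labels"]):
            continue
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if direction.capitalize() in types:
            isolated = True
            allowed |= any(rule_allows(r, other, port, direction) for r in spec.get(direction, []))
    return allowed if isolated else True

def connection_allowed(policies, src, dst, port=80):
    """Both the source's egress side and the destination's ingress side must permit it."""
    s, d = PODS[src], PODS[dst]
    return (direction_allowed(policies, s, d, port, "egress")
            and direction_allowed(policies, d, s, port, "ingress"))
```

Feeding it the page's policies (written as the dicts their YAML loads to) reproduces the outcomes the lab observes, including that the 6.2 policy leaves egress untouched and that a deny-all policy plus an allow rule in a second policy still admits the allowed traffic.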