RBAC
[root@k8s-master rbac]# cat serviceaccount.yaml
---
# ServiceAccount that acts as the CI/CD identity inside the app-team1 namespace.
# It carries no permissions by itself; those come from the RoleBinding that
# names it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cicd-token
  namespace: app-team1
[root@k8s-master rbac]# cat clusterrolebinding.yaml
---
# Grants the ClusterRole deployment-clusterrole to the cicd-token ServiceAccount.
# The kind is RoleBinding, not ClusterRoleBinding (despite the file being called
# clusterrolebinding.yaml): a RoleBinding may reference a ClusterRole, and the
# resulting permissions then apply only within the binding's own namespace
# (app-team1), which keeps the grant namespace-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cicd-token
  namespace: app-team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deployment-clusterrole
subjects:
  - kind: ServiceAccount
    name: cicd-token
    namespace: app-team1
[root@k8s-master rbac]# cat clusterrole.yaml
---
# ClusterRole allowing only the `create` verb on the listed workload resources
# of the apps API group. A ClusterRole is not itself namespaced; where these
# permissions actually apply is decided by the binding that references it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-clusterrole
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - statefulsets
    verbs:
      - create
NetworkPolicy
需求：只允许 client1 访问 web 服务器的 80 端口，而 client2 则不能。
[root@k8s-master yaml]# cat deployment-2.yaml
---
# Target workload for the NetworkPolicy exercise: one nginx replica whose pods
# carry the label app=web, the label the policy's podSelector matches on.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  labels:
    app: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: nginx
          image: nginx:1.16
          # No CPU/memory requests or limits are declared here.
          resources: {}
[root@k8s-master yaml]# cat deployment-3.yaml
---
# Client that is expected to reach web:80. Its pods are labelled app=busybox1,
# which is the label the NetworkPolicy's ingress podSelector permits.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox1
  template:
    metadata:
      labels:
        app: busybox1
    spec:
      containers:
        - name: busybox1
          # NOTE(review): the image has no tag, so it resolves to the mutable
          # :latest tag; pin a tag or digest for reproducible deployments.
          image: busybox
          # Keeps the container alive (36000 s) so it can be used for connectivity tests.
          command:
            - 'sh'
            - '-c'
            - 'echo "Hello, Kubernetes!" && sleep 36000'
          resources: {}
[root@k8s-master yaml]# cat deployment-4.yaml
---
# Client that is expected to be blocked from web:80. Its pods are labelled
# app=busybox2, which the NetworkPolicy's ingress rule does not list.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox2
  template:
    metadata:
      labels:
        app: busybox2
    spec:
      containers:
        - name: busybox
          # NOTE(review): the image has no tag, so it resolves to the mutable
          # :latest tag; pin a tag or digest for reproducible deployments.
          image: busybox
          # Keeps the container alive (36000 s) so it can be used for connectivity tests.
          command:
            - 'sh'
            - '-c'
            - 'echo "Hello, Kubernetes!" && sleep 36000'
          resources: {}
部署 NetworkPolicy
[root@k8s-master yaml]# cat network.yaml
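---
# Restricts ingress to the web pods (app=web) in the default namespace so that
# only pods labelled app=busybox1 (client1) may reach TCP/80. Once this policy
# selects the web pods, every other source -- including client2 (app=busybox2)
# -- is denied, provided the cluster's CNI enforces NetworkPolicy.
#
# Change from the original: the `from` list also carried a separate
# `namespaceSelector` entry matching `project: defaults`. Entries in `from`
# are OR'ed, so that entry would have admitted every pod in any namespace
# carrying that label, contradicting the requirement that only client1 is
# allowed. It has been removed. A podSelector with no namespaceSelector
# matches pods in the policy's own namespace only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: busybox1
      ports:
        - protocol: TCP
          port: 80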
配置 Pod 之间的缺省规则为 block
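---
# Default-deny for ingress: the empty podSelector selects every pod in the
# namespace, and with policyTypes [Ingress] but no ingress rules, no inbound
# traffic is allowed unless another policy (e.g. test-network-policy) permits it.
#
# Change from the original: the namespace was implicit (taken from the kubectl
# context at apply time). It is now explicit, matching the sibling policy, so a
# deny-all cannot silently land in an unintended namespace.
# This policy says nothing about egress; add Egress to policyTypes if outbound
# traffic should default to deny as well.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress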