k8s网络插件calico实现网络隔离
文章目录
- 1、隔离模型
- 2、创建命名空间
- 3、创建网络访问策略
-
- 1、为default创建访问策略
- 2、为sub1和sub2创建访问策略
- 4、测试
-
- 4.1、创建pod
- 4.2、测试default中pod之间的通信
- 4.3、测试sub1中pod之间的通信
- 4.4、测试default中pod和sub1中pod之间的通信
- 4.5、测试default中pod和sub1中pod之间的通信
- 4.6、入网测试
- 总结
1、隔离模型
2、创建命名空间
创建明明空间sub1和sub2,分别打上对应标签ns:sub1和 ns:sub2
apiVersion: v1
kind: Namespace
metadata:
name: sub1
labels:
ns: sub1
---
apiVersion: v1
kind: Namespace
metadata:
name: sub2
labels:
ns: sub2
3、创建网络访问策略
.spec.PodSelector
顾名思义,它是pod选择器,基于标签选择与Network Policy处于同一namespace下的pod,如果pod被选中,则对其应用Network Policy中定义的规则。此为可选字段,当没有此字段时,表示选中所有pod。
.spec.PolicyTypes
Network Policy定义的规则可以分成两种,一种是入pod的Ingress规则,一种是出pod的Egress规则。本字段可以看作是一个开关,如果其中包含Ingress,则Ingress部分定义的规则生效,如果是Egress则Egress部分定义的规则生效,如果都包含则全部生效。当然此字段也可选,如果没有指定的话,则默认Ingress生效,如果Egress部分有定义的话,Egress才生效。怎么理解这句话,下文会提到,没有明确定义Ingress、Egress部分,它也是一种规则,默认规则而非没有规则。
.spec.ingress与.spec.egress
前者定义入pod规则,后者定义出pod规则,详细参考这里,这里只讲一下重点。上例中ingress与egress都只包含一条规则,两者都是数组,可以包含多条规则。当包含多条时,条目之间的逻辑关系是“或”,只要匹配其中一条就可以。.spec.ingress[].from
也是数组,数组成员对访问pod的外部source进行描述,符合条件的source才可以访问pod,有多种方法,如示例中的ip地址块、名称空间、pod标签等,数组中的成员也是逻辑或的关系。spec.ingress[].from.prots表示允许通过的协议及端口号。
.spec.egress.to定义的是pod想要访问的外部destination,其它与ingress相同。
.spec.ingress.to.namespaceSelector
namespace选择器,可以通过labels进行选择,此networkpolicy所属namespace下所有pod可以访问被选中的namespace下的pod
.spec.ingress.from.namespaceSelector
namespace选择器,可以通过labels进行选择,此networkpolicy所属namespace下所有pod可以被选中的namespace下的pod访问
1、为default创建访问策略
default中所有pod
只支持外网的入网和出网
屏蔽所有内网的出网和入网
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default
spec:
podSelector: {
}
ingress:
- from:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 172.1.0.0/12
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 172.1.0.0/12
policyTypes:
- Egress
- Ingress
2、为sub1和sub2创建访问策略
sub1和sub2相同
相比于default的访问策略
sub1和sub2中同一命名空间之中的pod可以相互访问
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: sub1
namespace: sub1
spec:
podSelector: {
}
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 172.1.0.0/12
- namespaceSelector:
matchLabels:
ns: sub1
ingress:
- from:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 172.1.0.0/12
- namespaceSelector:
matchLabels:
ns: sub1
policyTypes:
- Egress
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: sub2
namespace: sub2
spec:
podSelector: {
}
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 172.1.0.0/12
- namespaceSelector:
matchLabels:
ns: sub2
ingress:
- from:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 172.1.0.0/12
- namespaceSelector:
matchLabels:
ns: sub2
policyTypes:
- Egress
- Ingress
4、测试
- 测试出网情况,使用外网ip 106.13.118.232
- 测试同一命名空间下pod之间的访问
- 测试不同命名空间下pod之间的访问
- 测试外网的入网
4.1、创建pod
测试镜像为,vnc镜像
启动5个pod作为测试
开启hostPort端口映射,使用30001~30005主机端口
下面为pod模板
apiVersion: v1
kind: Pod
metadata:
#Pod的名称,全局唯一
name: ubuntu-vnc-1
namespace: default
spec:
containers:
#容器名称
- name: zyh
#容器对应的Docker Image
image: ubuntu-vnc:v2
#command: [ "/bin/bash", "-c", "--" ]
#args: [ "while true; do sleep 3600; done;" ]
ports:
- name: http
containerPort: 80
hostPort: 30001
protocol: TCP
创建pod对应ip
default ubuntu-vnc-1 172.11.205.146
default ubuntu-vnc-2 172.11.205.147
sub1 ubuntu-vnc-3 172.11.205.148
sub1 ubuntu-vnc-4 172.11.205.149
sub2 ubuntu-vnc-5 172.11.205.150
4.2、测试default中pod之间的通信
-
进入ubuntu-vnc-1中
#测试出网ping 106.13.118.232 root@ubuntu-vnc-1:/root# ping 106.13.118.232 PING 106.13.118.232 (106.13.118.232): 56 data bytes 64 bytes from 106.13.118.232: icmp_seq=0 ttl=52 time=28.637 ms 64 bytes from 106.13.118.232: icmp_seq=1 ttl=52 time=28.978 ms 64 bytes from 106.13.118.232: icmp_seq=2 ttl=52 time=31.893 ms 64 bytes from 106.13.118.232: icmp_seq=3 ttl=52 time=28.490 ms 64 bytes from 106.13.118.232: icmp_seq=4 ttl=52 time=27.679 ms 64 bytes from 106.13.118.232: icmp_seq=5 ttl=52 time=28.395 ms 64 bytes from 106.13.118.232: icmp_seq=6 ttl=52 time=28.359 ms 64 bytes from 106.13.118.232: icmp_seq=7 ttl=52 time=28.945 ms 64 bytes from 106.13.118.232: icmp_seq=8 ttl=52 time=28.167 ms 64 bytes from 106.13.118.232: icmp_seq=9 ttl=52 time=27.802 ms 64 bytes from 106.13.118.232: icmp_seq=10 ttl=52 time=27.804 ms 64 bytes from 106.13.118.232: icmp_seq=11 ttl=52 time=27.502 ms 64 bytes from 106.13.118.232: icmp_seq=12 ttl=52 time=27.933 ms 64 bytes from 106.13.118.232: icmp_seq=13 ttl=52 time=28.100 ms 64 bytes from 106.13.118.232: icmp_seq=14 ttl=52 time=28.016 ms 64 bytes from 106.13.118.232: icmp_seq=15 ttl=52 time=27.551 ms ^C--- 106.13.118.232 ping statistics --- 16 packets transmitted, 16 packets received, 0% packet loss round-trip min/avg/max/stddev = 27.502/28.391/31.893/1.005 ms #访问172.11.205.147 root@ubuntu-vnc-1:/root# ping 172.11.205.147 PING 172.11.205.147 (172.11.205.147): 56 data bytes ^C--- 172.11.205.147 ping statistics --- 25 packets transmitted, 0 packets received, 100% packet loss -
进入ubuntu-vnc-2中
#测试出网ping 106.13.118.232 root@ubuntu-vnc-2:/root# ping 106.13.118.232 PING 106.13.118.232 (106.13.118.232): 56 data bytes 64 bytes from 106.13.118.232: icmp_seq=0 ttl=52 time=28.881 ms 64 bytes from 106.13.118.232: icmp_seq=1 ttl=52 time=28.398 ms 64 bytes from 106.13.118.232: icmp_seq=2 ttl=52 time=28.302 ms 64 bytes from 106.13.118.232: icmp_seq=3 ttl=52 time=27.717 ms ^C--- 106.13.118.232 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 27.717/28.324/28.881/0.414 ms #访问172.11.205.146 root@ubuntu-vnc-2:/root# ping 172.11.205.146 PING 172.11.205.146 (172.11.205.146): 56 data bytes ^C--- 172.11.205.146 ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss -
可以看出,ubuntu-vnc-1和 ubuntu-vnc-2是相互隔离的,但是都可以访问外网
4.3、测试sub1中pod之间的通信
-
进入ubuntu-vnc-3中
#测试出网ping 106.13.118.232 root@ubuntu-vnc-3:/root# ping 106.13.118.232 PING 106.13.118.232 (106.13.118.232): 56 data bytes 64 bytes from 106.13.118.232: icmp_seq=0 ttl=52 time=29.570 ms 64 bytes from 106.13.118.232: icmp_seq=1 ttl=52 time=28.493 ms 64 bytes from 106.13.118.232: icmp_seq=2 ttl=52 time=28.178 ms 64 bytes from 106.13.118.232: icmp_seq=3 ttl=52 time=28.016 ms ^C--- 106.13.118.232 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 28.016/28.564/29.570/0.605 ms #访问172.11.205.149 root@ubuntu-vnc-3:/root# ping 172.11.205.149 PING 172.11.205.149 (172.11.205.149): 56 data bytes 64 bytes from 172.11.205.149: icmp_seq=0 ttl=63 time=0.203 ms 64 bytes from 172.11.205.149: icmp_seq=1 ttl=63 time=0.154 ms 64 bytes from 172.11.205.149: icmp_seq=2 ttl=63 time=0.125 ms 64 bytes from 172.11.205.149: icmp_seq=3 ttl=63 time=0.183 ms ^C--- 172.11.205.149 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.125/0.166/0.203/0.030 ms -
进入ubuntu-vnc-4中
#测试出网ping 106.13.118.232 root@ubuntu-vnc-4:/root# ping 106.13.118.232 PING 106.13.118.232 (106.13.118.232): 56 data bytes 64 bytes from 106.13.118.232: icmp_seq=0 ttl=52 time=29.126 ms 64 bytes from 106.13.118.232: icmp_seq=1 ttl=52 time=28.551 ms 64 bytes from 106.13.118.232: icmp_seq=2 ttl=52 time=28.755 ms 64 bytes from 106.13.118.232: icmp_seq=3 ttl=52 time=28.337 ms ^C--- 106.13.118.232 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 28.337/28.692/29.126/0.291 ms #访问172.11.205.148 root@ubuntu-vnc-4:/root# ping 172.11.205.148 PING 172.11.205.148 (172.11.205.148): 56 data bytes 64 bytes from 172.11.205.148: icmp_seq=0 ttl=63 time=0.174 ms 64 bytes from 172.11.205.148: icmp_seq=1 ttl=63 time=0.117 ms 64 bytes from 172.11.205.148: icmp_seq=2 ttl=63 time=0.092 ms 64 bytes from 172.11.205.148: icmp_seq=3 ttl=63 time=0.137 ms ^C--- 172.11.205.148 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.092/0.130/0.174/0.030 ms -
可以看出,sub1中的pod之间可以正常通信,且正常访问外网
4.4、测试default中pod和sub1中pod之间的通信
-
进入ubuntu-vnc-1
# ping 172.11.205.148 root@ubuntu-vnc-1:/root# ping 172.11.205.148 PING 172.11.205.148 (172.11.205.148): 56 data bytes ^C--- 172.11.205.148 ping statistics --- 15 packets transmitted, 0 packets received, 100% packet loss # ping 172.11.205.149 root@ubuntu-vnc-1:/root# ping 172.11.205.149 PING 172.11.205.149 (172.11.205.149): 56 data bytes ^C--- 172.11.205.149 ping statistics --- 6 packets transmitted, 0 packets received, 100% packet loss -
进入ubuntu-vnc-3
#ping 172.11.205.146 root@ubuntu-vnc-3:/root# ping 172.11.205.146 PING 172.11.205.146 (172.11.205.146): 56 data bytes ^C--- 172.11.205.146 ping statistics --- 12 packets transmitted, 0 packets received, 100% packet loss -
可以看出default中的pod和sub1中的pod无法通信
4.5、测试default中pod和sub1中pod之间的通信
-
进入ubuntu-vnc-5
# ping 172.11.205.148 root@ubuntu-vnc-5:/root# ping 172.11.205.148 PING 172.11.205.148 (172.11.205.148): 56 data bytes ^C--- 172.11.205.148 ping statistics --- 17 packets transmitted, 0 packets received, 100% packet loss # ping 172.11.205.149 root@ubuntu-vnc-5:/root# ping 172.11.205.149 PING 172.11.205.149 (172.11.205.149): 56 data bytes ^C--- 172.11.205.149 ping statistics --- 19 packets transmitted, 0 packets received, 100% packet loss -
进入ubuntu-vnc-3
# ping 172.11.205.150 root@ubuntu-vnc-3:/root# ping 170.11.25.150 PING 170.11.25.150 (170.11.25.150): 56 data bytes ^C--- 170.11.25.150 ping statistics --- 6 packets transmitted, 0 packets received, 100% packet loss -
可以看出sub1中的pod和sub2中的pod无法通信
4.6、入网测试
外网可以访问pod
总结
calico网络插件支持networkpolicy网络访问策略
通过networkpolicy可以控制pod之间的隔离通信,且支持外网访问