在同一个kubernetes集群中,所有的pod网络默认互相联通,默认情况下 Pod 是可以接收来自任何发送方的请求,也可以向任何接收方发送请求。而如果我们要对这个情况作出限制,就需要启动网络插件的策略功能,因为pod 默认都是开放的 底层网路是放行的,就必须通过 NetworkPolicy 对象来指定放行策略。

Namespaces 达到以下目的:
1 对用户做隔离
2 为用户分配配置
3 为资源定制访问策略
4 部署相似的应用或单个应用的不同版本

跨namespace Pod与Service通信

通过Service的ExternalName类型即可实现跨namespace名称空间与Service通信。
通过DNS来解析,不是通过IP地址访问。
Service域名格式:$(service name).$(namespace).svc.cluster.local,其中 cluster.local 为指定的集群的域名

  1. [root@k8s ~]# kubectl get pod -A
  2. NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
  3. default       busybox                                    1/1     Running   0          57s
  4. default       myweb-544b6f5455-lwl7z                     1/1     Running   0          15m
  5. kube-system   calico-kube-controllers-5978c5f6b5-7wbkf   1/1     Running   0          23m
  6. kube-system   calico-node-gdd9x                          1/1     Running   0          23m
  7. kube-system   coredns-7ff77c879f-f4r2h                   1/1     Running   0          36m
  8. kube-system   coredns-7ff77c879f-m29w6                   1/1     Running   0          36m
  9. kube-system   etcd-k8s                                   1/1     Running   1          36m
  10. kube-system   kube-apiserver-k8s                         1/1     Running   1          36m
  11. kube-system   kube-controller-manager-k8s                1/1     Running   2          36m
  12. kube-system   kube-proxy-xlz6x                           1/1     Running   3          36m
  13. kube-system   kube-scheduler-k8s                         1/1     Running   2          36m
  14. test          myapp-687598b8b4-mbxsz                     1/1     Running   0          13m
  15. uat           myapp-687598b8b4-5rlhc                     1/1     Running   0          13m
  18. [root@k8s ~]# kubectl get ssvc -A
  19. error: the server doesn't have a resource type "ssvc"
  20. [root@k8s ~]# kubectl get svc -A
  21. [root@k8s ~]# kubectl get svc -A
  22. NAMESPACE     NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
  23. default       kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP                  37m
  24. default       myweb        ClusterIP   10.96.171.251    <none>        80/TCP                   15m
  25. kube-system   kube-dns     ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP   37m
  26. test          myapp        ClusterIP   10.104.56.195    <none>        80/TCP                   13m
  27. uat           myapp        ClusterIP   10.107.250.146   <none>        80/TCP                   13m
  31. [root@k8s ~]# kubectl exec -it busybox  sh
  32. kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
  33. / # 
  34. / # ping 10.107.250.146
  35. PING 10.107.250.146 (10.107.250.146): 56 data bytes
  36. 64 bytes from 10.107.250.146: seq=0 ttl=64 time=10.061 ms
  37. 64 bytes from 10.107.250.146: seq=1 ttl=64 time=0.077 ms
  38. ^C
  39. --- 10.107.250.146 ping statistics ---
  40. 2 packets transmitted, 2 packets received, 0% packet loss
  41. round-trip min/avg/max = 0.077/5.069/10.061 ms
  42. / # ping 
  43. / # ping 10.104.56.195
  44. PING 10.104.56.195 (10.104.56.195): 56 data bytes
  45. 64 bytes from 10.104.56.195: seq=0 ttl=64 time=0.061 ms
  46. 64 bytes from 10.104.56.195: seq=1 ttl=64 time=0.071 ms
  47. ^C
  48. --- 10.104.56.195 ping statistics ---
  49. 2 packets transmitted, 2 packets received, 0% packet loss
  50. round-trip min/avg/max = 0.061/0.066/0.071 ms
  51. / # ping 172.16.77.5
  52. PING 172.16.77.5 (172.16.77.5): 56 data bytes
  53. 64 bytes from 172.16.77.5: seq=0 ttl=64 time=0.092 ms
  54. 64 bytes from 172.16.77.5: seq=1 ttl=64 time=0.076 ms
  55. ^C
  56. --- 172.16.77.5 ping statistics ---
  57. 2 packets transmitted, 2 packets received, 0% packet loss
  58. round-trip min/avg/max = 0.076/0.084/0.092 ms
  59. / # nslookup myapp.uat.svc.cluster.local
  60. / # nslookup myapp.uat.svc.cluster.local
  61. Server:    10.96.0.10
  62. Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local
  64. Name:      myapp.uat.svc.cluster.local
  65. Address 1: 10.107.250.146 myapp.uat.svc.cluster.local
  66. / # ping myapp.uat.svc.cluster.local
  67. PING myapp.uat.svc.cluster.local (10.107.250.146): 56 data bytes
  68. 64 bytes from 10.107.250.146: seq=0 ttl=64 time=0.034 ms
  69. 64 bytes from 10.107.250.146: seq=1 ttl=64 time=0.170 ms
  70. ^C
  71. --- myapp.uat.svc.cluster.local ping statistics ---
  72. 2 packets transmitted, 2 packets received, 0% packet loss
  73. round-trip min/avg/max = 0.034/0.102/0.170 ms
  74. / # 
  77. / # ping myapp.test.svc.cluster.local
  78. PING myapp.test.svc.cluster.local (10.104.56.195): 56 data bytes
  79. 64 bytes from 10.104.56.195: seq=0 ttl=64 time=0.068 ms
  80. 64 bytes from 10.104.56.195: seq=1 ttl=64 time=0.068 ms
  81. ^C
  82. --- myapp.test.svc.cluster.local ping statistics ---
  83. 2 packets transmitted, 2 packets received, 0% packet loss
  84. round-trip min/avg/max = 0.068/0.068/0.068 ms
  85. / # nslookup  myapp.test.svc.cluster.local
  86. Server:    10.96.0.10
  87. Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local
  89. Name:      myapp.test.svc.cluster.local
  90. Address 1: 10.104.56.195 myapp.test.svc.cluster.local
  91. / #

  1. bash-5.0# kubectl -n cicd-demo-project get pod |grep nacos
  2. cicd-demo-nacos-v1-685fbf8f57-pqtws             1/1     Running   0          3d19h
  3. nacos-0                                         1/1     Running   0          6d13h
  4. nacos-1                                         1/1     Running   0          6d13h
  5. nacos-2                                         1/1     Running   0          6d13h
  6. bash-5.0# kubectl -n cicd-demo-project get svc |grep nacos
  7. cicd-demo-nacos              NodePort    172.26.233.80    <none>        8848:31471/TCP        16d
  8. nacos-headless               ClusterIP   None             <none>        8848/TCP              6d16h
  9. bash-5.0# kubectl -n ur-api-test-project exec -it restcloud-gateway-4.5-5cd5679677-cx4mw sh
  10. kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
  11. /usr/local/apache-tomcat-8.5.55 # ping 172.26.233.80
  12. PING 172.26.233.80 (172.26.233.80): 56 data bytes
  13. 64 bytes from 172.26.233.80: seq=0 ttl=64 time=0.066 ms
  14. 64 bytes from 172.26.233.80: seq=1 ttl=64 time=0.058 ms
  15. 64 bytes from 172.26.233.80: seq=2 ttl=64 time=0.063 ms
  16. 64 bytes from 172.26.233.80: seq=3 ttl=64 time=0.072 ms
  17. 64 bytes from 172.26.233.80: seq=4 ttl=64 time=0.053 ms
  18. 64 bytes from 172.26.233.80: seq=5 ttl=64 time=0.059 ms
  19. ^C
  20. --- 172.26.233.80 ping statistics ---
  21. 6 packets transmitted, 6 packets received, 0% packet loss
  22. round-trip min/avg/max = 0.053/0.061/0.072 ms
  23. /usr/local/apache-tomcat-8.5.55 #
  28. /usr/local/apache-tomcat-8.5.55 # nslookup cicd-demo-nacos.cicd-demo-project.svc.cluster.local
  29. Server:         169.254.25.10
  30. Address:        169.254.25.10:53
  32. Non-authoritative answer:
  33. Name:   cicd-demo-nacos.cicd-demo-project.svc.cluster.local
  34. Address: 120.240.95.35
  36. Non-authoritative answer:
  37. *** Can't find cicd-demo-nacos.cicd-demo-project.svc.cluster.local: No answer
  39. /usr/local/apache-tomcat-8.5.55 #

华为云 CCE

设置命名空间级的网络策略

https://support.huaweicloud.com/usermanual-cce/cce_01_0286.html
kubesphere
https://kubesphere.com.cn/docs/project-administration/project-network-isolation
https://kubesphere.com.cn/docs/pluggable-components/network-policy

kubernetes
https://kubernetes.io/zh/docs/concepts/services-networking/dns-pod-service
https://blog.csdn.net/polywg/article/details/109814803
https://www.kubernetes.org.cn/1909.html

跨命名空间pod 访问service dns名称而不是clusterIP,dns记录不会变,IP地址会变。
[
https://blog.csdn.net/kongliand/article/details/114916990

](https://blog.csdn.net/kongliand/article/details/114916990)