1. 网络安全规则

1.关于网络安全规则

image.png

1. Firewall rules in kubernetes kubernetes 集群中的防火墙规则

2. Implemented by the Network Plugin CNI(Calico/Weave) 网络插件的实施方案

3. Namespace level 命名空间的级别

4. Restrict the ingress and/or Egress for a goup of pods based on certain rules and conditions 根据某些规则和条件限制一组Pod的进入和/或出口


注: 先决条件是必须使用支持NetworkPolicy的网络解决方案
默认状况下没有网络策略的状态并且:**

  1. by default every pod can access every pod 默认的可以访问任何pods
  2. pods are not isolated pods 不是孤立的

2. 常见的网络规则

1. 允许的其他Pod组(例外:Pod无法阻止对其自身的访问。都是靠pod标签实现的

1.1 允许包含某一组pod标签的pods组对外访问资源-egress出口

image.png

1.2 包含某一组pod标签的pods组允许被访问-ingress入口

image.png

2. 含有某一组pod标签的pods组允许来自含有一组namespace标签的服务访问

image.png

3. IP块(例外:始终允许往返运行Pod的节点的流量,无论Pod或节点的IP地址如何)

image.png

3. 练习题

1. Create Default Deny NetworkPolicy—创建一个默认的拒绝的网络规则

image.png

解析:
如上:使用nginx标准镜像创建两个pod,对外暴露80端口,进入两个容器curl对方返回index.html验证容器是互通 的。

  1. root@cks-master:~# kubectl run frontend --image=nginx
  2. pod/frontend created
  3. root@cks-master:~# kubectl run backend --image=nginx
  4. pod/backend created
  5. root@cks-master:~# kubectl expose pods frontend --port=80
  6. service/frontend exposed
  7. root@cks-master:~# kubectl expose pods backend --port=80
  8. service/backend exposed
  9. root@cks-master:~# kubectl get pods,svc 
  10. NAME           READY   STATUS    RESTARTS   AGE
  11. pod/backend    1/1     Running   0          34s
  12. pod/frontend   1/1     Running   0          39s
  14. NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
  15. service/backend      ClusterIP   10.104.226.85   <none>        80/TCP    7s
  16. service/frontend     ClusterIP   10.98.161.118   <none>        80/TCP    16s
  17. service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   37d
  18. root@cks-master:~# kubectl exec frontend curl backend
  19. kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  20.   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
  21.                                  Dload  Upload   Total   Spent    Left  Speed
  22.   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<!DOCTYPE html>
  23. <html>
  24. <head>
  25. <title>Welcome to nginx!</title>
  26. <style>
  27.     body {
  28.         width: 35em;
  29.         margin: 0 auto;
  30.         font-family: Tahoma, Verdana, Arial, sans-serif;
  31.     }
  32. </style>
  33. </head>
  34. <body>
  35. <h1>Welcome to nginx!</h1>
  36. <p>If you see this page, the nginx web server is successfully installed and
  37. working. Further configuration is required.</p>
  39. <p>For online documentation and support please refer to
  40. <a href="http://nginx.org/">nginx.org</a>.<br/>
  41. Commercial support is available at
  42. <a href="http://nginx.com/">nginx.com</a>.</p>
  44. <p><em>Thank you for using nginx.</em></p>
  45. </body>
  46. </html>
  47. 100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k
  48.  root@cks-master:~# kubectl exec backend curl frontend
  49. kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  50.   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
  51.                                  Dload  Upload   Total   Spent    Left  Speed
  52. 100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k
  53. <!DOCTYPE html>
  54. <html>
  55. <head>
  56. <title>Welcome to nginx!</title>
  57. <style>
  58.     body {
  59.         width: 35em;
  60.         margin: 0 auto;
  61.         font-family: Tahoma, Verdana, Arial, sans-serif;
  62.     }
  63. </style>
  64. </head>
  65. <body>
  66. <h1>Welcome to nginx!</h1>
  67. <p>If you see this page, the nginx web server is successfully installed and
  68. working. Further configuration is required.</p>
  70. <p>For online documentation and support please refer to
  71. <a href="http://nginx.org/">nginx.org</a>.<br/>
  72. Commercial support is available at
  73. <a href="http://nginx.com/">nginx.com</a>.</p>
  75. <p><em>Thank you for using nginx.</em></p>
  76. </body>
  77. </html>

image.png

进入kubernetes官方文档找到网络策略页面,(https://kubernetes.io/docs/concepts/services-networking/network-policies/)找到实例copy内容。
image.png

划重点:复制粘贴到vim时候yaml代码出现缩进错乱问题,so找到了下面解决的办法:

https://blog.csdn.net/annita2019/article/details/108924928

image.png

  1. root@cks-master:~/work# vim default-deny.yaml
  2. root@cks-master:~/work# kubectl apply -f default-deny.yaml 
  3. networkpolicy.networking.k8s.io/default-deny created
  4. root@cks-master:~/work# cat default-deny.yaml 
  5. apiVersion: networking.k8s.io/v1
  6. kind: NetworkPolicy
  7. metadata:
  8.   name: default-deny
  9.   namespace: default
  10. spec:
  11.   podSelector: {}
  12.   policyTypes:
  13.   - Ingress
  14.   - Egress
  15. root@cks-master:~/work# kubectl exec frontend curl backend
  16. kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  17.   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
  18.                                  Dload  Upload   Total   Spent    Left  Speed
  19.   0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0^C
  20. root@cks-master:~/work# kubectl exec backend curl frontend
  21. kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
  22.   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
  23.                                  Dload  Upload   Total   Spent    Left  Speed
  24.   0     0    0     0    0     0      0      0 --:--:--  0:00:19 --:--:--     0curl: (6) Could not resolve host: frontend
  25. command terminated with exit code 6

image.png
通过以上例子验证了通过default-deny 网络策略实现了backend 和frontend两个服务实现了拒绝访问。

2. Allow frontend pods to talk to backend pods-允许符合frontend标签的pod与带有backend标签的pod组会话。

我觉得这个地方稍微要复杂下入如下图
image.png

# cat backend.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend

 ### cat frontend.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: backend

关于matchLabels的由来:
image.png
kubectl apply -f backend.yaml
kubectl apply -f frontend.yaml
但是还是不通,为什么呢?
image.png

image.png
忽略了一个本质,没有放通域名解析服务,不知道还记得默认的dns端口吗?kubernetes内部的服务的解析是靠coredns来完成的,当然了老的版本还有过kube-dns?skydns没有记错的话。so要允许dns协议。

##  deny.yaml##
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    ports:
      - port: 53
        protocol: TCP
      - port: 53
        protocol: UDP

image.png

3. based on namespaceSelector-基于命名空间标签允许backend标签的pod去访问符合namespace标签的应用

image.png

关于namespace的labels(默认建立是没有的,可以自己添加)
image.png
image.png
image.png

image.png
image.png