1. Network security rules (NetworkPolicy)

1. About network security rules


1. Firewall rules in Kubernetes: the firewall rules of a Kubernetes cluster

2. Implemented by the network plugin (CNI, e.g. Calico/Weave)

3. Namespace level: NetworkPolicy objects are namespaced

4. Restrict the ingress and/or egress for a group of pods based on certain rules and conditions


Note:
Prerequisite: the cluster must use a network solution that supports NetworkPolicy.
By default, when no network policy exists:

  1. by default every pod can access every pod
  2. pods are not isolated

2. Common network rules

1. Allowing other groups of pods (exception: a pod cannot block access to itself). Pod groups are always selected by pod labels.

1.1 Allow a group of pods carrying a given set of pod labels to reach external resources (egress)

1.2 Allow a group of pods carrying a given set of pod labels to be reached (ingress)

2. Allow a group of pods carrying a given set of pod labels to be reached by workloads in namespaces carrying a given set of namespace labels

3. IP blocks (exception: traffic to and from the node that runs the pod is always allowed, regardless of the pod's or the node's IP address)

3. Exercises

1. Create Default Deny NetworkPolicy: create a default-deny network policy

Analysis:
As shown above: create two pods from the standard nginx image, expose port 80 on each, then exec into each container and curl the other; the index.html that comes back shows the two containers can reach each other.

  root@cks-master:~# kubectl run frontend --image=nginx
  pod/frontend created
  root@cks-master:~# kubectl run backend --image=nginx
  pod/backend created
  root@cks-master:~# kubectl expose pods frontend --port=80
  service/frontend exposed
  root@cks-master:~# kubectl expose pods backend --port=80
  service/backend exposed
  root@cks-master:~# kubectl get pods,svc
  NAME           READY   STATUS    RESTARTS   AGE
  pod/backend    1/1     Running   0          34s
  pod/frontend   1/1     Running   0          39s
  NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
  service/backend      ClusterIP   10.104.226.85   <none>        80/TCP    7s
  service/frontend     ClusterIP   10.98.161.118   <none>        80/TCP    16s
  service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   37d
  root@cks-master:~# kubectl exec frontend curl backend
  kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to nginx!</title>
  <style>
  body {
  width: 35em;
  margin: 0 auto;
  font-family: Tahoma, Verdana, Arial, sans-serif;
  }
  </style>
  </head>
  <body>
  <h1>Welcome to nginx!</h1>
  <p>If you see this page, the nginx web server is successfully installed and
  working. Further configuration is required.</p>
  <p>For online documentation and support please refer to
  <a href="http://nginx.org/">nginx.org</a>.<br/>
  Commercial support is available at
  <a href="http://nginx.com/">nginx.com</a>.</p>
  <p><em>Thank you for using nginx.</em></p>
  </body>
  </html>
  100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k
  root@cks-master:~# kubectl exec backend curl frontend
  kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   612  100   612    0     0   298k      0 --:--:-- --:--:-- --:--:--  298k
  <!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to nginx!</title>
  <style>
  body {
  width: 35em;
  margin: 0 auto;
  font-family: Tahoma, Verdana, Arial, sans-serif;
  }
  </style>
  </head>
  <body>
  <h1>Welcome to nginx!</h1>
  <p>If you see this page, the nginx web server is successfully installed and
  working. Further configuration is required.</p>
  <p>For online documentation and support please refer to
  <a href="http://nginx.org/">nginx.org</a>.<br/>
  Commercial support is available at
  <a href="http://nginx.com/">nginx.com</a>.</p>
  <p><em>Thank you for using nginx.</em></p>
  </body>
  </html>


Open the Network Policies page of the official Kubernetes documentation (https://kubernetes.io/docs/concepts/services-networking/network-policies/), find the example there and copy its content.

Key point: when the YAML was pasted into vim its indentation got scrambled, so I found the following solution:

https://blog.csdn.net/annita2019/article/details/108924928

  root@cks-master:~/work# vim default-deny.yaml
  root@cks-master:~/work# kubectl apply -f default-deny.yaml
  networkpolicy.networking.k8s.io/default-deny created
  root@cks-master:~/work# cat default-deny.yaml
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: default-deny
    namespace: default
  spec:
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
  root@cks-master:~/work# kubectl exec frontend curl backend
  kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0^C
  root@cks-master:~/work# kubectl exec backend curl frontend
  kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:--  0:00:19 --:--:--     0curl: (6) Could not resolve host: frontend
  command terminated with exit code 6

The example above confirms that, with the default-deny network policy applied, access between the backend and frontend services is denied.

2. Allow frontend pods to talk to backend pods: allow pods carrying the frontend label to talk to the group of pods carrying the backend label.

I think this part is a bit more complicated, as shown in the figure below.

# cat backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend          # policy applies to the backend pod
  policyTypes:
  - Ingress                 # only ingress to backend is governed here
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend     # accept traffic from the frontend pod
# cat frontend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend         # policy applies to the frontend pod
  policyTypes:
  - Egress                  # only egress from frontend is governed here
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: backend      # allow traffic towards the backend pod

Where the matchLabels values come from (kubectl run puts the label run=<pod name> on the pod it creates):
kubectl apply -f backend.yaml
kubectl apply -f frontend.yaml
But it still does not work. Why?

One fundamental thing was overlooked: DNS resolution was never allowed through. Remember the default DNS port? Service name resolution inside Kubernetes is done by CoreDNS (older versions used kube-dns, and SkyDNS before that, if I remember correctly), so DNS traffic has to be allowed.

# cat deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny
  namespace: default
spec:
  podSelector: {}           # applies to every pod in the namespace
  policyTypes:
  - Egress
  - Ingress                 # no ingress rules listed: all ingress is denied
  egress:
  - ports:                  # no "to" block: port 53 is allowed to any destination
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
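The deny.yaml above opens port 53 to any destination, which is wider than the cluster DNS needs. As an added example (not from the original post), here is the same default-deny policy with the DNS exception narrowed to the CoreDNS pods in kube-system. It assumes the standard labels kubernetes.io/metadata.name=kube-system on the namespace (set automatically since Kubernetes 1.21) and k8s-app=kube-dns on the CoreDNS pods; confirm both before applying, as the comments describe.

```yaml
# Added example (not the post's own manifest): default deny for every pod
# in "default", with egress allowed only to the cluster DNS pods.
# Assumed labels, check them first:
#   kubectl get ns kube-system --show-labels      # kubernetes.io/metadata.name=kube-system
#   kubectl -n kube-system get pods --show-labels # k8s-app=kube-dns on the CoreDNS pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-allow-dns
  namespace: default
spec:
  podSelector: {}            # every pod in the namespace
  policyTypes:
  - Ingress                  # no ingress rules: all ingress denied
  - Egress
  egress:
  - to:
    # namespaceSelector and podSelector in the SAME list element are ANDed:
    # only kube-dns pods that live in kube-system match.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```

Apply it with kubectl apply -f in place of deny.yaml and repeat the curl test from the frontend pod: name resolution works again, while any other egress destination stays blocked. Policies are additive (the allowed set is the union of all matching policies), so backend.yaml and frontend.yaml keep working alongside this one. If the cluster runs a different DNS deployment, the two labels are the only lines that need changing.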


3. Based on namespaceSelector: using namespace labels, allow pods carrying the backend label to reach applications in namespaces that match a given namespace label

About namespace labels (a namespace is created without custom labels; you can add your own):

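Section 3 above keeps its manifests in screenshots, so here is an added example (constructed for this page, not the post's own YAML) of a namespaceSelector-based policy in the direction the heading describes: pods labelled run=backend in default may reach a database in another namespace that is selected by a namespace label. The namespace name data, the label team=data, the pod label app=postgres and port 5432 are all assumed values chosen for the example.

```yaml
# Added example (not the post's own manifests). First the target namespace,
# labelled at creation; the same label could be added later with
#   kubectl label ns data team=data
apiVersion: v1
kind: Namespace
metadata:
  name: data                 # assumed namespace name
  labels:
    team: data               # assumed namespace label the policy selects on
---
# Egress policy for the backend pod in "default"
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-to-data
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend           # label set by "kubectl run backend"
  policyTypes:
  - Egress                   # ingress to backend is left to other policies
  egress:
  - to:
    # Both selectors in ONE list element: the destination pod must be in a
    # namespace labelled team=data AND carry app=postgres.
    - namespaceSelector:
        matchLabels:
          team: data
      podSelector:
        matchLabels:
          app: postgres      # assumed label on the database pod
    ports:
    - port: 5432             # assumed database port
      protocol: TCP
```

Two points worth checking when writing this kind of rule. First, had podSelector been written as its own "- podSelector:" entry under to, the two entries would be ORed, and that podSelector would match pods in the policy's own namespace (default), not in data. Second, this policy only governs egress from default: if the data namespace has a default-deny of its own, a matching ingress policy there is still required, and DNS egress for the backend pod must still be allowed by another policy such as deny.yaml above, since the allowed set is the union of all policies that select a pod.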