-
网络策略实战
网络策略实战
在命名空间 dev 中创建⽹络策略 dev-policy,只允许 命名空间 prod 中的 pod 连上 dev 中 pod 的 80 端⼝,注意:这⾥有 2 个 ns ,⼀个为 dev(⽬标pod的ns),另外⼀个为prod(访 问源pod的ns)
🔋创建命名空间
首先创建两个命名空间dev和prod:
root@k8s-master:~# kubectl create namespace dev namespace/dev created root@k8s-master:~# kubectl create namespace prod namespace/prod created #查看已存在的命名空间 root@k8s-master:~# kubectl get namespaces --show-labels NAME STATUS AGE LABELS app-team1 Active 673d kubernetes.io/metadata.name=app-team1 default Active 688d kubernetes.io/metadata.name=default dev Active 34m kubernetes.io/metadata.name=dev fubar Active 673d kubernetes.io/metadata.name=fubar ing-internal Active 673d kubernetes.io/metadata.name=ing-internal ingress-nginx Active 672d app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx,kubernetes.io/metadata.name=ingress-nginx kube-node-lease Active 688d kubernetes.io/metadata.name=kube-node-lease kube-public Active 688d kubernetes.io/metadata.name=kube-public kube-system Active 688d kubernetes.io/metadata.name=kube-system kubesphere-system Active 26h kubernetes.io/metadata.name=kubesphere-system my-app Active 673d kubernetes.io/metadata.name=my-app,name=my-app prod Active 34m kubernetes.io/metadata.name=prod- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
🔌在两个命名空间生成Pod
这里使用Deployment生成Pod
首先在dev空间生成Pod:
dev-deploy.ymlapiVersion: apps/v1 kind: Deployment metadata: name: dev-deploy namespace: dev spec: replicas: 1 selector: matchLabels: app: dev-pod template: metadata: labels: app: dev-pod spec: containers: - name: nginx image: nginx:latest ports: - containerPort: 80- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
root@k8s-master:~# vim dev-depoly.yml root@k8s-master:~# kubectl apply -f dev-depoly.yml deployment.apps/dev-deploy created- 1
- 2
- 3
- 4
查看Pod信息:
root@k8s-master:~# kubectl get pod -n dev -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES dev-deploy-6dccc6d68c-rqzrr 1/1 Running 0 39s 10.244.169.162 k8s-node2- 1
- 2
- 3
- 4
然后在prod生成Pod:
prod-pod.ymlapiVersion: apps/v1 kind: Deployment metadata: name: prod-deploy namespace: prod spec: replicas: 1 selector: matchLabels: app: prod-pod template: metadata: labels: app: prod-pod spec: containers: - name: nginx image: nginx:latest ports: - containerPort: 80- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
root@k8s-master:~# vim prod-deploy.yml root@k8s-master:~# kubectl apply -f prod-deploy.yml deployment.apps/prod-deploy created- 1
- 2
- 3
- 4
查看Pod信息:
root@k8s-master:~# kubectl get pod -n prod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES prod-deploy-7559496b85-8frb9 1/1 Running 0 65s 10.244.169.163 k8s-node2- 1
- 2
- 3
- 4
🖨️设置网络策略
在命名空间dev中设置网络策略
目标:dev
访问:prod
设置入口隔离规则:
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: dev-policy namespace: dev spec: podSelector: matchLabels: app: dev-pod policyTypes: - Ingress #因为是外部访问,所以设置dev的入口隔离 ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: prod - podSelector: matchLabels: {} #选择prod所有Pod ports: - protocol: TCP port: 80- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
设置网络策略:
root@k8s-master:~# vim dev-policy.yml root@k8s-master:~# kubectl apply -f dev-policy.yml networkpolicy.networking.k8s.io/dev-policy created- 1
- 2
- 3
- 4
查看网络策略:
root@k8s-master:~# kubectl describe networkpolicy -n dev Name: dev-policy Namespace: dev Created on: 2023-10-27 17:59:26 +0800 CST Labels:Annotations: Spec: PodSelector: app=dev-pod Allowing ingress traffic: To Port: 80/TCP From: NamespaceSelector: kubernetes.io/metadata.name=prod From: PodSelector: Not affecting egress traffic Policy Types: Ingress - 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
进入prod的Pod里的容器里:
root@k8s-master:~# kubectl get pod -n prod --show-labels NAME READY STATUS RESTARTS AGE LABELS prod-deploy-7559496b85-8frb9 1/1 Running 0 25m app=prod-pod,pod-template-hash=7559496b85 root@k8s-master:~# kubectl exec -it prod-deploy-7559496b85-8frb9 -n prod -- /bin/bash #访问dev-pod的ip 默认80端口 root@prod-deploy-7559496b85-8frb9:/# curl 10.244.169.162 <!DOCTYPE html>Welcome to nginx!<<span class="token operator">/</span>title> <style> html <span class="token punctuation">{<!-- --></span> color-scheme: light dark<span class="token punctuation">;</span> <span class="token punctuation">}</span> body <span class="token punctuation">{<!-- --></span> width: 35em<span class="token punctuation">;</span> margin: 0 auto<span class="token punctuation">;</span> font-family: Tahoma<span class="token punctuation">,</span> Verdana<span class="token punctuation">,</span> Arial<span class="token punctuation">,</span> sans-serif<span class="token punctuation">;</span> <span class="token punctuation">}</span> <<span class="token operator">/</span>style> <<span class="token operator">/</span>head> <body> <h1>Welcome to nginx!<<span class="token operator">/</span>h1> <p><span class="token keyword">If</span> you see this page<span class="token punctuation">,</span> the nginx web server is successfully installed and working<span class="token punctuation">.</span> Further configuration is required<span class="token punctuation">.</span><<span class="token operator">/</span>p> <p><span class="token keyword">For</span> online documentation and support please refer to <a href=<span class="token string">"http://nginx.org/"</span>>nginx<span class="token punctuation">.</span>org<<span class="token operator">/</span>a><span class="token punctuation">.</span><br/> Commercial support is available at <a href=<span class="token string">"http://nginx.com/"</span>>nginx<span class="token punctuation">.</span>com<<span class="token operator">/</span>a><span class="token punctuation">.</span><<span class="token operator">/</span>p> <p><em>Thank you <span class="token keyword">for</span> <span class="token keyword">using</span> nginx<span class="token punctuation">.</span><<span class="token operator">/</span>em><<span class="token operator">/</span>p> <<span class="token operator">/</span>body> <<span class="token operator">/</span>html> <span class="token comment">#尝试访问其他端口 因为没有添加策略所以无法访问</span> root@prod-deploy-7559496b85-8frb9:<span class="token operator">/</span><span class="token comment"># curl 10.244.169.162:8080</span> curl: <span class="token punctuation">(</span>28<span class="token punctuation">)</span> Failed to connect to 10<span class="token punctuation">.</span>244<span class="token punctuation">.</span>169<span class="token punctuation">.</span>162 port 8080: Connection timed out <div class="hljs-button signin active" data-title="登录复制" data-report-click="{"spm":"1001.2101.3001.4334"}"></div></code><div class="hide-preCode-box"><span class="hide-preCode-bt" data-report-view="{"spm":"1001.2101.3001.7365"}"><img class="look-more-preCode contentImg-no-view" src="https://1000bd.com/contentImg/2022/06/27/191644837.png" alt="" title=""></span></div><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li><li style="color: rgb(153, 153, 153);">2</li><li style="color: rgb(153, 153, 153);">3</li><li style="color: rgb(153, 153, 153);">4</li><li style="color: rgb(153, 153, 153);">5</li><li style="color: rgb(153, 153, 153);">6</li><li style="color: rgb(153, 153, 153);">7</li><li style="color: rgb(153, 153, 153);">8</li><li style="color: rgb(153, 153, 153);">9</li><li style="color: rgb(153, 153, 153);">10</li><li style="color: rgb(153, 153, 153);">11</li><li style="color: rgb(153, 153, 153);">12</li><li style="color: rgb(153, 153, 153);">13</li><li style="color: rgb(153, 153, 153);">14</li><li style="color: rgb(153, 153, 153);">15</li><li style="color: rgb(153, 153, 153);">16</li><li style="color: rgb(153, 153, 153);">17</li><li style="color: rgb(153, 153, 153);">18</li><li style="color: rgb(153, 153, 153);">19</li><li style="color: rgb(153, 153, 153);">20</li><li style="color: rgb(153, 153, 153);">21</li><li style="color: rgb(153, 153, 153);">22</li><li style="color: rgb(153, 153, 153);">23</li><li style="color: rgb(153, 153, 153);">24</li><li style="color: rgb(153, 153, 153);">25</li><li style="color: rgb(153, 153, 153);">26</li><li style="color: rgb(153, 153, 153);">27</li><li style="color: rgb(153, 153, 153);">28</li><li style="color: rgb(153, 153, 153);">29</li><li style="color: rgb(153, 153, 153);">30</li><li style="color: rgb(153, 153, 153);">31</li><li style="color: rgb(153, 153, 153);">32</li><li style="color: rgb(153, 153, 153);">33</li><li style="color: rgb(153, 153, 153);">34</li></ul></pre> </div> </div> </li> <li class="list-group-item ul-li"> <b>相关阅读:</b><br> <nobr> <a href="/Article/Index/867824">springboot基于BS结构的企业人事管理系统的设计与实现毕业设计源码121727</a> <br /> <a href="/Article/Index/815600">从零编写linux0.11 - 第八章 软盘操作</a> <br /> <a href="/Article/Index/1332889">Qt的QObject类</a> <br /> <a href="/Article/Index/821974">若依(ruoyi)之thymeleaf与jsp共存解决方案</a> <br /> <a href="/Article/Index/1276951">docker compose 搭建分片集群</a> <br /> <a href="/Article/Index/1414370">postgis ST_CoverageInvalidEdges用法</a> <br /> <a href="/Article/Index/1057084">element-ui upload图片上传组件使用</a> <br /> <a href="/Article/Index/1327995">【内网穿透】在Ubuntu搭建Web小游戏网站,并将其发布到公网访问</a> <br /> <a href="/Article/Index/859223">关于 ‘cosylocal‘ 进程占满内存的问题</a> <br /> <a href="/Article/Index/931415">kubernetes之基于ServiceAccount拉取私有镜像</a> <br /> </nobr> </li> <li class="list-group-item from-a mb-2"> 原文地址:https://blog.csdn.net/weixin_51882166/article/details/134081796 </li> </ul> </div> <div class="col-lg-4 col-sm-12"> <ul class="list-group" style="word-break:break-all;"> <li class="list-group-item ul-li-bg" aria-current="true"> 最新文章 </li> <li class="list-group-item ul-li"> <nobr> <a href="/Article/Index/1484446">攻防演习之三天拿下官网站群</a> <br /> <a href="/Article/Index/1515268">数据安全治理学习——前期安全规划和安全管理体系建设</a> <br /> <a href="/Article/Index/1759065">企业安全 | 企业内一次钓鱼演练准备过程</a> <br /> <a href="/Article/Index/1485036">内网渗透测试 | Kerberos协议及其部分攻击手法</a> <br /> <a href="/Article/Index/1877332">0day的产生 | 不懂代码的"代码审计"</a> <br /> <a href="/Article/Index/1887576">安装scrcpy-client模块av模块异常,环境问题解决方案</a> <br /> <a href="/Article/Index/1887578">leetcode hot100【LeetCode 279. 完全平方数】java实现</a> <br /> <a href="/Article/Index/1887512">OpenWrt下安装Mosquitto</a> <br /> <a href="/Article/Index/1887520">AnatoMask论文汇总</a> <br /> <a href="/Article/Index/1887496">【AI日记】24.11.01 LangChain、openai api和github copilot</a> <br /> </nobr> </li> </ul> <ul class="list-group pt-2" style="word-break:break-all;"> <li class="list-group-item ul-li-bg" aria-current="true"> 热门文章 </li> <li class="list-group-item ul-li"> <nobr> <a href="/Article/Index/888177">十款代码表白小特效 一个比一个浪漫 赶紧收藏起来吧!!!</a> <br /> <a href="/Article/Index/797680">奉劝各位学弟学妹们,该打造你的技术影响力了!</a> <br /> <a href="/Article/Index/888183">五年了,我在 CSDN 的两个一百万。</a> <br /> <a href="/Article/Index/888179">Java俄罗斯方块,老程序员花了一个周末,连接中学年代!</a> <br /> <a href="/Article/Index/797730">面试官都震惊,你这网络基础可以啊!</a> <br /> <a href="/Article/Index/797725">你真的会用百度吗?我不信 — 那些不为人知的搜索引擎语法</a> <br /> <a href="/Article/Index/797702">心情不好的时候,用 Python 画棵樱花树送给自己吧</a> <br /> <a href="/Article/Index/797709">通宵一晚做出来的一款类似CS的第一人称射击游戏Demo!原来做游戏也不是很难,连憨憨学妹都学会了!</a> <br /> <a href="/Article/Index/797716">13 万字 C 语言从入门到精通保姆级教程2021 年版</a> <br /> <a href="/Article/Index/888192">10行代码集2000张美女图,Python爬虫120例,再上征途</a> <br /> </nobr> </li> </ul> </div> </div> </div> <!-- 主体 --> <!--body结束--> <!--这里是footer模板--> <!--footer--> <nav class="navbar navbar-inverse navbar-fixed-bottom"> <div class="container"> <div class="row"> <div class="col-md-12"> <div class="text-muted center foot-height"> Copyright © 2022 侵权请联系<a href="mailto:2656653265@qq.com">2656653265@qq.com</a> <a href="https://beian.miit.gov.cn/" target="_blank">京ICP备2022015340号-1</a> </div> <div style="width:300px;margin:0 auto; padding:0px 5px;"> <a href="/regex.html">正则表达式工具</a> <a href="/cron.html">cron表达式工具</a> <a href="/pwdcreator.html">密码生成工具</a> </div> <div style="width:300px;margin:0 auto; padding:5px 0;"> <a target="_blank" href="http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=11010502049817" style="display:inline-block;text-decoration:none;height:20px;line-height:20px;"> <img src="" style="float:left;" /><p style="float:left;height:20px;line-height:20px;margin: 0px 0px 0px 5px; color:#939393;">京公网安备 11010502049817号</p></a> </div> </div> </div> </div> </nav> <!--footer--> <!--footer模板结束--> <script src="/js/plugins/jquery/jquery.js"></script> <script src="/js/bootstrap.min.js"></script> <!--这里是scripts模板--> <!--scripts模板结束--> </body> </html>
