Network policy:設置pod進出網絡的策略,k8s本身並不支持,主要靠以下網絡插件來支持。
- calico
- Romana
- Weave
network policy 策略模型
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978
上述規則意思如下:
入站
- default namespace下含有label role=db的pod,不滿足ingress和exgress的網絡訪問(出去,進入)都會被拒絕
- default namespace下含有label role=db的pod,172.17.0.0/16(除去172.17.1.0/24)的網絡可以訪問,其他的都被拒絕
- default namespace下含有label role=db的pod,在label爲project=myproject的namespace下都能訪問到
+default namespace下含有label role=db的pod,在default namespace下只有label爲role=frontend的pod能訪問 - ports 爲只能訪問的port,不寫所有ports都能訪問
出站
- default namespace下含label爲role=db的pod,只能訪問10.0.0.0/24 ,對應port的目標
典型規則的配置
1.同namespace的pod,入站規則爲全部禁止
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector: {}
policyTypes:
- Ingress
2.同namespace的pod,入站規則爲全部開放:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all
spec:
podSelector: {}
ingress:
- {}
3.同namespace的pod,出站規則爲全部禁止
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector: {}
policyTypes:
- Egress
4.同namespace的pod,出站規則爲全部開放
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all
spec:
podSelector: {}
egress:
- {}
policyTypes:
- Egress