kubernetes之network policy

Network policy：設置pod進出網絡的策略，k8s本身並不支持，主要靠以下網絡插件來支持。

• calico
• Romana
• Weave

network policy 策略模型

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

 

上述規則意思如下：

入站

• default namespace下含有label role=db的pod，不滿足ingress和exgress的網絡訪問（出去，進入）都會被拒絕
• default namespace下含有label role=db的pod，172.17.0.0/16(除去172.17.1.0/24)的網絡可以訪問，其他的都被拒絕
• default namespace下含有label role=db的pod，在label爲project=myproject的namespace下都能訪問到
  +default namespace下含有label role=db的pod，在default namespace下只有label爲role=frontend的pod能訪問
• ports 爲只能訪問的port，不寫所有ports都能訪問

出站

• default namespace下含label爲role=db的pod，只能訪問10.0.0.0/24 ，對應port的目標

典型規則的配置

1.同namespace的pod，入站規則爲全部禁止

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress

2.同namespace的pod，入站規則爲全部開放：

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}

3.同namespace的pod，出站規則爲全部禁止

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Egress

4.同namespace的pod，出站規則爲全部開放

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress