Hands-on: Kubernetes network policy experiment (tested successfully - blog output) - 20211005


Preface

In this article I walk you through a hands-on experiment with network policies (NetworkPolicy) in Kubernetes.

The theme of my blog: I hope everyone will do the experiments along with my posts, running each experiment first and then combining it with the theory to understand the technical points more deeply, so that learning stays fun and motivating. The steps in my posts are complete, and I also share the source code and the software used in the experiments. I hope we can make progress together!

If you run into any problems while following along, you can contact me at any time and I will help you solve them for free:

  1. Personal WeChat: x2675263825 (shede), QQ: 2675263825.

  2. Personal blog address: www.onlyonexl.cn

  3. Personal WeChat official account: Cloud Native Architect in Practice

  4. Personal CSDN:

    https://blog.csdn.net/weixin_39246554?spm=1010.2135.3001.5421

Basic knowledge

Experimental environment

Experimental environment:
1. Windows 10, VMware Workstation virtual machines;
2. k8s cluster: 3 CentOS 7.6 (1810) virtual machines, 1 master node and 2 worker nodes
   k8s version: v1.21
   CONTAINER-RUNTIME: docker://20.10.7

Original course material

Network policy: cases

Case 1: deny access from pods in other namespaces
Case 2: restrict access between applications in the same namespace
Case 3: allow access only from applications in a specified namespace

Attachment: quick commands for preparing the environment
kubectl run busybox --image=busybox -n test -- sleep 12h
kubectl run web --image=nginx -n test
kubectl exec busybox -n test -- ping 10.244.169.135

1. Case 1: deny access from pods in other namespaces

Case 1: deny access from pods in other namespaces

Requirement: all pods in the test namespace can access each other and pods in other
namespaces, but pods in other namespaces cannot access pods in the test namespace.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-namespaces
  namespace: test
spec:
  podSelector: {} # Empty selector: the policy applies to all pods in this namespace
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {} # Empty selector: allows all pods in this namespace as sources

# Explanation
In general we configure many ingress rules, whereas egress rules are rarely configured.

Prepare the test environment:

First create the following test namespace:

[root@k8s-master ~]#kubectl create ns test
namespace/test created

Create two more pods:

[root@k8s-master np]#kubectl run web --image=nginx -n test
pod/web created
[root@k8s-master ~]#kubectl run busybox --image=busybox -n test -- sleep 24h
pod/busybox created

# check
[root@k8s-master ~]#kubectl get pod -n test
NAME                  READY   STATUS    RESTARTS   AGE
busybox               1/1     Running   0          9s
web-96d5df5c8-7r6w6   1/1     Running   0          3m11s
[root@k8s-master ~]#kubectl get pod -n test -o wide
NAME      READY   STATUS    RESTARTS   AGE     IP               NODE        NOMINATED NODE   READINESS GATES
busybox   1/1     Running   0          21h     10.244.169.148   k8s-node2   <none>           <none>
web       1/1     Running   0          7h26m   10.244.169.151   k8s-node2   <none>           <none>

# By default a Kubernetes cluster network has no restrictions: a pod can communicate with any other pod
[root@k8s-master ~]#kubectl exec busybox -n test -- ping 10.244.169.151
PING 10.244.169.151 (10.244.169.151): 56 data bytes
64 bytes from 10.244.169.151: seq=0 ttl=63 time=0.283 ms
64 bytes from 10.244.169.151: seq=1 ttl=63 time=0.126 ms
^C
[root@k8s-master ~]#

Next, create a pod in the default namespace and test whether pods in different namespaces can communicate: => yes, they can.

[root@k8s-master ~]#kubectl run busybox --image=busybox -- sleep 24h

[root@k8s-master ~]#kubectl get pod -o wide
[root@k8s-master ~]#kubectl get pod -o wide -n test
[root@k8s-master ~]#kubectl exec busybox -- ping 10.244.169.157

Now apply the restriction required by the case:

Deny access from pods in other namespaces
Requirement: all pods in the test namespace can access each other and pods in other namespaces, but pods in other namespaces cannot access pods in the test namespace.
Create the np directory:

[root@k8s-master ~]#mkdir np
[root@k8s-master ~]#cd np/
[root@k8s-master np]#vim deny-all-namespaces.yaml # write the YAML; this is the so-called whitelist
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-namespaces 
  namespace: test
spec:
  podSelector: {} # Empty selector: the policy applies to all pods in this namespace
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {} # Empty selector: allows all pods in this namespace as sources

Apply it and test the effect: => it fully meets the expected effect.

# apply
[root@k8s-master np]#kubectl apply -f deny-all-namespaces.yaml
networkpolicy.networking.k8s.io/deny-all-namespaces created

# Verify the effect
[root@k8s-master np]#kubectl exec busybox -- ping 10.244.169.157 # after the network policy is in place, the web pod in the test namespace can no longer be pinged from the default namespace
^C

# However, pods within the test namespace can still reach each other
[root@k8s-master np]#kubectl exec busybox -n test -- ping 10.244.169.157
PING 10.244.169.157 (10.244.169.157): 56 data bytes
64 bytes from 10.244.169.157: seq=0 ttl=63 time=0.245 ms
64 bytes from 10.244.169.157: seq=1 ttl=63 time=0.307 ms
^C

# The external network can also still be reached directly from the test namespace
[root@k8s-master np]#kubectl exec busybox -n test -- ping www.baidu.com
PING www.baidu.com (180.101.49.11): 56 data bytes
64 bytes from 180.101.49.11: seq=0 ttl=127 time=12.591 ms
64 bytes from 180.101.49.11: seq=1 ttl=127 time=9.736 ms
^C
[root@k8s-master np]#

# With that, the test of case 1 is successful!

2. Case 2: restrict access between applications in the same namespace

Case 2: restrict access between applications in the same namespace

Requirement: isolate the pods labelled run=web in the test namespace; only pods labelled
run=client1 in the test namespace may access them, and only on port 80.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-to-app
  namespace: test
spec:
  podSelector:
    matchLabels:
      run: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: client1
    ports:
    - protocol: TCP
      port: 80

Before testing this case, first delete the network policy from case 1:

[root@k8s-master ~]#cd np
[root@k8s-master np]#kubectl delete -f deny-all-namespaces.yaml
networkpolicy.networking.k8s.io "deny-all-namespaces" deleted
[root@k8s-master np]#

Create two test pods with different labels in the test namespace:

[root@k8s-master np]#kubectl get pod -n test --show-labels
NAME      READY   STATUS    RESTARTS   AGE   LABELS
busybox   1/1     Running   1          22h   run=busybox
web       1/1     Running   1          8h    run=web

[root@k8s-master np]#kubectl run client1 -l run=client1 --image=busybox -n test -- sleep 12h
pod/client1 created
[root@k8s-master np]#kubectl run client2 -l run=client2 --image=busybox -n test -- sleep 12h
pod/client2 created

[root@k8s-master np]#kubectl get pod -n test --show-labels
NAME      READY   STATUS    RESTARTS   AGE   LABELS
busybox   1/1     Running   1          22h   run=busybox
client1   1/1     Running   0          33s   run=client1
client2   1/1     Running   0          20s   run=client2
web       1/1     Running   1          8h    run=web
[root@k8s-master np]#

Test before configuration: by default, all pods in the same namespace can access each other directly.

Now configure the network policy:

[root@k8s-master np]#vim app-to-app.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-to-app
  namespace: test
spec:
  podSelector:
    matchLabels:
      run: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: client1
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master np]#kubectl apply -f app-to-app.yaml
networkpolicy.networking.k8s.io/app-to-app created

Test the effect: => as expected.

With that, the experiment for case 2 is complete.

3. Case 3: allow access only from applications in a specified namespace

Case 3: allow access only from applications in a specified namespace

Requirement: only pods in the dev namespace may access port 80 of pods in the test namespace.
Label the namespace: kubectl label namespace dev name=dev

Delete the original network policy:

[root@k8s-master np]#kubectl delete -f app-to-app.yaml
networkpolicy.networking.k8s.io "app-to-app" deleted

Create dev namespace:

[root@k8s-master np]#kubectl create ns dev
namespace/dev created

Create a test pod in the dev namespace:

[root@k8s-master np]#kubectl run busybox --image=busybox -n dev -- sleep 12h
pod/busybox created
[root@k8s-master np]#

Label the namespace:

[root@k8s-master np]#kubectl label namespaces dev name=dev
namespace/dev labeled
[root@k8s-master np]#kubectl get ns --show-labels
NAME                   STATUS   AGE     LABELS
default                Active   34d     <none>
dev                    Active   3m25s   name=dev
kube-node-lease        Active   34d     <none>
kube-public            Active   34d     <none>
kube-system            Active   34d     <none>
kubernetes-dashboard   Active   33d     <none>
test                   Active   23h     <none>
[root@k8s-master np]#

Configure network policy:

[root@k8s-master np]#vim allow-port-from-namespace.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: test
spec:
  podSelector: {} # Empty selector: the policy applies to all pods in this namespace
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector: # Match namespaces by label
        matchLabels:
          name: dev
    ports:
    - protocol: TCP
      port: 80
[root@k8s-master np]#kubectl apply -f allow-port-from-namespace.yaml
networkpolicy.networking.k8s.io/allow-port-from-namespace created
[root@k8s-master np]#

Test the effect: => it meets the expected effect.
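The three cases above differ only in which pods the policy selects and which sources it admits, so it is worth checking the expected reachability table before running ping or wget in the cluster. The script below is an added illustration (not code from the post or from Kubernetes): a small evaluator for the ingress side of NetworkPolicy that models matchLabels selectors, the `from` peers and the `ports` list, and then replays the three policies against the pods created in the post. The pod names, labels and the `name=dev` namespace label are taken from the post; the protocol names "TCP" and "ICMP" and the simplified policy dicts are this example's own representation, and real enforcement is done by the cluster's network plugin, not by this code.

```python
# Added illustration, not from the post: a minimal evaluator for the ingress
# side of Kubernetes NetworkPolicy. Only matchLabels selectors, 'from' peers
# (podSelector / namespaceSelector) and 'ports' are modelled; ipBlock peers,
# egress and policy merging across namespaces are left out.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict


# Namespace labels as they are after 'kubectl label namespace dev name=dev'
NS_LABELS = {"default": {}, "test": {}, "dev": {"name": "dev"}}

# The pods created in the post (constructed to match 'kubectl get pod --show-labels')
PODS = {
    "busybox.default": Pod("busybox", "default", {"run": "busybox"}),
    "busybox.test":    Pod("busybox", "test", {"run": "busybox"}),
    "web.test":        Pod("web", "test", {"run": "web"}),
    "client1.test":    Pod("client1", "test", {"run": "client1"}),
    "client2.test":    Pod("client2", "test", {"run": "client2"}),
    "busybox.dev":     Pod("busybox", "dev", {"run": "busybox"}),
}

# The three policies from the post, reduced to the fields this evaluator reads
# (apiVersion/kind/policyTypes dropped; all three are Ingress-only policies).
POLICIES = {
    "deny-all-namespaces": {
        "namespace": "test", "podSelector": {},
        "ingress": [{"from": [{"podSelector": {}}]}],
    },
    "app-to-app": {
        "namespace": "test", "podSelector": {"matchLabels": {"run": "web"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "client1"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
    },
    "allow-port-from-namespace": {
        "namespace": "test", "podSelector": {},
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "dev"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
    },
}


def selector_matches(selector, labels):
    """matchLabels semantics: every key must be present with that value.
    An empty selector {} therefore matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns):
    """One entry of a 'from' list. A bare podSelector is scoped to the
    policy's own namespace; a namespaceSelector picks namespaces by label;
    when both are present they are AND-ed."""
    pod_sel = peer.get("podSelector")
    ns_sel = peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is None:
        return src.namespace == policy_ns and selector_matches(pod_sel, src.labels)
    if not selector_matches(ns_sel, NS_LABELS.get(src.namespace, {})):
        return False
    return pod_sel is None or selector_matches(pod_sel, src.labels)


def port_matches(rule, protocol, port):
    """No 'ports' key means any protocol/port; otherwise one entry must match.
    This is why ping (ICMP) is blocked by a rule that only lists TCP/80."""
    ports = rule.get("ports")
    if ports is None:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(policy_names, src, dst, protocol="TCP", port=80):
    """Is src -> dst allowed on protocol/port under the named ingress policies?
    A pod selected by no policy is non-isolated (everything is allowed); a
    selected pod only accepts traffic that at least one rule admits."""
    selecting = [POLICIES[n] for n in policy_names
                 if POLICIES[n]["namespace"] == dst.namespace
                 and selector_matches(POLICIES[n]["podSelector"], dst.labels)]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["ingress"]:
            froms = rule.get("from")
            src_ok = not froms or any(peer_matches(f, src, pol["namespace"]) for f in froms)
            if src_ok and port_matches(rule, protocol, port):
                return True
    return False


def case_results(policy_name):
    """Reachability of the web pod from every other pod under one policy, for
    TCP/80 (what wget http://<web-ip> uses) and ICMP (what ping uses)."""
    web = PODS["web.test"]
    out = {}
    for key, src in PODS.items():
        if src is web:
            continue
        out[(key, "TCP/80")] = ingress_allowed([policy_name], src, web, "TCP", 80)
        out[(key, "ICMP")] = ingress_allowed([policy_name], src, web, "ICMP", None)
    return out


if __name__ == "__main__":
    for name in POLICIES:
        print(f"== {name} ==")
        for (src, proto), ok in case_results(name).items():
            print(f"  {src:16} {proto:7} {'allow' if ok else 'DENY'}")
```

Two things the table makes visible that the cluster output in the post does not: under case 2 and case 3 the rule lists only TCP/80, so `ping` from client1 (or from the dev namespace) is denied even though `wget` to port 80 succeeds, which is why a verification should use a TCP client rather than ping; and under case 3 the policy selects every pod in test while admitting only sources in dev, so busybox in the test namespace can no longer reach web on port 80 either.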

Summary

Well, that's all for the Kubernetes network policy experiment. Thank you for reading. Finally, I'll post a photo of myself. I wish you a happy and meaningful life every day. See you next time!

Tags: Operation & Maintenance Kubernetes

Posted on Tue, 05 Oct 2021 17:53:11 -0400 by madmax