Actual combat: network strategy experiment in k8s (success test - blog output) - 20211005

catalogue ...
catalogue
Write in front
Basic knowledge
Experimental environment
Original courseware content
1. Case 1: deny access to other namespace pods
2. Case 2: restricted access between applications in the same namespace
3. Case 3: only applications in the specified namespace are allowed to access
summary

catalogue

Write in front

In this article, I will take you to the network strategy experiment in the actual combat demonstration k8s.

Theme of my blog: I hope everyone can make experiments with my blog, first do the experiments, and then understand the technical points in a deeper level in combination with theoretical knowledge, so as to have fun and motivation in learning. Moreover, the content steps of my blog are very complete. I also share the source code and the software used in the experiment. I hope I can make progress with you!

If you have any questions during the actual operation, you can contact me at any time to help you solve the problem for free:

  1. Personal wechat QR Code: x2675263825 (shede), qq: 2675263825.

  2. Personal blog address: www.onlyonexl.cn

  3. Personal WeChat official account: cloud native architect real battle

  4. Personal csdn

    https://blog.csdn.net/weixin_39246554?spm=1010.2135.3001.5421

Basic knowledge

Experimental environment

Experimental environment: 1,win10,vmwrokstation Virtual machine; 2,k8s Cluster: 3 sets centos7.6 1810 Virtual machine, 1 master node,2 individual node node k8s version: v1.21 CONTAINER-RUNTIME: docker://20.10.7

Original courseware content

Network strategy: case Case 1: reject other namespaces Pod visit Case 2: restricted access between applications in the same namespace Case 3: only applications in the specified namespace are allowed to access Attachment: quick commands for preparing environment kubectl run busybox --image=busybox -n test -- sleep 12h kubectl run web --image=nginx -n test kubectl exec busybox -n test -- ping 10.244.169.135

1. Case 1: deny access to other namespace pods

Case 1: reject other namespaces Pod visit Requirements: test All under namespace pod You can access each other or other users Name space Pod,But other namespaces cannot be accessed test Namespace Pod. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all-namespaces namespace: test spec: podSelector: {} # Not configured, matching all pod s in this namespace policyTypes: - Ingress ingress: - from: - podSelector: {} # Not configured, matching all pod s in this namespace #explain In general, we configure ingress There will be more rules, but there will be more rules egress Rarely configured;

Prepare the test environment:

First create the following test namespace:

[root@k8s-master ~]#kubectl create ns test namespace/test created

Create two more pod s:

[root@k8s-master np]#kubectl run web --image=nginx -n test pod/web created [root@k8s-master ~]#kubectl run busybox --image=busybox -n test -- sleep 24h pod/busybox created #see [root@k8s-master ~]#kubectl get pod -n test NAME READY STATUS RESTARTS AGE busybox 1/1 Running 0 9s web-96d5df5c8-7r6w6 1/1 Running 0 3m11s [root@k8s-master ~]#kubectl get pod -n test -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES busybox 1/1 Running 0 21h 10.244.169.148 k8s-node2 <none> <none> web 1/1 Running 0 7h26m 10.244.169.151 k8s-node2 <none> <none> #By default, the ` Kubernetes cluster network has no network restrictions, and the Pod can communicate with any other Pod` [root@k8s-master ~]#kubectl exec busybox -n test -- ping 10.244.169.151 PING 10.244.169.151 (10.244.169.151): 56 data bytes 64 bytes from 10.244.169.151: seq=0 ttl=63 time=0.283 ms 64 bytes from 10.244.169.151: seq=1 ttl=63 time=0.126 ms ^C [root@k8s-master ~]#

Once again, we create a pod in the default namespace and test whether pods in different namespaces can communicate: = > Yes.

[root@k8s-master ~]#kubectl run busybox --image=busybox -- sleep 24h [root@k8s-master ~]#kubectl get pod -o wide [root@k8s-master ~]#kubectl get pod -o wide -n test [root@k8s-master ~]#kubectl exec busybox -- ping 10.244.169.157

Now limit according to the subject requirements:

Deny access to other namespace pods
Requirement: all pods in the test namespace can access each other or other namespace pods, but other namespaces cannot access the test namespace pod.
Create np Directory:

[root@k8s-master ~]#mkdir np [root@k8s-master ~]#cd np/ [root@k8s-master np]#vim deny-all-namespaces.yaml #Configure yaml, which is the so-called white list apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all-namespaces namespace: test spec: podSelector: {} # Not configured, matching all pod s in this namespace policyTypes: - Ingress ingress: - from: - podSelector: {} # Not configured, matching all pod s in this namespace

apply and test the effect: = > it fully meets the expected effect.

#Under apply [root@k8s-master np]#kubectl apply -f deny-all-namespaces.yaml networkpolicy.networking.k8s.io/deny-all-namespaces created #Verification effect [root@k8s-master np]#kubectl exec busybox -- ping 10.244.169.157 #After network policy restrictions are made, the web pod under the test namespace cannot be ping ed from the default namespace. ^C #However, different pod s can still be accessed under test [root@k8s-master np]#kubectl exec busybox -n test -- ping 10.244.169.157 PING 10.244.169.157 (10.244.169.157): 56 data bytes 64 bytes from 10.244.169.157: seq=0 ttl=63 time=0.245 ms 64 bytes from 10.244.169.157: seq=1 ttl=63 time=0.307 ms ^C #The external network can also be accessed directly under the test namespace; [root@k8s-master np]#kubectl exec busybox -n test -- ping www.baidu.com PING www.baidu.com (180.101.49.11): 56 data bytes 64 bytes from 180.101.49.11: seq=0 ttl=127 time=12.591 ms 64 bytes from 180.101.49.11: seq=1 ttl=127 time=9.736 ms ^C [root@k8s-master np]# #So far, the test of case 1 is successful!

2. Case 2: restricted access between applications in the same namespace

Case 2: restricted access between applications in the same namespace Requirements: will test Namespace carrying run=web Tagged Pod Isolation, only allowed test Namespace carrying run=client1 Tagged Pod Access port 80. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: app-to-app namespace: test spec: podSelector: matchLabels: run: web policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: run: client1 ports: - protocol: TCP port: 80

When we do the test here, first delete the above network policy rules:

[root@k8s-master ~]#cd np [root@k8s-master np]#kubectl delete -f deny-all-namespaces.yaml networkpolicy.networking.k8s.io "deny-all-namespaces" deleted [root@k8s-master np]#

Create test pod s of different label s under two test namespaces:

[root@k8s-master np]#kubectl get pod -n test --show-labels NAME READY STATUS RESTARTS AGE LABELS busybox 1/1 Running 1 22h run=busybox web 1/1 Running 1 8h run=web [root@k8s-master np]#kubectl run client1 -l run=client1 --image=busybox -n test -- sleep 12h pod/client1 created [root@k8s-master np]#kubectl run client2 -l run=client2 --image=busybox -n test -- sleep 12h pod/client2 created [root@k8s-master np]#kubectl get pod -n test --show-labels NAME READY STATUS RESTARTS AGE LABELS busybox 1/1 Running 1 22h run=busybox client1 1/1 Running 0 33s run=client1 client2 1/1 Running 0 20s run=client2 web 1/1 Running 1 8h run=web [root@k8s-master np]#

Test before configuration: by default, all pod s in the same namespace can be accessed directly:

Now start configuring the network policy:

[root@k8s-master np]#vim app-to-app.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: app-to-app namespace: test spec: podSelector: matchLabels: run: web policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: run: client1 ports: - protocol: TCP port: 80 [root@k8s-master np]#kubectl apply -f app-to-app.yaml networkpolicy.networking.k8s.io/app-to-app created

Test failure effect: = > as expected.

So far, the experiment of case 2 is completed.

3. Case 3: only applications in the specified namespace are allowed to access

Case 3: only applications in the specified namespace are allowed to access Demand: only allowed dev In namespace Pod visit test In namespace pod 80 port Namespace tagging: kubectl label namespace dev name=dev

Delete the original network policy:

[root@k8s-master np]#kubectl delete -f app-to-app.yaml networkpolicy.networking.k8s.io "app-to-app" deleted

Create dev namespace:

[root@k8s-master np]#kubectl create ns dev namespace/dev created

Create a test pod in the dev namespace:

[root@k8s-master np]#kubectl run busybox --image=busybox -n dev -- sleep 12h pod/busybox created [root@k8s-master np]#

label the namespace:

[root@k8s-master np]#kubectl label namespaces dev name=dev namespace/dev labeled [root@k8s-master np]#kubectl get ns --show-labels NAME STATUS AGE LABELS default Active 34d <none> dev Active 3m25s name=dev kube-node-lease Active 34d <none> kube-public Active 34d <none> kube-system Active 34d <none> kubernetes-dashboard Active 33d <none> test Active 23h <none> [root@k8s-master np]#

Configure network policy:

[root@k8s-master np]#vim allow-port-from-namespace.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: test spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: # Match namespace Tags matchLabels: name: dev ports: - protocol: TCP port: 80 [root@k8s-master np]#kubectl apply -f allow-port-from-namespace.yaml networkpolicy.networking.k8s.io/allow-port-from-namespace created [root@k8s-master np]#

Test effect: = > meets the expected effect.

summary

Well, that's all for the network strategy experiment in k8s. Thank you for reading. Finally, I'll post my US dollar photo. I wish you a happy life and a meaningful life every day. See you next time!

5 October 2021, 17:53 | Views: 1755

Add new comment

For adding a comment, please log in
or create account

0 comments