catalogue
Write in front
In this article, I will take you to the network strategy experiment in the actual combat demonstration k8s.
Theme of my blog: I hope everyone can make experiments with my blog, first do the experiments, and then understand the technical points in a deeper level in combination with theoretical knowledge, so as to have fun and motivation in learning. Moreover, the content steps of my blog are very complete. I also share the source code and the software used in the experiment. I hope I can make progress with you!
If you have any questions during the actual operation, you can contact me at any time to help you solve the problem for free:
-
Personal wechat QR Code: x2675263825 (shede), qq: 2675263825.
-
Personal blog address: www.onlyonexl.cn
-
Personal WeChat official account: cloud native architect real battle
-
Personal csdn
https://blog.csdn.net/weixin_39246554?spm=1010.2135.3001.5421
Basic knowledge
Experimental environment
Experimental environment: 1,win10,vmwrokstation Virtual machine; 2,k8s Cluster: 3 sets centos7.6 1810 Virtual machine, 1 master node,2 individual node node k8s version: v1.21 CONTAINER-RUNTIME: docker://20.10.7
Original courseware content
Network strategy: case Case 1: reject other namespaces Pod visit Case 2: restricted access between applications in the same namespace Case 3: only applications in the specified namespace are allowed to access Attachment: quick commands for preparing environment kubectl run busybox --image=busybox -n test -- sleep 12h kubectl run web --image=nginx -n test kubectl exec busybox -n test -- ping 10.244.169.135
1. Case 1: deny access to other namespace pods
Case 1: reject other namespaces Pod visit
Requirements: test All under namespace pod You can access each other or other users
Name space Pod,But other namespaces cannot be accessed test Namespace Pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-namespaces
namespace: test
spec:
podSelector: {} # Not configured, matching all pod s in this namespace
policyTypes:
- Ingress
ingress:
- from:
- podSelector: {} # Not configured, matching all pod s in this namespace
#explain
In general, we configure ingress There will be more rules, but there will be more rules egress Rarely configured;
Prepare the test environment:
First create the following test namespace:
[root@k8s-master ~]#kubectl create ns test namespace/test created
Create two more pod s:
[root@k8s-master np]#kubectl run web --image=nginx -n test pod/web created [root@k8s-master ~]#kubectl run busybox --image=busybox -n test -- sleep 24h pod/busybox created #see [root@k8s-master ~]#kubectl get pod -n test NAME READY STATUS RESTARTS AGE busybox 1/1 Running 0 9s web-96d5df5c8-7r6w6 1/1 Running 0 3m11s [root@k8s-master ~]#kubectl get pod -n test -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES busybox 1/1 Running 0 21h 10.244.169.148 k8s-node2 <none> <none> web 1/1 Running 0 7h26m 10.244.169.151 k8s-node2 <none> <none> #By default, the ` Kubernetes cluster network has no network restrictions, and the Pod can communicate with any other Pod` [root@k8s-master ~]#kubectl exec busybox -n test -- ping 10.244.169.151 PING 10.244.169.151 (10.244.169.151): 56 data bytes 64 bytes from 10.244.169.151: seq=0 ttl=63 time=0.283 ms 64 bytes from 10.244.169.151: seq=1 ttl=63 time=0.126 ms ^C [root@k8s-master ~]#
Once again, we create a pod in the default namespace and test whether pods in different namespaces can communicate: = > Yes.
[root@k8s-master ~]#kubectl run busybox --image=busybox -- sleep 24h [root@k8s-master ~]#kubectl get pod -o wide [root@k8s-master ~]#kubectl get pod -o wide -n test [root@k8s-master ~]#kubectl exec busybox -- ping 10.244.169.157
Now limit according to the subject requirements:
Deny access to other namespace pods
Requirement: all pods in the test namespace can access each other or other namespace pods, but other namespaces cannot access the test namespace pod.
Create np Directory:
[root@k8s-master ~]#mkdir np
[root@k8s-master ~]#cd np/
[root@k8s-master np]#vim deny-all-namespaces.yaml #Configure yaml, which is the so-called white list
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-namespaces
namespace: test
spec:
podSelector: {} # Not configured, matching all pod s in this namespace
policyTypes:
- Ingress
ingress:
- from:
- podSelector: {} # Not configured, matching all pod s in this namespace
apply and test the effect: = > it fully meets the expected effect.
#Under apply [root@k8s-master np]#kubectl apply -f deny-all-namespaces.yaml networkpolicy.networking.k8s.io/deny-all-namespaces created #Verification effect [root@k8s-master np]#kubectl exec busybox -- ping 10.244.169.157 #After network policy restrictions are made, the web pod under the test namespace cannot be ping ed from the default namespace. ^C #However, different pod s can still be accessed under test [root@k8s-master np]#kubectl exec busybox -n test -- ping 10.244.169.157 PING 10.244.169.157 (10.244.169.157): 56 data bytes 64 bytes from 10.244.169.157: seq=0 ttl=63 time=0.245 ms 64 bytes from 10.244.169.157: seq=1 ttl=63 time=0.307 ms ^C #The external network can also be accessed directly under the test namespace; [root@k8s-master np]#kubectl exec busybox -n test -- ping www.baidu.com PING www.baidu.com (180.101.49.11): 56 data bytes 64 bytes from 180.101.49.11: seq=0 ttl=127 time=12.591 ms 64 bytes from 180.101.49.11: seq=1 ttl=127 time=9.736 ms ^C [root@k8s-master np]# #So far, the test of case 1 is successful!
2. Case 2: restricted access between applications in the same namespace
Case 2: restricted access between applications in the same namespace
Requirements: will test Namespace carrying run=web Tagged Pod Isolation, only allowed test
Namespace carrying run=client1 Tagged Pod Access port 80.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: app-to-app
namespace: test
spec:
podSelector:
matchLabels:
run: web
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
run: client1
ports:
- protocol: TCP
port: 80
When we do the test here, first delete the above network policy rules:
[root@k8s-master ~]#cd np [root@k8s-master np]#kubectl delete -f deny-all-namespaces.yaml networkpolicy.networking.k8s.io "deny-all-namespaces" deleted [root@k8s-master np]#
Create test pod s of different label s under two test namespaces:
[root@k8s-master np]#kubectl get pod -n test --show-labels NAME READY STATUS RESTARTS AGE LABELS busybox 1/1 Running 1 22h run=busybox web 1/1 Running 1 8h run=web [root@k8s-master np]#kubectl run client1 -l run=client1 --image=busybox -n test -- sleep 12h pod/client1 created [root@k8s-master np]#kubectl run client2 -l run=client2 --image=busybox -n test -- sleep 12h pod/client2 created [root@k8s-master np]#kubectl get pod -n test --show-labels NAME READY STATUS RESTARTS AGE LABELS busybox 1/1 Running 1 22h run=busybox client1 1/1 Running 0 33s run=client1 client2 1/1 Running 0 20s run=client2 web 1/1 Running 1 8h run=web [root@k8s-master np]#
Test before configuration: by default, all pod s in the same namespace can be accessed directly:
Now start configuring the network policy:
[root@k8s-master np]#vim app-to-app.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: app-to-app
namespace: test
spec:
podSelector:
matchLabels:
run: web
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
run: client1
ports:
- protocol: TCP
port: 80
[root@k8s-master np]#kubectl apply -f app-to-app.yaml
networkpolicy.networking.k8s.io/app-to-app created
Test failure effect: = > as expected.
So far, the experiment of case 2 is completed.
3. Case 3: only applications in the specified namespace are allowed to access
Case 3: only applications in the specified namespace are allowed to access Demand: only allowed dev In namespace Pod visit test In namespace pod 80 port Namespace tagging: kubectl label namespace dev name=dev
Delete the original network policy:
[root@k8s-master np]#kubectl delete -f app-to-app.yaml networkpolicy.networking.k8s.io "app-to-app" deleted
Create dev namespace:
[root@k8s-master np]#kubectl create ns dev namespace/dev created
Create a test pod in the dev namespace:
[root@k8s-master np]#kubectl run busybox --image=busybox -n dev -- sleep 12h pod/busybox created [root@k8s-master np]#
label the namespace:
[root@k8s-master np]#kubectl label namespaces dev name=dev namespace/dev labeled [root@k8s-master np]#kubectl get ns --show-labels NAME STATUS AGE LABELS default Active 34d <none> dev Active 3m25s name=dev kube-node-lease Active 34d <none> kube-public Active 34d <none> kube-system Active 34d <none> kubernetes-dashboard Active 33d <none> test Active 23h <none> [root@k8s-master np]#
Configure network policy:
[root@k8s-master np]#vim allow-port-from-namespace.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-port-from-namespace
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector: # Match namespace Tags
matchLabels:
name: dev
ports:
- protocol: TCP
port: 80
[root@k8s-master np]#kubectl apply -f allow-port-from-namespace.yaml
networkpolicy.networking.k8s.io/allow-port-from-namespace created
[root@k8s-master np]#
Test effect: = > meets the expected effect.
summary
Well, that's all for the network strategy experiment in k8s. Thank you for reading. Finally, I'll post my US dollar photo. I wish you a happy life and a meaningful life every day. See you next time!
