网络策略实战
网络策略
在命名空间 dev 中创建网络策略 dev-policy,只允许命名空间 prod 中的 pod 连上 dev 中 pod 的 80 端口。注意:这里有 2 个 ns,一个为 dev(目标 pod 的 ns),另外一个为 prod(访问源 pod 的 ns)
🔋创建命名空间
首先创建两个命名空间dev和prod:
root@k8s-master:~# kubectl create namespace dev
namespace/dev created
root@k8s-master:~# kubectl create namespace prod
namespace/prod created
#查看已存在的命名空间
root@k8s-master:~# kubectl get namespaces --show-labels
NAME STATUS AGE LABELS
app-team1 Active 673d kubernetes.io/metadata.name=app-team1
default Active 688d kubernetes.io/metadata.name=default
dev Active 34m kubernetes.io/metadata.name=dev
fubar Active 673d kubernetes.io/metadata.name=fubar
ing-internal Active 673d kubernetes.io/metadata.name=ing-internal
ingress-nginx Active 672d app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx,kubernetes.io/metadata.name=ingress-nginx
kube-node-lease Active 688d kubernetes.io/metadata.name=kube-node-lease
kube-public Active 688d kubernetes.io/metadata.name=kube-public
kube-system Active 688d kubernetes.io/metadata.name=kube-system
kubesphere-system Active 26h kubernetes.io/metadata.name=kubesphere-system
my-app Active 673d kubernetes.io/metadata.name=my-app,name=my-app
prod Active 34m kubernetes.io/metadata.name=prod
🔌在两个命名空间生成Pod
这里使用Deployment生成Pod
首先在dev空间生成Pod:
dev-deploy.yml
# dev-deploy.yml: one nginx pod in the dev namespace, the target of the
# NetworkPolicy configured later in this walkthrough.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: dev
  name: dev-deploy
spec:
  replicas: 1
  # The label app=dev-pod is what dev-policy's podSelector matches on.
  selector:
    matchLabels: {app: dev-pod}
  template:
    metadata:
      labels: {app: dev-pod}
    spec:
      containers:
        - name: nginx
          # NOTE(review): a floating tag is not reproducible; pin a version
          # or digest for anything beyond a lab exercise.
          image: nginx:latest
          ports:
            - containerPort: 80
root@k8s-master:~# vim dev-deploy.yml
root@k8s-master:~# kubectl apply -f dev-deploy.yml
deployment.apps/dev-deploy created
查看Pod信息:
root@k8s-master:~# kubectl get pod -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dev-deploy-6dccc6d68c-rqzrr 1/1 Running 0 39s 10.244.169.162 k8s-node2 <none> <none>
然后在prod生成Pod:
prod-deploy.yml
# prod-deploy.yml: one nginx pod in the prod namespace, used as the client
# that is allowed to reach the dev pod on port 80.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prod
  name: prod-deploy
spec:
  replicas: 1
  selector:
    matchLabels: {app: prod-pod}
  template:
    metadata:
      labels: {app: prod-pod}
    spec:
      containers:
        - name: nginx
          # NOTE(review): a floating tag is not reproducible; pin a version
          # or digest for anything beyond a lab exercise.
          image: nginx:latest
          ports:
            - containerPort: 80
root@k8s-master:~# vim prod-deploy.yml
root@k8s-master:~# kubectl apply -f prod-deploy.yml
deployment.apps/prod-deploy created
查看Pod信息:
root@k8s-master:~# kubectl get pod -n prod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
prod-deploy-7559496b85-8frb9 1/1 Running 0 65s 10.244.169.163 k8s-node2 <none> <none>
🖨️设置网络策略
在命名空间dev中设置网络策略
目标:dev
访问:prod
设置入口隔离规则:
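# dev-policy.yml: restrict ingress to the dev nginx pods so that only pods
# from the prod namespace may reach them, and only on TCP/80.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dev-policy
  namespace: dev
spec:
  # Target: the pods created by dev-deploy (label app=dev-pod).
  podSelector:
    matchLabels:
      app: dev-pod
  # Traffic comes from outside dev, so only the ingress side is isolated;
  # egress from the dev pods is left unrestricted.
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in the SAME list item are ANDed:
        # "any pod (matchLabels: {}) in the namespace labelled prod".
        # Written as two separate items ("- namespaceSelector:" and
        # "- podSelector:") they are ORed, and a bare podSelector refers to
        # the policy's own namespace, so every pod in dev would also have
        # been allowed in, contradicting the "only prod" requirement.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: prod
          podSelector:
            matchLabels: {}
      ports:
        - protocol: TCP
          port: 80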
设置网络策略:
root@k8s-master:~# vim dev-policy.yml
root@k8s-master:~# kubectl apply -f dev-policy.yml
networkpolicy.networking.k8s.io/dev-policy created
查看网络策略(注意下面的输出中有两个独立的 From: 条目,第二个 PodSelector: <none> 表示放行 dev 命名空间内的所有 Pod,而不是 prod 的 Pod):
root@k8s-master:~# kubectl describe networkpolicy -n dev
Name: dev-policy
Namespace: dev
Created on: 2023-10-27 17:59:26 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=dev-pod
Allowing ingress traffic:
To Port: 80/TCP
From:
NamespaceSelector: kubernetes.io/metadata.name=prod
From:
PodSelector: <none>
Not affecting egress traffic
Policy Types: Ingress
进入prod的Pod里的容器里:
root@k8s-master:~# kubectl get pod -n prod --show-labels
NAME READY STATUS RESTARTS AGE LABELS
prod-deploy-7559496b85-8frb9 1/1 Running 0 25m app=prod-pod,pod-template-hash=7559496b85
root@k8s-master:~# kubectl exec -it prod-deploy-7559496b85-8frb9 -n prod -- /bin/bash
#访问dev-pod的ip 默认80端口
root@prod-deploy-7559496b85-8frb9:/# curl 10.244.169.162
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
#尝试访问其他端口 策略只放行了 80 端口,所以其他端口无法访问(表现为连接超时)
root@prod-deploy-7559496b85-8frb9:/# curl 10.244.169.162:8080
curl: (28) Failed to connect to 10.244.169.162 port 8080: Connection timed out