Pinned note: implementing NetworkPolicy
Preparation: all passwords are set to: appuser2022@devA
1) Create the cluster
2) Create the VPC (virtual private cloud)
3) Create an additional ECS instance to manage the cluster (the security group must allow port 22)
Follow-up work: releasing resources
1) Release the ACK cluster (turn off cluster deletion protection / node pools / nodes)
2) Release the ECS instance (security group)
3) Load balancer
4) NAS file storage
5) NAT gateway (VPC / vSwitch / route table)
Note: delete the vSwitch before deleting the VPC; the associated route table is deleted automatically
Deployment preparation:
1. Open port 22 in the security group, log in to the ECS instance, and install the K8S yum repository
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
setenforce 0
2. Connect to the cluster from the ECS instance using the cluster's configuration (copy the public key shown under "Application Management > Cluster Information > Connection Information" of the cluster instance into the kubeconfig)
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# mkdir .kube
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# vim config
3. Get node and pod information
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl get no
NAME STATUS ROLES AGE VERSION
cn-beijing.192.168.0.252 Ready <none> 55m v1.28.3-aliyun.1
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
arms-prom arms-prometheus-ack-arms-prometheus-78c6c57f55-9hq95 1/1 Running 0 59m
arms-prom kube-state-metrics-bfbd58989-f85gv 1/1 Running 0 59m
arms-prom node-exporter-9mnws 2/2 Running 0 58m
kube-system ack-node-local-dns-admission-controller-6fc7b4f7fd-p6vqw 1/1 Running 0 59m
kube-system ack-node-local-dns-admission-controller-6fc7b4f7fd-qt492 0/1 Pending 0 59m
kube-system ack-node-problem-detector-daemonset-62p2d 1/1 Running 0 58m
kube-system ack-node-problem-detector-eventer-796cdd687d-ncfpr 1/1 Running 0 59m
kube-system alibaba-log-controller-55ccbf49bc-6pm9c 1/1 Running 1 (56m ago) 60m
kube-system alicloud-monitor-controller-69fffd4b95-j6tvl 1/1 Running 0 60m
kube-system coredns-868bc5d7df-42ktc 0/1 Pending 0 60m
kube-system coredns-868bc5d7df-zs5hx 1/1 Running 0 60m
kube-system csi-plugin-vmc6z 4/4 Running 0 58m
kube-system csi-provisioner-698c78f7d5-pnbtz 9/9 Running 0 60m
kube-system csi-provisioner-698c78f7d5-zd4fk 9/9 Running 0 60m
kube-system kube-eventer-init-v1.7-48a2acc-aliyun-1.2.18-ssvpg 0/1 Completed 0 59m
kube-system kube-proxy-worker-ght8q 1/1 Running 0 58m
kube-system logtail-ds-ddrzw 1/1 Running 0 58m
kube-system metrics-server-6f47fb46bd-qdrdd 1/1 Running 0 60m
kube-system nginx-ingress-controller-76f9dcd7-7nj94 0/1 Pending 0 60m
kube-system nginx-ingress-controller-76f9dcd7-kg2t6 1/1 Running 0 60m
kube-system node-local-dns-5fnmc 1/1 Running 0 58m
kube-system security-inspector-7f6f98b55f-t4dv2 1/1 Running 0 59m
kube-system storage-auto-expander-658f5656bc-bmdx8 1/1 Running 0 56m
kube-system storage-cnfs-587b9b6545-284kq 1/1 Running 0 56m
kube-system storage-monitor-84d944bf67-tvmjx 1/1 Running 0 56m
kube-system storage-operator-68cc694c68-hhct2 1/1 Running 0 60m
kube-system terway-eniip-xxnq2 2/2 Running 0 58m
Container network verification: implementing NetworkPolicy (this part only demonstrates exposing container port 80 and accessing it normally)
1. Create an application, using nginx as the example
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl run nginx --image=nginx
pod/nginx created
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl get po
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 37s
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl describe po nginx
Note: this lists the pod's details (if there is only 1 replica, scale out to 3 via "Node Pools")
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl get po
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 6m26s
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl get no
NAME STATUS ROLES AGE VERSION
cn-beijing.192.168.0.19 Ready <none> 3m7s v1.28.3-aliyun.1
cn-beijing.192.168.0.20 Ready <none> 3m8s v1.28.3-aliyun.1
cn-beijing.192.168.0.252 Ready <none> 69m v1.28.3-aliyun.1
2. Expose port 80 of the pod and show the svc
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl expose pod nginx --port=80
service/nginx exposed
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 172.16.0.1 <none> 443/TCP 76m
nginx ClusterIP 172.16.129.23 <none> 80/TCP 37s
3. Verify the network by running a container
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl run busybox --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ #
/ #
/ # wget nginx
Connecting to nginx (172.16.129.23:80)
saving to 'index.html'
index.html 100% |******************************************************************************************************************************************************************************************| 615 0:00:00 ETA
'index.html' saved
/ #
/ # exit
Session ended, resume using 'kubectl attach busybox -c busybox -i -t' command when the pod is running
pod "busybox" deleted
Note: -ti opens a terminal; /bin/sh logs in directly
Container network verification: implementing NetworkPolicy (this part demonstrates deploying a network policy)
I. Add a network policy: only pods carrying a specific label may access the nginx created above
1. View pods
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl get po
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 17m
[root@iZ2ze0kfiafjt0m6py5npqZ .kube]# kubectl get po --show-labels
NAME READY STATUS RESTARTS AGE LABELS
nginx 1/1 Running 0 18m run=nginx
2. Explain the usage of networkpolicy
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl explain networkpolicy
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl explain networkpolicy.spec
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl explain networkpolicy.spec.ingress
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl explain networkpolicy.spec.ingress.from
3. Create the policy YAML file in the home directory
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# vim policy.yaml
The contents are as follows:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
Explanation: pods whose labels match access: "true" may access nginx; entries with a leading "-" are ORed, fields without one (inside the same entry) are ANDed
4. Apply policy.yaml
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl apply -f policy.yaml
networkpolicy.networking.k8s.io/access-nginx created
5. View the created policy
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl get networkpolicy
NAME POD-SELECTOR AGE
access-nginx run=nginx 33s
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl describe networkpolicy access-nginx
6. Access the network from a container
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl run busybox --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ #
/ #
/ # wget nginx
Connecting to nginx (172.16.129.23:80)
Explanation: because the policy requires a matching label, the connection cannot be made
7. Add the matching label (--labels="access=true") to gain network access
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl run busybox --labels="access=true" --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ #
/ #
/ # wget nginx
Connecting to nginx (172.16.129.23:80)
saving to 'index.html'
index.html 100% |******************************************************************************************************************************************************************************************| 615 0:00:00 ETA
'index.html' saved
Summary: access to the pod was controlled by labels
II. Use a network policy to restrict a pod to specific addresses (e.g. create a pod that can only reach a particular website, such as an internal company site)
1. Resolve the domain name (dig is not installed, so install it first)
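As an added illustration (my own Python, not code from this page, Kubernetes or ACK), a small model of how NetworkPolicy ingress rules are evaluated for the access-nginx policy above: a pod selected by no policy is open, separate `from` entries are ORed, fields inside one entry are ANDed, and a podSelector alone only matches pods in the policy's own namespace. It also models the policyTypes default, under which a policy with only egress rules (like busybox-policy later on this page) still isolates its pods for ingress. The namespaces, pods and policies are constructed.

```python
# Added model of NetworkPolicy ingress evaluation, to make "a leading '-' is OR,
# fields inside one entry are AND" concrete. Hypothetical helper, not Kubernetes
# or ACK code; the namespaces, policies and pods below are constructed.

def matches(selector, labels):
    # matchLabels semantics: {} matches everything; None means "selector absent".
    return selector is not None and all(labels.get(k) == v for k, v in selector.items())

def policy_types(pol):
    # Kubernetes default: Ingress is always set; Egress only when egress rules exist.
    if "policyTypes" in pol:
        return pol["policyTypes"]
    return ["Ingress", "Egress"] if "egress" in pol else ["Ingress"]

def peer_matches(peer, policy_ns, src, namespaces):
    # One `from` entry: namespaceSelector AND podSelector must both hold.
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:  # podSelector alone only selects pods in the policy's namespace
        return src["ns"] == policy_ns and matches(pod_sel, src["labels"])
    if not matches(ns_sel, namespaces.get(src["ns"], {})):
        return False
    return pod_sel is None or matches(pod_sel, src["labels"])

def ingress_allowed(policies, namespaces, src, dst):
    # A pod selected by no ingress policy is non-isolated: everything is allowed.
    selecting = [p for p in policies if p["namespace"] == dst["ns"]
                 and "Ingress" in policy_types(p) and matches(p["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol.get("ingress", []):
            peers = rule.get("from")
            if not peers:  # empty/absent `from` allows traffic from anywhere
                return True
            # separate list entries are ORed: one matching entry is enough
            if any(peer_matches(p, pol["namespace"], src, namespaces) for p in peers):
                return True
    return False

# Constructed data mirroring policy.yaml (access-nginx) on this page.
NAMESPACES = {"default": {}, "test-np": {"ns": "test-np"}}
ACCESS_NGINX = {"namespace": "default", "podSelector": {"run": "nginx"},
                "ingress": [{"from": [{"podSelector": {"access": "true"}}]}]}
NGINX = {"ns": "default", "labels": {"run": "nginx"}}

def client_can_reach_nginx(labels, ns="default", policies=(ACCESS_NGINX,)):
    return ingress_allowed(list(policies), NAMESPACES, {"ns": ns, "labels": labels}, NGINX)
```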
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# dig +short www.baidu.com
-bash: dig: command not found
Use the following method to find out which package provides the dig command
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# yum provides dig
Confirm which package provides dig; it turns out to be bind-utils
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# yum install bind-utils -y
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# dig +short www.aliyun.com
www-jp-de-intl-adns.aliyun.com.
www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com.
www.aliyun.com.w.cdngslb.com.
47.118.227.112
47.118.227.116
47.118.227.109
47.118.227.107
47.118.227.115
47.118.227.111
47.118.227.108
47.118.227.113
2. Create the network policy
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# vim policy1.yaml
The contents are as follows:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: busybox-policy
spec:
  podSelector:
    matchLabels:
      run: busybox
  egress:
  - to:
    - ipBlock:
        cidr: 47.118.227.116/32
    - ipBlock:
        cidr: 47.118.227.112/32
    - ipBlock:
        cidr: 47.118.227.107/32
    - ipBlock:
        cidr: 47.118.227.115/32
    - ipBlock:
        cidr: 47.118.227.116/32
    - ipBlock:
        cidr: 47.118.227.111/32
    - ipBlock:
        cidr: 47.118.227.116/32
    - ipBlock:
        cidr: 47.118.227.119/32
    - ipBlock:
        cidr: 47.118.227.113/32
    - ipBlock:
        cidr: 47.118.227.108/32
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
Explanation: egress is allowed only to the listed addresses;
each ipBlock entry (cidr: x.x.x.x/32) makes that single address reachable
3. Apply policy1.yaml
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl apply -f policy1.yaml
networkpolicy.networking.k8s.io/busybox-policy created
4. List the network policies
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl get networkpolicy
NAME POD-SELECTOR AGE
access-nginx run=nginx 53m
busybox-policy run=busybox 79s
5. Verify (only Alibaba Cloud can be reached)
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl run busybox --rm -ti --image=busybox /bin/sh
/ # wget www.baidu.com
Connecting to www.baidu.com (220.181.38.150:80)
^C
/ # wget www.taobao.com
Connecting to www.taobao.com (124.236.60.208:80)
^C
/ # wget www.aliyun.com
Connecting to www.aliyun.com (47.118.227.115:80)
Connecting to www.aliyun.com (47.118.227.107:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html 100% |******************************************************************************************************************************************************************************************| 110k 0:00:00 ETA
'index.html' saved
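As an added example (my own Python, not code from this page, Kubernetes or ACK), a small model of the egress side of busybox-policy: it builds the ipBlock list from constructed `dig +short` output, de-duplicating the addresses, and then checks destinations the way the egress rules would, including the separate UDP/53 rule that keeps DNS working. It models only the ipBlock peers, not the `namespaceSelector: {}` peer.

```python
# Added example for the egress part of busybox-policy: build the /32 ipBlock list
# from resolved addresses and evaluate egress the way the rules would. Hypothetical
# helpers, not Kubernetes or ACK code; the dig output below is constructed.
import ipaddress

def resolved_ipv4(dig_short_output):
    # keep only IPv4 answers from `dig +short` (CNAME lines are skipped), de-duplicated
    seen = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        try:
            ip = ipaddress.IPv4Address(line)
        except ValueError:
            continue
        if ip not in seen:
            seen.append(ip)
    return seen

def egress_rules_for(ips):
    # one ipBlock per /32, plus a separate rule allowing DNS (UDP 53) to any address
    return [
        {"to": [{"ipBlock": {"cidr": f"{ip}/32"}} for ip in ips]},
        {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}], "ports": [{"protocol": "UDP", "port": 53}]},
    ]

def egress_allowed(rules, dst_ip, port, protocol="TCP"):
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        ports = rule.get("ports")
        # a rule without `ports` matches every port; `to` and `ports` in one rule are ANDed
        port_ok = ports is None or any(p["protocol"] == protocol and p["port"] == port for p in ports)
        if not port_ok:
            continue
        for peer in rule.get("to", []):
            block = peer.get("ipBlock")
            if block is None:
                continue
            net = ipaddress.ip_network(block["cidr"])
            if dst in net and not any(dst in ipaddress.ip_network(e) for e in block.get("except", [])):
                return True
    return False

# Constructed: a CNAME line plus IPv4 answers as `dig +short www.aliyun.com` prints them, one repeated
DIG_OUTPUT = "www.aliyun.com.w.cdngslb.com.\n47.118.227.112\n47.118.227.116\n47.118.227.109\n47.118.227.116\n"
RULES = egress_rules_for(resolved_ipv4(DIG_OUTPUT))
```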
III. Control public-network access with a networkpolicy
1. Create a namespace
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl create ns test-np
namespace/test-np created
2. Create the network policy
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# vim policy2.yaml
The contents are as follows:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: test-np
  name: deny-public-net
spec:
  podSelector: {}
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.0.0/16
    - ipBlock:
        cidr: 172.16.0.0/12
    - ipBlock:
        cidr: 10.0.0.0/8
Explanation: both ingress and egress are restricted; egress is allowed only to private networks (the local 192.168.x.x range and the other private ranges)
3. Apply it
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl apply -f policy2.yaml
networkpolicy.networking.k8s.io/deny-public-net created
4. Then create another policy, policy3.yaml, for public-network access
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# vim policy3.yaml
The contents are as follows:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-public-network-for-labels
  namespace: test-np
spec:
  podSelector:
    matchLabels:
      public-network: "true"
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    - namespaceSelector:
        matchLabels:
          ns: kube-system
5. Apply it
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl apply -f policy3.yaml
networkpolicy.networking.k8s.io/allow-public-network-for-labels created
6. Verify the network
1) With the label added:
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl run -it --namespace test-np --labels public-network=true --rm --image busybox busybox-internet
If you don't see a command prompt, try pressing enter.
/ #
/ #
/ # wget www.aliyun.com
Connecting to www.aliyun.com (47.118.227.116:80)
Connecting to www.aliyun.com (47.118.227.113:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html 100% |******************************************************************************************************************************************************************************************| 110k 0:00:00 ETA
'index.html' saved
2) Without the label:
[root@iZ2ze0kfiafjt0m6py5npqZ ~]# kubectl run -it --namespace test-np --rm --image busybox busybox-internet
If you don't see a command prompt, try pressing enter.
/ #
/ #
/ # wget www.aliyun.com
Connecting to www.aliyun.com (47.118.227.116:80)
Difference: with the label the pod has public-network access; without it, only private-network access