Kubernetes study notes 13: getting started with network policies based on Calico

    I. Installing Calico

    [root@k8s-master01 ~]# kubectl apply -f  https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
    clusterrole.rbac.authorization.k8s.io "calico" created
    clusterrole.rbac.authorization.k8s.io "flannel" configured
    clusterrolebinding.rbac.authorization.k8s.io "canal-flannel" created
    clusterrolebinding.rbac.authorization.k8s.io "canal-calico" created
    [root@k8s-master01 ~]# kubectl apply -f  https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
    configmap "canal-config" created
    daemonset.extensions "canal" created
    serviceaccount "canal" created
    customresourcedefinition.apiextensions.k8s.io "felixconfigurations.crd.projectcalico.org" created
    customresourcedefinition.apiextensions.k8s.io "bgpconfigurations.crd.projectcalico.org" created
    customresourcedefinition.apiextensions.k8s.io "ippools.crd.projectcalico.org" created
    customresourcedefinition.apiextensions.k8s.io "hostendpoints.crd.projectcalico.org" created
    customresourcedefinition.apiextensions.k8s.io "clusterinformations.crd.projectcalico.org" created
    customresourcedefinition.apiextensions.k8s.io "globalnetworkpolicies.crd.projectcalico.org" created
    customresourcedefinition.apiextensions.k8s.io "globalnetworksets.crd.projectcalico.org" created
    customresourcedefinition.apiextensions.k8s.io "networkpolicies.crd.projectcalico.org" created
    [root@k8s-master01 ~]# kubectl get pods -n kube-system
    NAME                                    READY     STATUS              RESTARTS   AGE
    canal-888kk                             0/3       ContainerCreating   0          1m
    canal-9rk4k                             0/3       ContainerCreating   0          1m
    canal-xxvrz                             0/3       ContainerCreating   0          1m

    II. Configuring network policies with Calico

    1. Viewing the configuration help

    [root@k8s-master01 ~]# kubectl explain networkpolicy
    [root@k8s-master01 ~]# kubectl explain networkpolicy.spec
    egress             <[]Object>  # egress rules (outbound traffic from the selected pods)
    ingress            <[]Object>  # ingress rules (inbound traffic to the selected pods)
    podSelector    <Object> -required-   # selects the pods the policy applies to
    policyTypes    <[]string>   # policy types; if not specified, the rule types that are present (ingress and/or egress) take effect
    [root@k8s-master01 ~]# kubectl explain networkpolicy.spec.egress
    ports     <[]Object>  # destination ports (on the remote side); several ports may be listed, and the protocol of each port may be specified
    to        <[]Object>  # destination peers: an IP block, a namespace or a set of pods; several may be combined in one entry, but note that k8s then takes their intersection, so avoid this unless necessary
    [root@k8s-master01 ~]# kubectl explain networkpolicy.spec.ingress
    from     <[]Object>  # source peers, same structure as the egress `to` field
    ports    <[]Object>  # destination ports (local ports on the selected pods); note the difference from egress

    2. Creating a default-deny ingress example

    [root@k8s-master01 networkpolicy]# kubectl create namespace dev
    [root@k8s-master01 networkpolicy]# kubectl create namespace prod
    [root@k8s-master01 networkpolicy]# vim ingress-def.yaml
    apiVersion: networking.k8s.io/v1  # mind the API version: extensions/v1beta1 was deprecated in 1.9
    kind: NetworkPolicy
    metadata:
      name: deng-all-ingress
    spec:
      podSelector: {}  # {} selects every pod, i.e. the whole namespace
      policyTypes:
      - Ingress          # only the ingress type is selected; no concrete ingress rule is defined, so the default applies, and the default for a selected type is deny. Egress is not listed, so egress keeps its default of allow. Note the difference: a selected type defaults to deny, an unselected type defaults to allow
    [root@k8s-master01 networkpolicy]# kubectl apply -f ingress-def.yaml -n dev
    [root@k8s-master01 networkpolicy]# kubectl get networkpolicy -n dev
    NAME               POD-SELECTOR   AGE
    deng-all-ingress   <none>         53s

    Verification

    [root@k8s-master01 networkpolicy]# cat pod_demo.yaml 
    kind: Pod
    apiVersion: v1
    metadata:
      name: task-pv-pod   # no namespace here, so the same manifest can be created in several namespaces
    spec:
      containers:
      - name: nginx
        image: ikubernetes/myapp:v1
        ports:
         - containerPort: 80
           name: www
    [root@k8s-master01 networkpolicy]# kubectl apply -f pod_demo.yaml -n dev  # create a pod in the dev namespace
    pod "task-pv-pod" created
    [root@k8s-master01 networkpolicy]# kubectl get pod -n dev -o wide  # look up the pod's IP address
    NAME          READY     STATUS    RESTARTS   AGE       IP           NODE
    task-pv-pod   1/1       Running   0          20s       10.244.1.2   k8s-node01
    [root@k8s-master01 networkpolicy]# curl 10.244.1.2  # access this address: the connection cannot be established
    ^C
    [root@k8s-master01 networkpolicy]# kubectl apply -f pod_demo.yaml -n prod # create a pod in the prod namespace
    pod "task-pv-pod" created
    [root@k8s-master01 networkpolicy]# kubectl get pod -n prod -o wide # look up the pod's IP address
    NAME          READY     STATUS    RESTARTS   AGE       IP           NODE
    task-pv-pod   1/1       Running   0          7s        10.244.1.3   k8s-node01
    [root@k8s-master01 networkpolicy]# curl 10.244.1.3  # access it: works normally
    Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>

    3. Explicitly defining an ingress rule that allows access to pods in the dev namespace

    [root@k8s-master01 networkpolicy]# cat allow-netpol.yaml 
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: all-myapp-ingress
    spec: 
      podSelector:
        matchLabels:
          app: myapp
      ingress:
      - from:
        - ipBlock:
            cidr: 10.244.0.0/16
            except:
            - 10.244.1.2/32
        ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    [root@k8s-master01 networkpolicy]# kubectl apply -f allow-netpol.yaml -n dev
    networkpolicy.networking.k8s.io "all-myapp-ingress" created
    [root@k8s-master01 networkpolicy]# kubectl get networkpolicy -n dev
    NAME                POD-SELECTOR   AGE
    all-myapp-ingress   app=myapp      54s
    deng-all-ingress    <none>         32m

    Verification:

    [root@k8s-master01 networkpolicy]# curl 10.244.1.2
    Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
    [root@k8s-master01 networkpolicy]# curl 10.244.1.2:443
    curl: (7) Failed connect to 10.244.1.2:443; 拒绝连接 
    [root@k8s-master01 networkpolicy]# curl 10.244.1.2:6443  # note the difference between 6443 and 443: 443 is allowed by the policy but nothing listens there, so the connection is refused; 6443 is not allowed, so the packets are dropped and curl hangs
    ^C
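To make the behaviour seen in sections 2 and 3 reproducible without a cluster, here is an added example (not code from the post) that models how the Kubernetes NetworkPolicy ingress decision is made: a pod that no policy selects stays reachable, a pod selected by a policy with `Ingress` in its `policyTypes` is reachable only through a matching rule, an `ipBlock` honours its `except` list, and within one `from` entry a `namespaceSelector` and a `podSelector` are ANDed (the intersection the `kubectl explain` output warns about), while separate entries are ORed. It models only the policy decision, not what the node's dataplane does with the packet. The two policies and the pod IPs are taken from the post; the `app: myapp` label on the dev pod is an assumption (the post's `pod_demo.yaml` carries no labels), and the client address `10.244.0.1` for the master node is constructed.

```python
"""Minimal model of Kubernetes NetworkPolicy ingress evaluation (constructed example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pod:
    namespace: str            # None for a non-pod source such as a node
    name: str
    ip: str
    labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """matchLabels semantics: a missing or empty selector ({}) selects everything."""
    if not selector:
        return True
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def effective_policy_types(spec):
    """Default policyTypes: Ingress is always included; Egress only if egress rules exist."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def peer_matches(peer, src, policy_ns, namespaces):
    """One entry of a `from` list: an ipBlock, or namespaceSelector AND podSelector."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src.ip)
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    if src.namespace is None:          # a node is not a pod; only an ipBlock can match it
        return False
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], namespaces.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:   # a lone podSelector only covers the policy's own namespace
        return False
    return selector_matches(peer.get("podSelector"), src.labels)


def port_matches(ports, proto, port):
    """No ports list means every port; an entry without `port` means every port of that protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port", port) == port for p in ports)


def ingress_allowed(policies, namespaces, src, dst, proto="TCP", port=80):
    """Return (allowed, reason) for a connection from src to dst on proto/port.

    A pod is isolated for ingress as soon as any policy in its namespace selects it with
    Ingress among its policy types; it is then reachable only through a matching rule.
    A pod no such policy selects keeps the default: everything allowed.
    """
    isolating = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in effective_policy_types(p["spec"])
        and selector_matches(p["spec"].get("podSelector"), dst.labels)
    ]
    if not isolating:
        return True, "no Ingress policy selects the pod: default allow"
    for pol in isolating:
        for rule in pol["spec"].get("ingress", []):
            peers = rule.get("from", [])   # an empty `from` means any source
            if port_matches(rule.get("ports"), proto, port) and (
                not peers or any(peer_matches(q, src, pol["metadata"]["namespace"], namespaces) for q in peers)
            ):
                return True, f"allowed by a rule in {pol['metadata']['name']}"
    return False, "selected by an Ingress policy but no rule matches: dropped"


# The two policies from the post; `kubectl apply -n dev` sets metadata.namespace for them.
DENY_ALL_INGRESS = {"metadata": {"name": "deng-all-ingress", "namespace": "dev"},
                    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_MYAPP_INGRESS = {
    "metadata": {"name": "all-myapp-ingress", "namespace": "dev"},
    "spec": {"podSelector": {"matchLabels": {"app": "myapp"}},
             "ingress": [{"from": [{"ipBlock": {"cidr": "10.244.0.0/16", "except": ["10.244.1.2/32"]}}],
                          "ports": [{"protocol": "TCP", "port": 80}, {"protocol": "TCP", "port": 443}]}]},
}
POLICIES = [DENY_ALL_INGRESS, ALLOW_MYAPP_INGRESS]
NAMESPACES = {"dev": {}, "prod": {}}   # namespace labels (the post defines none)

# Constructed endpoints: pod IPs follow the post, the app=myapp label is assumed, and the
# master node's client address 10.244.0.1 is made up.
DEV_MYAPP = Pod("dev", "task-pv-pod", "10.244.1.2", {"app": "myapp"})
DEV_MYAPP_2 = Pod("dev", "myapp-2", "10.244.1.4", {"app": "myapp"})
DEV_UNLABELED = Pod("dev", "task-pv-pod-nolabel", "10.244.1.7")
PROD_POD = Pod("prod", "task-pv-pod", "10.244.1.3")
CLIENT = Pod(None, "k8s-master01", "10.244.0.1")


def demo():
    """The post's curl checks plus two cases it only hints at, as a name -> allowed map."""
    return {
        "prod:80": ingress_allowed(POLICIES, NAMESPACES, CLIENT, PROD_POD, "TCP", 80)[0],
        "dev:80": ingress_allowed(POLICIES, NAMESPACES, CLIENT, DEV_MYAPP, "TCP", 80)[0],
        "dev:443": ingress_allowed(POLICIES, NAMESPACES, CLIENT, DEV_MYAPP, "TCP", 443)[0],
        "dev:6443": ingress_allowed(POLICIES, NAMESPACES, CLIENT, DEV_MYAPP, "TCP", 6443)[0],
        "dev-nolabel:80": ingress_allowed(POLICIES, NAMESPACES, CLIENT, DEV_UNLABELED, "TCP", 80)[0],
        "from-excepted-ip": ingress_allowed(POLICIES, NAMESPACES, DEV_MYAPP, DEV_MYAPP_2, "TCP", 80)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:18} {'ALLOW' if allowed else 'DROP'}")
```

The `dev:443` case is worth noting: the model says the policy allows it, which matches the post, where curl got "connection refused" from the pod itself rather than a silent drop. The `from-excepted-ip` case shows why the `except` entry matters: a source whose address is excluded from the CIDR is dropped even though it sits in the same namespace and carries the same label.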

    4. Default-deny egress (verification steps omitted)

    [root@k8s-master01 networkpolicy]# cat egress-def.yaml 
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deng-all-egress
    spec: 
      podSelector: {}
      policyTypes:
      - Egress

    Official documentation: https://docs.projectcalico.org/v3.3/introduction/

    Installation documentation for Kubernetes: https://docs.projectcalico.org/v3.3/getting-started/kubernetes/

Original article: https://www.cnblogs.com/panwenbin-logs/p/10085764.html