Network policy testing under Calico
Environment
[root@liran-test-1.novalocal 19:06 ~]
# calicoctl get node -o wide
NAME ASN IPV4 IPV6
liran-test-1.novalocal (63400) 10.0.7.68/24
liran-test-2.novalocal (63400) 10.0.7.73/24
liran-test-3.novalocal (63400) 10.0.7.78/24
Network policies
Configuration
Example:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 6379
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978
Explanation
- apiVersion: API version
- kind: API object type
- metadata: metadata
- spec: the policy definition
- spec.podSelector: pod selector; defines which pods this policy applies to
- spec.policyTypes: policy types. ingress is the inbound policy, egress the outbound policy
- spec.ingress: defines the inbound rules. Under from, ipBlock is an IP blacklist, namespaceSelector defines which namespaces, and podSelector defines which pods may access the pods this policy applies to. ports defines the ports
- spec.egress: to defines the outbound rules. ipBlock is a blacklist. ports defines the ports
The rules defined by the example above:
Ingress rules:
- pods with role=frontend in the default namespace can access port 6379 of the role=db pods in default
- all pods in the myproject namespace can access port 6379 of the role=db pods in default
- IP addresses in 172.17.0.0/16, except for the 172.17.1.0/24 subnet, can all access port 6379 of the role=db pods in default
Egress rules:
- role=db pods in default cannot access port 5978 of the 10.0.0.0/24 subnet
Experiment
Generate the nginx pod configuration
[root@liran-test-1.novalocal 19:02 ~/calico-policy-test]
# cat net-policy.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: nginx
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: centos
      ports:
        - port: 80
#kubectl apply -f nginx-deploymetn.yml
[root@liran-test-1.novalocal 19:02 ~/calico-policy-test]
# cat nginx-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: ca1-nginx-svc
  labels:
    name: nginx
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx
#kubectl apply -f nginx-svc.yml
Create the test pods
[root@liran-test-1.novalocal 19:03 ~]
# cat test-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: centos
  template:
    metadata:
      labels:
        app: centos
    spec:
      containers:
        - name: centos
          image: centos:test-1
          command: ["bash", "-c", "sleep 6000"]
Check network connectivity
[root@liran-test-1.novalocal 18:42 ~/calico-policy-test]
# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ca1-nginx-65d7b99f6b-qgfm6 1/1 Running 0 48m 172.200.188.140 liran-test-3.novalocal <none> <none>
ca1-nginx-65d7b99f6b-tv69c 1/1 Running 0 48m 172.200.174.135 liran-test-2.novalocal <none> <none>
test-deployment-9c498b79c-99r7h 1/1 Running 1 3h6m 172.200.188.139 liran-test-3.novalocal <none> <none>
test-deployment-9c498b79c-smf9b 1/1 Running 1 3h6m 172.200.174.134 liran-test-2.novalocal <none> <none>
[root@liran-test-1.novalocal 18:42 ~/calico-policy-test]
# kubectl exec -it test-deployment-9c498b79c-smf9b /bin/bash
[root@test-deployment-9c498b79c-smf9b /]# ping 172.200.188.140
PING 172.200.188.140 (172.200.188.140) 56(84) bytes of data.
64 bytes from 172.200.188.140: icmp_seq=1 ttl=62 time=0.926 ms
^C
--- 172.200.188.140 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.926/0.926/0.926/0.000 ms
[root@test-deployment-9c498b79c-smf9b /]# ping 172.200.174.135
PING 172.200.174.135 (172.200.174.135) 56(84) bytes of data.
64 bytes from 172.200.174.135: icmp_seq=1 ttl=63 time=0.295 ms
^C
--- 172.200.174.135 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.295/0.295/0.295/0.000 ms
[root@test-deployment-9c498b79c-smf9b /]# ping 172.200.174.134
PING 172.200.174.134 (172.200.174.134) 56(84) bytes of data.
64 bytes from 172.200.174.134: icmp_seq=1 ttl=64 time=0.188 ms
64 bytes from 172.200.174.134: icmp_seq=2 ttl=64 time=0.063 ms
^X64 bytes from 172.200.174.134: icmp_seq=3 ttl=64 time=0.115 ms
Create the network policy: disallow access to nginx's port 80
[root@liran-test-1.novalocal 18:44 ~/calico-policy-test]
# cat net-policy.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: nginx
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: centos
      ports:
        - port: 80
[root@liran-test-1.novalocal 18:44 ~/calico-policy-test]
# kubectl apply -f net-policy.yaml
networkpolicy.networking.k8s.io/allow-same-namespace created
Test connectivity
[root@liran-test-1.novalocal 18:45 ~/calico-policy-test]
# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ca1-nginx-65d7b99f6b-qgfm6 1/1 Running 0 51m 172.200.188.140 liran-test-3.novalocal <none> <none>
ca1-nginx-65d7b99f6b-tv69c 1/1 Running 0 51m 172.200.174.135 liran-test-2.novalocal <none> <none>
test-deployment-9c498b79c-99r7h 1/1 Running 1 3h9m 172.200.188.139 liran-test-3.novalocal <none> <none>
test-deployment-9c498b79c-smf9b 1/1 Running 1 3h9m 172.200.174.134 liran-test-2.novalocal <none> <none>
[root@liran-test-1.novalocal 18:45 ~/calico-policy-test]
# kubectl exec -it test-deployment-9c498b79c-smf9b /bin/bash
[root@test-deployment-9c498b79c-smf9b /]# ping 172.200.188.140
PING 172.200.188.140 (172.200.188.140) 56(84) bytes of data.
^C
--- 172.200.188.140 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
[root@test-deployment-9c498b79c-smf9b /]# ping 172.200.174.135
PING 172.200.174.135 (172.200.174.135) 56(84) bytes of data.
^C
--- 172.200.174.135 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1003ms
[root@test-deployment-9c498b79c-smf9b /]# ping 172.200.188.139
PING 172.200.188.139 (172.200.188.139) 56(84) bytes of data.
64 bytes from 172.200.188.139: icmp_seq=1 ttl=62 time=1.01 ms
^C
--- 172.200.188.139 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.017/1.017/1.017/0.000 ms
As you can see, the centos pod we tested can no longer reach nginx's port 80.
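To check how the two policies on this page actually decide traffic (the test-network-policy from the configuration explanation and the allow-same-namespace policy from the experiment), here is a small evaluator of NetworkPolicy semantics; it is an added example, not code from the page, from Calico or from Kubernetes. The endpoint dict format and the db/frontend pods are constructed; the nginx and centos pod IPs are the ones from the kubectl output above.

```python
import ipaddress
def _sel(selector, labels):  # matchLabels only; the page's policies use no matchExpressions
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer(peer, ep, pol_ns):
    """Does one from/to entry match endpoint ep (a pod dict, or {"ip": ...} for a non-pod host)?"""
    if "ipBlock" in peer:  # cidr is the ALLOWED range; except only carves holes out of it
        ip, blk = ipaddress.ip_address(ep["ip"]), peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(x) for x in blk.get("except", []))
    if "ns" not in ep:  # pod/namespace selectors never match IPs outside the cluster
        return False
    # a bare podSelector is scoped to the policy's own namespace; both selectors AND together
    ns_ok = (_sel(peer["namespaceSelector"], ep.get("ns_labels", {}))
             if "namespaceSelector" in peer else ep["ns"] == pol_ns)
    return ns_ok and _sel(peer.get("podSelector", {}), ep["labels"])

def _port(ports, proto, port):  # no ports list means every protocol and port
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)

def allowed(policy, pol_ns, src, dst, proto="TCP", port=None):
    """True if a NEW connection src->dst survives this one policy (with no policy at all: allow)."""
    for kind, me, other, key in (("Ingress", dst, src, "from"), ("Egress", src, dst, "to")):
        if kind not in policy["policyTypes"] or me.get("ns") != pol_ns \
                or not _sel(policy["podSelector"], me["labels"]):
            continue  # this side is not selected for this direction: the policy is silent
        # selected + direction listed in policyTypes => default deny; a matching rule opens it
        if not any((key not in r or any(_peer(p, other, pol_ns) for p in r[key]))
                   and _port(r.get("ports"), proto, port) for r in policy.get(kind.lower(), [])):
            return False
    return True

# The page's two policies, transcribed from YAML into dicts.
EXAMPLE = {"podSelector": {"matchLabels": {"role": "db"}}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
                          {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                          {"podSelector": {"matchLabels": {"role": "frontend"}}}],
                 "ports": [{"protocol": "TCP", "port": 6379}]}],
    "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}], "ports": [{"protocol": "TCP", "port": 5978}]}]}
EXPERIMENT = {"podSelector": {"matchLabels": {"name": "nginx"}}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "centos"}}}], "ports": [{"port": 80}]}]}
# Constructed endpoints: keys ip, ns, labels and (for namespaceSelector) ns_labels, the namespace's labels.
DB = {"ip": "172.200.1.10", "ns": "default", "labels": {"role": "db"}}       # made up
FRONT = {"ip": "172.200.1.11", "ns": "default", "labels": {"role": "frontend"}}  # made up
NGINX = {"ip": "172.200.188.140", "ns": "default", "labels": {"name": "nginx"}}  # from kubectl output
CENTOS = {"ip": "172.200.174.134", "ns": "default", "labels": {"app": "centos"}}  # from kubectl output
if __name__ == "__main__":
    print("centos -> nginx TCP/80:", allowed(EXPERIMENT, "default", CENTOS, NGINX, "TCP", 80))  # True
    print("centos -> nginx ICMP  :", allowed(EXPERIMENT, "default", CENTOS, NGINX, "ICMP"))     # False
```

Run against the experiment, this reproduces the ping results for the right reason: app=centos pods still reach nginx on TCP/80, only ICMP is refused (the rule lists port 80 and nothing else), and nginx pods can no longer open any outbound connection, DNS included, because Egress is listed in policyTypes with no egress rule. Against the first policy it shows ipBlock as an allow range with the except subnet carved out, and db pods able to reach only 10.0.0.0/24 on 5978 and nothing else outbound.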