1. Pod-to-pod communication

2. Network solutions

CNI (Container Network Interface): a CNCF project, originally proposed by CoreOS
Network configuration is done uniformly through plugins
flannel: overlay-based, does NOT support network policy
calico: BGP-based, supports network policy
canal: flannel networking plus calico policy enforcement, supports network policy

3. Comparison of the solutions

Whichever solution is used, every pod gets its own IP and pods can talk to each other directly. The differences are performance, how hard the plugin is to configure, and whether it enforces network policy. That last point matters for security: the API server accepts a NetworkPolicy object on any cluster, but if the CNI does not enforce it (flannel alone), the policy does nothing.

4. Network policy

Allow only specific clients to access a workload; every other client is blocked. Writing a policy means answering three questions:
1. Whom does this policy protect (spec.podSelector)
2. Ingress traffic, egress traffic, or both (spec.policyTypes)
3. The concrete rules (ingress/egress entries with from/to and ports)

4.1 Check whether the cluster has any network policies

kubectl get networkpolicies

This lists only the current namespace; add -A to see every namespace.

4.2 Create a policy

Allow access only from a specified network. The commented-out entries show the other two kinds of peer (namespaceSelector, podSelector); each `-` item under from: is a separate peer and the items are ORed. ipBlock is meant for cluster-external addresses: pod IPs are ephemeral and may be SNATed, so matching pods by CIDR is unreliable.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy1
  namespace: chap10-net
spec:
  podSelector:
    matchLabels:
      run: pod1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.10.0/24
        # except:                 # excluded ranges must lie inside cidr
        # - 192.168.10.128/25     # illustrative sub-range
    #- namespaceSelector:
    #    matchLabels:
    #      project: myproject
    #- podSelector:
    #    matchLabels:
    #      role: frontend
    ports:
    - protocol: TCP
      port: 80

4.3 Allow specific labels

Only pods carrying the given label, and only in the same namespace as the policy (a bare podSelector never matches pods in other namespaces). `xx: xx` is a placeholder label.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy1
  namespace: chap10-net
spec:
  podSelector:
    matchLabels:
      run: pod1
  policyTypes:
  - Ingress
  ingress:
  - from:
    #- ipBlock:
    #    cidr: 192.168.10.0/24
    #    except:
    #    - 172.17.1.0/24
    #- namespaceSelector:
    #    matchLabels:
    #      project: myproject
    - podSelector:
        matchLabels:
          xx: xx
    ports:
    - protocol: TCP
      port: 80

4.4 Allow a specified namespace

Any pod in the selected namespace may access. The label kubernetes.io/metadata.name is set automatically on every namespace (Kubernetes 1.21+), so it can be used to select a namespace by name.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy1
  namespace: chap10-net
spec:
  podSelector:
    matchLabels:
      run: pod1
  policyTypes:
  - Ingress
  ingress:
  - from:
    #- ipBlock:
    #    cidr: 192.168.10.0/24
    #    except:
    #    - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: default
    #- podSelector:
    #    matchLabels:
    #      xx: xx
    ports:
    - protocol: TCP
      port: 80

4.5 Specific labels in a specified namespace

Only pods with the given label in the given namespace. Note the indentation: namespaceSelector and podSelector are fields of ONE from entry, so both must match (AND). Writing podSelector as its own `-` item would make it a second peer, ORed with the first, and would also open access to every pod in the default namespace. This example lists only the protocol under ports, which means every TCP port.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy1
  namespace: chap10-net
spec:
  podSelector:
    matchLabels:
      run: pod1
  policyTypes:
  - Ingress
  ingress:
  - from:
    #- ipBlock:
    #    cidr: 192.168.10.0/24
    #    except:
    #    - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: default
      podSelector:
        matchLabels:
          xx: xx
    #- podSelector:
    #    matchLabels:
    #      xx: xx
    ports:
    - protocol: TCP    # no port given: all TCP ports

5. Egress rules

5.1 Allow traffic only to pod2

Once a pod is selected by an Egress policy, everything not explicitly listed is blocked, including DNS. The second rule therefore allows UDP 53 to kube-dns in kube-system; without it the pod can no longer resolve names, which is the most common breakage after adding an egress policy. Add TCP 53 as well if the resolver falls back to TCP for large answers.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: epolicy1
  namespace: chap10-net
spec:
  podSelector:
    matchLabels:
      run: pod1
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: pod2
    ports:
    - protocol: TCP
      port: 80
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53

6. Deny all ingress

An empty podSelector selects every pod in the namespace; with Ingress in policyTypes and no ingress rules, no inbound traffic is allowed. No namespace is given here, so it applies to the namespace kubectl is currently using. Egress is untouched; add `- Egress` to policyTypes to deny both directions.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress

7. Allow all ingress

The single empty ingress rule `- {}` matches every source and every port. The name differs from the deny policy above on purpose: a policy with the same name in the same namespace would replace it on apply instead of coexisting with it.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress   # the notes reused "default-deny" here; renamed so both policies can exist
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress

If no policy selects a pod, all packets to and from it are allowed.
If a policy selects a pod but contains no rules for a direction listed in policyTypes, everything in that direction is denied:
every protocol (ICMP, TCP, UDP) and every client.
Policies are additive: when several policies select the same pod, a connection is allowed if any one of them allows it, so a default-deny plus targeted allow policies is the usual pattern. None of this takes effect unless the CNI enforces NetworkPolicy (calico, canal; not flannel alone).
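To make the rules of sections 4.2 to 7 concrete without a cluster, here is an added example (not part of the original notes and not Kubernetes code) that models how ingress/egress policies are evaluated: no selecting policy means allow, a selecting policy with no rules means deny, separate from/to entries are ORed while fields inside one entry are ANDed, and multiple policies are unioned. The pods, IPs and labels are constructed; the policies are the page's own, written as Python dicts. Named ports, endPort and matchExpressions are not modelled.

```python
# Added example (not from the original notes): a small offline model of how the
# CNI evaluates NetworkPolicy, so the rules in sections 4-7 can be checked
# without a cluster. Pods, IPs and labels below are constructed.
import ipaddress

# Constructed sample pods: namespace, labels, pod IP.
PODS = {
    "pod1":     {"ns": "chap10-net",  "labels": {"run": "pod1"}, "ip": "10.244.1.10"},
    "pod2":     {"ns": "chap10-net",  "labels": {"run": "pod2"}, "ip": "10.244.1.11"},
    "frontend": {"ns": "chap10-net",  "labels": {"xx": "xx"},   "ip": "10.244.1.12"},
    "client":   {"ns": "default",     "labels": {"xx": "xx"},   "ip": "10.244.2.5"},
    "coredns":  {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}, "ip": "10.244.0.3"},
}
# Namespace labels; kubernetes.io/metadata.name is set automatically since v1.21.
NS_LABELS = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("chap10-net", "default", "kube-system")}

def selects(selector, labels):
    """matchLabels semantics: {} matches everything; every listed key must be equal."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, pod, policy_ns):
    """One entry of a from:/to: list. Fields inside ONE entry are ANDed;
    separate entries are ORed by the caller."""
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(pod["ip"]), peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(x) for x in blk.get("except", []))
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], NS_LABELS[pod["ns"]]):
            return False
    elif pod["ns"] != policy_ns:
        return False  # a bare podSelector only matches pods in the policy's own namespace
    return "podSelector" not in peer or selects(peer["podSelector"], pod["labels"])

def port_matches(ports, proto, port):
    """No ports list = every port and protocol. A protocol without a port = all its ports."""
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port", port) == port for p in ports)

def policy_types(spec):
    # Default: Ingress always, Egress only when an egress section is present.
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])

def allowed(policies, src, dst, proto="TCP", port=80):
    """src -> dst passes iff egress at src and ingress at dst both allow it.
    Per direction: no policy selecting the pod -> allow everything; otherwise the
    union of all selecting policies' rules must match (additive, never subtractive).
    A selecting policy with no rules for that direction therefore denies everything."""
    for direction, pod, other, key in (("Egress", src, dst, "to"), ("Ingress", dst, src, "from")):
        applicable = [p["spec"] for p in policies
                      if p["metadata"].get("namespace", "default") == pod["ns"]
                      and selects(p["spec"]["podSelector"], pod["labels"])
                      and direction in policy_types(p["spec"])]
        if not applicable:
            continue
        rules = [r for s in applicable for r in s.get(direction.lower(), [])]
        if not any((not r.get(key) or any(peer_matches(x, other, pod["ns"]) for x in r[key]))
                   and port_matches(r.get("ports"), proto, port) for r in rules):
            return False
    return True

# The page's policies as dicts (apiVersion/kind omitted; same field layout as the YAML).
def _pol(name, ns, pod_sel, **spec):
    return {"metadata": {"name": name, "namespace": ns}, "spec": {"podSelector": pod_sel, **spec}}

HTTP = [{"protocol": "TCP", "port": 80}]
POD1 = {"matchLabels": {"run": "pod1"}}
# 4.3: same-namespace pods labelled xx=xx
label_only = _pol("mypolicy1", "chap10-net", POD1, policyTypes=["Ingress"],
                  ingress=[{"from": [{"podSelector": {"matchLabels": {"xx": "xx"}}}], "ports": HTTP}])
# 4.5: namespaceSelector AND podSelector in a single from entry
ns_and_label = _pol("mypolicy1", "chap10-net", POD1, policyTypes=["Ingress"],
                    ingress=[{"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "default"}},
                                        "podSelector": {"matchLabels": {"xx": "xx"}}}], "ports": HTTP}])
# 5.1: egress only to pod2:80 plus DNS to kube-dns
egress_pod2 = _pol("epolicy1", "chap10-net", POD1, policyTypes=["Egress"],
                   egress=[{"to": [{"podSelector": {"matchLabels": {"run": "pod2"}}}], "ports": HTTP},
                           {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                            "ports": [{"protocol": "UDP", "port": 53}]}])
# 6 / 7: default deny and allow-all ingress for the whole namespace
default_deny = _pol("default-deny", "chap10-net", {}, policyTypes=["Ingress"])
allow_all = _pol("allow-all-ingress", "chap10-net", {}, policyTypes=["Ingress"], ingress=[{}])

if __name__ == "__main__":
    p1, fe, cl = PODS["pod1"], PODS["frontend"], PODS["client"]
    print("no policy           :", allowed([], cl, p1))                          # True
    print("default-deny only   :", allowed([default_deny], fe, p1))              # False
    print("deny + label policy :", allowed([default_deny, label_only], fe, p1))  # True (additive)
    print("4.5 default ns / own:", allowed([ns_and_label], cl, p1), allowed([ns_and_label], fe, p1))  # True False
    print("egress pod1->coredns:", allowed([egress_pod2], p1, PODS["coredns"], "UDP", 53))  # True
```

The checks worth noting: with `ns_and_label`, `frontend` (same namespace, right label) is refused because the namespaceSelector in the same entry does not match, which is exactly the AND behaviour section 4.5 depends on; and `label_only` refuses `client` even though its label matches, because a bare podSelector never reaches outside the policy's namespace.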