k8s-calico network verification

Kubernetes and Calico are tightly integrated and easy to use together. The experiments below follow the official documentation of both projects: Calico enforces the standard Kubernetes NetworkPolicy API, so everything here is plain networking.k8s.io/v1 policy.
1 Pods can reach each other by default
With no NetworkPolicy in place, every pod accepts traffic from every other pod. For example:

kubectl run nginx --image=nginx --replicas=2
kubectl expose deployment nginx --port=80
kubectl run busybox --rm -ti --image=busybox /bin/sh
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.108.104.102:80)

Pods in other namespaces can reach it as well:
kubectl run busybox --rm -ti --image=busybox /bin/sh -n liudz1
/ # wget --spider --timeout=1 nginx.default
Connecting to nginx (10.108.104.102:80)

(Throughout this page a "Connecting to ..." line with no "download timed out" after it means the TCP connection succeeded. The commands date from older kubectl releases, where kubectl run created a Deployment; in current releases kubectl run creates a single Pod and no longer accepts --replicas, so create the server with kubectl create deployment nginx --image=nginx --replicas=2 instead.)

2 Restricting access: only pods with a specific label may connect
The policy below selects the nginx pods (run=nginx is the label kubectl run gives them) and admits ingress only from pods labelled access=true. Since the from entry carries a bare podSelector, only pods in the same namespace as the policy can match it.

cat <<EOF > NetworkPolicy.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
EOF

Create the policy:

kubectl create -f NetworkPolicy.yaml

Test: a busybox pod without the label can no longer connect. The name still resolves, because the DNS query to kube-dns is egress from busybox and is not affected by an ingress policy on nginx; only the connection itself is dropped.

kubectl run busybox --rm -ti --image=busybox /bin/sh
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.108.104.102:80)
wget: download timed out

With the required label the pod can connect:

kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.108.104.102:80)

3 Creating a default deny rule per namespace to isolate the baas network from user networks
3.1 First create an isolation policy for each namespace
An empty podSelector selects every pod in the namespace; with policyTypes set to Ingress and no ingress rules, all inbound traffic to those pods is dropped. The manifest deliberately has no namespace in its metadata, so the target namespace is supplied with -n at creation time.

cat <<EOF > default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF

Create the deny-all policy in the namespace:

kubectl create -f default-deny.yaml -n liudz1

3.2 Every pod created in the baas namespace carries the label run=baas

kubectl run nginx --image=nginx --labels="run=baas" --replicas=1 -n liudz1

3.2.1 Even a busybox started in the same namespace cannot reach nginx

kubectl expose deployment nginx --port=80 -n liudz1
kubectl run busybox --rm -ti --image=busybox /bin/sh -n liudz1
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.99.110.2:80)
wget: download timed out

3.3 Allow pods inside the namespace to reach pods with a given label; other namespaces still cannot
A podSelector under from, with no namespaceSelector beside it, only ever matches pods in the policy's own namespace, so the empty matchLabels below means "any pod in liudz1". Policies are additive: this policy does not replace default-deny, it adds an allowed source on top of it.

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx2
  namespace: liudz1
spec:
  podSelector:
    matchLabels:
      run: baas
  ingress:
    - from:
      - podSelector:
          matchLabels: {}
EOF

A pod in the same namespace can connect:

kubectl run busybox --rm -ti --image=busybox /bin/sh -n liudz1
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.99.110.2:80)

A pod in a different namespace cannot:

kubectl run busybox --rm -ti --image=busybox /bin/sh
/ # wget --spider --timeout=1 nginx.liudz1
Connecting to nginx.liudz1 (10.99.110.2:80)
wget: download timed out

3.4 Create a rule allowing all access; this makes the earlier isolation ineffective, and other namespaces can reach liudz1 again
NetworkPolicies never override one another: a pod selected by several policies accepts the union of whatever any of them allows. An ingress rule written as a bare - {} has no from restriction and therefore admits every source, so once it exists default-deny still "isolates" the pods but no longer blocks anything.

kubectl create -f - << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: liudz1
spec:
  podSelector: {}
  ingress:
  - {} 
EOF
networkpolicy "allow-all" created

3.5 Further experiments
Only default-deny is in effect at this point (the allow-all policy from 3.4 must be deleted first, or it would keep admitting every source). The following steps all reuse the name access-nginx; kubectl create refuses to overwrite an existing object, so delete the previous one (kubectl delete netpol access-nginx -n liudz1) before creating the next.
3.5.1 Allow pods within the namespace to reach each other, while pods from other namespaces cannot

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: liudz1
spec:
  podSelector:
    matchLabels: {}
  ingress:
    - from:
      - podSelector:
          matchLabels: {}
EOF
A pod in the same namespace can connect:

root@ubuntubase:~# kubectl run busybox2 --rm -ti --image=busybox /bin/sh -n liudz1
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx.liudz1
Connecting to nginx.liudz1 (10.99.110.2:80)

A pod in another namespace cannot:

root@ubuntubase:~# kubectl run busybox2 --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx.liudz1
wget: download timed out

3.5.2 Access requires both the specified label and being in the same namespace
Because a bare podSelector is scoped to the policy's namespace, a pod labelled access=ceshi1 in any other namespace does not match; the label only helps inside liudz1.

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: liudz1
spec:
  podSelector:
    matchLabels: {}
  ingress:
    - from:
      - podSelector:
          matchLabels:
            access: ceshi1
EOF

Not in the same namespace: no access, even with the label

kubectl run busybox2 --rm -ti --labels="access=ceshi1" --image=busybox /bin/sh
/ # wget --spider --timeout=1 nginx.liudz1
Connecting to nginx.liudz1 (10.99.110.2:80)
wget: download timed out

Same namespace but without the label: no access

root@ubuntubase:~# kubectl run busybox2 --rm -ti --image=busybox /bin/sh -n liudz1
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx.liudz1
Connecting to nginx.liudz1 (10.99.110.2:80)
wget: download timed out

Same namespace and the matching label: access allowed

kubectl run busybox2 --rm -ti --labels="access=ceshi1" --image=busybox /bin/sh -n liudz1
/ # wget --spider --timeout=1 nginx.liudz1
Connecting to nginx.liudz1 (10.99.110.2:80)

3.6 Experiment: allow namespace liudz2 to reach another namespace (here liudz1)
The network policies of the two namespaces at this point:

root@ubuntubase:~# kubectl get netpol -n liudz1
NAME           POD-SELECTOR   AGE
default-deny   <none>         6h

root@ubuntubase:~# kubectl get netpol -n liudz2
No resources found.

Label namespace liudz2, then allow ingress from any pod in a namespace carrying that label. A namespaceSelector matches labels on the Namespace object itself, not on pods, which is why the label has to be applied first:

kubectl label namespace liudz2 name=liudz2
 
 
kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: liudz1
spec:
  podSelector: {}
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: liudz2
EOF

Other namespaces cannot connect:

root@ubuntubase:~# kubectl run busybox2 --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx.liudz1
Connecting to nginx.liudz1 (10.99.110.2:80)
wget: download timed out

The labelled namespace liudz2 can connect:

root@ubuntubase:~# kubectl run busybox2 --rm -ti --image=busybox /bin/sh -n liudz2
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx.liudz1
Connecting to nginx.liudz1 (10.99.110.2:80)

The namespace's own pods cannot connect either, because liudz1 carries no name=liudz2 label and the policy has no podSelector entry for local pods:

root@ubuntubase:~# kubectl run busybox2 --rm -ti --image=busybox /bin/sh -n liudz1
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx.liudz1
Connecting to nginx.liudz1 (10.99.110.2:80)
wget: download timed out

Allow access only from namespaces labelled name=liudz2 and name=liudz1. Two separate entries under from are ORed; note that liudz1's own pods are only admitted if the namespace actually carries the label (kubectl label namespace liudz1 name=liudz1), otherwise they stay denied as in the previous step:

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: liudz1
spec:
  podSelector: {}
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: liudz2
      - namespaceSelector:
          matchLabels:
            name: liudz1
EOF

Other namespaces cannot connect:

root@ubuntubase:~# kubectl run busybox2 --rm -ti --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget --spider --timeout=1 nginx.liudz1
Connecting to nginx.liudz1 (10.99.110.2:80)
wget: download timed out
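The experiments above probe NetworkPolicy semantics one kubectl run at a time. The script below is an added example, not part of the original post and not code from Kubernetes or Calico: it models the evaluation rules those experiments depend on (a policy selects pods only in its own namespace, policies are unioned, a bare podSelector peer is scoped to the policy's namespace, a namespaceSelector peer matches Namespace labels, and an empty - {} rule admits everything) and replays sections 3.3 through 3.6 against constructed pods and namespaces. It also goes beyond the page by contrasting a namespaceSelector and podSelector written in one from entry (AND) with the same two written as separate entries (OR), a distinction that is easy to get wrong in a real manifest. The fixtures (NGINX, CLIENTS, the ceshi1 label on clients in every namespace) and helper names such as reachability are assumptions for the demonstration; ports, ipBlock, matchExpressions, egress and Calico's own policy API are intentionally left out.

```python
"""Minimal evaluator for Kubernetes NetworkPolicy ingress semantics.
Added example, not code from the original post, Kubernetes or Calico. It
models only matchLabels selectors, the union of policies, policyTypes and the
empty `- {}` rule; ports, ipBlock, matchExpressions, egress and Calico's own
policy API are left out."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


def labels_match(match_labels: dict, labels: dict) -> bool:
    """matchLabels: every key must be present with the same value; {} matches all."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def netpol(name, namespace, pod_selector=None, ingress=None, policy_types=None):
    """Build a NetworkPolicy dict shaped like the YAML on this page."""
    spec = {"podSelector": {"matchLabels": pod_selector or {}}}
    if ingress is not None:
        spec["ingress"] = ingress
    if policy_types is not None:
        spec["policyTypes"] = policy_types
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}


def ns_peer(name):
    return {"namespaceSelector": {"matchLabels": {"name": name}}}


def pod_peer(**labels):
    return {"podSelector": {"matchLabels": labels}}


def peer_allows(peer: dict, src: Pod, policy_ns: str, namespaces: dict) -> bool:
    """One entry under `from`: a bare podSelector matches only pods in the policy's
    own namespace, a bare namespaceSelector any pod of a matching namespace, and
    both keys in the SAME entry are ANDed."""
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        raise ValueError("a from entry needs podSelector and/or namespaceSelector")
    if ns_sel is not None:
        if not labels_match(ns_sel.get("matchLabels", {}), namespaces.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    return pod_sel is None or labels_match(pod_sel.get("matchLabels", {}), src.labels)


def ingress_allowed(src: Pod, dst: Pod, policies: list, namespaces: dict) -> bool:
    """No policy selecting dst for Ingress => allowed (the default). Otherwise
    allowed iff some selecting policy has a rule admitting src: policies are
    unioned and never override one another."""
    isolating = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and labels_match(p["spec"]["podSelector"].get("matchLabels", {}), dst.labels)
        and "Ingress" in (p["spec"].get("policyTypes") or ["Ingress"])
    ]
    if not isolating:
        return True
    for pol in isolating:
        for rule in pol["spec"].get("ingress", []):
            peers = rule.get("from")  # `- {}` has no from: every source matches
            if not peers or any(peer_allows(pe, src, dst.namespace, namespaces) for pe in peers):
                return True
    return False


# Constructed fixtures mirroring the page: nginx (run=baas) in liudz1, busybox
# clients in default/liudz1/liudz2; only liudz2 carries a namespace label.
NAMESPACES = {"default": {}, "liudz1": {}, "liudz2": {"name": "liudz2"}}
NGINX = Pod("nginx", "liudz1", {"run": "baas"})
CLIENTS = {ns: Pod("busybox", ns) for ns in NAMESPACES}
CLIENTS.update({ns + "+label": Pod("busybox2", ns, {"access": "ceshi1"}) for ns in NAMESPACES})
DEFAULT_DENY = netpol("default-deny", "liudz1", policy_types=["Ingress"])


def reachability(extra, namespaces=NAMESPACES):
    """Which clients can reach NGINX under default-deny plus the `extra` policies."""
    pols = [DEFAULT_DENY] + list(extra)
    return {k: ingress_allowed(c, NGINX, pols, namespaces) for k, c in CLIENTS.items()}


# 3.3: podSelector {} under from = any pod, but only within liudz1
SAME_NS = netpol("access-nginx2", "liudz1", {"run": "baas"}, [{"from": [pod_peer()]}])
# 3.4: `- {}` admits every source; unioned with default-deny, everything is allowed
ALLOW_ALL = netpol("allow-all", "liudz1", ingress=[{}])
# 3.5.2: label AND same namespace
LABELED = netpol("access-nginx", "liudz1", ingress=[{"from": [pod_peer(access="ceshi1")]}])
# 3.6: two namespaceSelectors as separate entries are ORed
FROM_NS = netpol("access-nginx", "liudz1", ingress=[{"from": [ns_peer("liudz2"), ns_peer("liudz1")]}])
# Beyond the page: both selectors in ONE entry (AND) versus separate entries (OR)
NS_AND_LABEL = netpol("access-nginx", "liudz1",
                      ingress=[{"from": [{**ns_peer("liudz2"), **pod_peer(access="ceshi1")}]}])
NS_OR_LABEL = netpol("access-nginx", "liudz1",
                     ingress=[{"from": [ns_peer("liudz2"), pod_peer(access="ceshi1")]}])

if __name__ == "__main__":
    for tag, pol in [("3.3", SAME_NS), ("3.4", ALLOW_ALL), ("3.5.2", LABELED),
                     ("3.6", FROM_NS), ("AND", NS_AND_LABEL), ("OR", NS_OR_LABEL)]:
        print(tag, reachability([pol]))
```

Running the script prints one reachability table per scenario. The 3.6 row reproduces the page's result only because liudz1 carries no name label in NAMESPACES; passing a namespaces dict with liudz1 labelled name=liudz1 flips its own pods to allowed, which is the fix the last experiment needs. The AND row shows that putting namespaceSelector and podSelector in one entry admits only labelled pods from liudz2, while the OR row admits every pod from liudz2 plus labelled pods from liudz1 (never labelled pods from default, since the bare podSelector is still namespace-scoped).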