Before attempting this for a production requirement, I first tested Kubernetes network policies, but unfortunately I have not been able to get them to work yet and am looking for a solution.
My test environment is a Kind k8s cluster on WSL.
Trying everything in the namespace "networkpolicy":
→ kubectl -n networkpolicy get ns networkpolicy
NAME STATUS AGE
networkpolicy Active 174m
Two pods running in that namespace:
→ kubectl -n networkpolicy get pods --show-labels -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
np-busybox 1/1 Running 0 151m 10.244.0.11 selfie-control-plane <none> <none> app=client
np-nginx 1/1 Running 0 9m52s 10.244.0.12 selfie-control-plane <none> <none> app=nginx
You can see that the pod "np-nginx" has the label "app=nginx".
A network policy created with the podSelector "app: nginx":
→ kubectl -n networkpolicy describe networkpolicy
Name: my-networkpolicy
Namespace: networkpolicy
Created on: 2022-10-08 21:49:16 +0530 IST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=nginx
Allowing ingress traffic:
<none> (Selected pods are isolated for ingress connectivity)
Allowing egress traffic:
<none> (Selected pods are isolated for egress connectivity)
Policy Types: Ingress, Egress
So I assume that specifying the policy types Ingress and Egress without explicitly specifying any rules means it denies any connection by default. Is this correct?
I tried to curl the nginx pod IP from the busybox client pod, and it connects fine even with the network policy in place.
→ kubectl -n networkpolicy exec np-busybox -- curl -s 10.244.0.12 | html2text
****** Welcome to nginx! ******
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.
Thank you for using nginx.
Is there anything wrong with what I tried?
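The question asks whether a policy that lists Ingress and Egress under policyTypes but carries no rules is a default deny. The following added example (not code from the original post) models the Kubernetes NetworkPolicy evaluation rule: a pod becomes isolated in a direction as soon as any policy in its namespace selects it and names that direction in policyTypes, and traffic then passes only if some rule of some selecting policy admits the peer. The Pod and Policy classes, the sample pods and the policy below are simplified stand-ins constructed from the listing above (matchLabels only, same-namespace podSelector peers, no namespaceSelector or ipBlock), so the result is what the API semantics promise, independent of whether the cluster's CNI actually enforces them.

```python
"""Model of NetworkPolicy isolation semantics (added example, not from the post).

Assumptions (simplifications of the real API objects):
  - selectors are matchLabels dicts only;
  - peer entries in a rule are {"podSelector": {...}} and refer to pods in
    the same namespace as the policy;
  - namespaceSelector, ipBlock and ports are not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict
    ip: str


@dataclass
class Policy:
    namespace: str
    pod_selector: dict            # spec.podSelector.matchLabels
    policy_types: list            # spec.policyTypes, e.g. ["Ingress", "Egress"]
    ingress: list = field(default_factory=list)   # spec.ingress: [{"from": [...]}]
    egress: list = field(default_factory=list)    # spec.egress:  [{"to":   [...]}]


def selects(selector: dict, pod: Pod) -> bool:
    """matchLabels semantics: every key/value in the selector must be on the pod."""
    return all(pod.labels.get(k) == v for k, v in selector.items())


def selecting_policies(pod: Pod, policies: list, direction: str) -> list:
    """Policies in the pod's namespace that select it and list `direction`."""
    return [p for p in policies
            if p.namespace == pod.namespace
            and direction in p.policy_types
            and selects(p.pod_selector, pod)]


def isolated(pod: Pod, policies: list, direction: str) -> bool:
    """A pod is isolated for a direction iff at least one policy selects it for it."""
    return bool(selecting_policies(pod, policies, direction))


def rules_allow(pod: Pod, policies: list, direction: str, peer: Pod) -> bool:
    """True if any rule of any selecting policy admits `peer` in `direction`."""
    key = "from" if direction == "Ingress" else "to"
    for p in selecting_policies(pod, policies, direction):
        rules = p.ingress if direction == "Ingress" else p.egress
        for rule in rules:
            peers = rule.get(key, [])
            if not peers:                 # a rule with an empty from/to matches everyone
                return True
            for entry in peers:
                sel = entry.get("podSelector")
                if sel is not None and peer.namespace == pod.namespace and selects(sel, peer):
                    return True
    return False                          # no rule matched: isolation wins


def connection_allowed(src: Pod, dst: Pod, policies: list) -> bool:
    """src -> dst passes only if src's egress AND dst's ingress both admit it."""
    egress_ok = (not isolated(src, policies, "Egress")) or rules_allow(src, policies, "Egress", dst)
    ingress_ok = (not isolated(dst, policies, "Ingress")) or rules_allow(dst, policies, "Ingress", src)
    return egress_ok and ingress_ok


# Constructed sample mirroring the pods and the `describe networkpolicy` output above.
NP_BUSYBOX = Pod("np-busybox", "networkpolicy", {"app": "client"}, "10.244.0.11")
NP_NGINX = Pod("np-nginx", "networkpolicy", {"app": "nginx"}, "10.244.0.12")
MY_POLICY = Policy("networkpolicy", {"app": "nginx"}, ["Ingress", "Egress"])   # no rules at all


def curl_from_busybox_should_succeed() -> bool:
    """What the API semantics say about the curl in the question."""
    return connection_allowed(NP_BUSYBOX, NP_NGINX, [MY_POLICY])


def curl_with_explicit_allow() -> bool:
    """Same policy plus one ingress rule admitting app=client re-opens the path."""
    allow = Policy("networkpolicy", {"app": "nginx"}, ["Ingress", "Egress"],
                   ingress=[{"from": [{"podSelector": {"app": "client"}}]}])
    return connection_allowed(NP_BUSYBOX, NP_NGINX, [allow])


if __name__ == "__main__":
    print("busybox -> nginx under the empty-rule policy:", curl_from_busybox_should_succeed())
    print("busybox -> nginx with an explicit allow rule:", curl_with_explicit_allow())
```

Under these semantics the curl in the question must fail (the nginx pod is isolated for ingress and no rule admits the client), so a successful response is evidence that nothing in the data plane is enforcing the policy, not that the policy is written wrongly. The same model also shows why np-busybox keeps egress: no policy selects app=client, so it is never isolated.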
Okay, I have found the solution now.
KIND ships with a simple network implementation, kindnet, which does not appear to support NetworkPolicy.
You can change the CNI on the Kind cluster to Calico (which does support network policies) as follows:
You can see that kindnet is present and Calico is not:
~ → kubectl -n kube-system get all | grep calico
~ →
~ → kubectl -n kube-system get all | grep kindnet
pod/kindnet-mmlgj 1/1 Running 4 (2d1h ago) 2d21h
daemonset.apps/kindnet 1 1 1 1 1 <none> 2d21h
Enter the docker container:
~ → docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1beac63b6221 kindest/node:v1.25.2 "/usr/local/bin/entr…" 2 days ago Up 2 days 127.0.0.1:34235->6443/tcp selfie-control-plane
~ → docker exec -it 1beac63b6221 bash
root@selfie-control-plane:/#
Create the following yaml file with the option "disableDefaultCNI" to disable the Kind cluster's default kindnet:
root@selfie-control-plane:/# cat <<EOF >/etc/kubernetes/manifests/kind-calico.yaml
kind: Cluster
apiVersion: kind.sigs.k8s.io/v1alpha3
networking:
disableDefaultCNI: true # disable kindnet
EOF
root@selfie-control-plane:/# exit
exit
Exit the container, then stop and start the Kind cluster docker container:
~ → docker stop selfie-control-plane
selfie-control-plane
~ → docker start selfie-control-plane
selfie-control-plane
~ → docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1beac63b6221 kindest/node:v1.25.2 "/usr/local/bin/entr…" 2 days ago Up 7 seconds 127.0.0.1:34235->6443/tcp selfie-control-plane
~ →
Now install the Calico CNI plugin:
~ → kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
poddisruptionbudget.policy/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
serviceaccount/calico-node created
configmap/calico-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/caliconodestatuses.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipreservations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
daemonset.apps/calico-node created
deployment.apps/calico-kube-controllers created
Now you cannot curl it; it times out after waiting a long time:
→ kubectl -n networkpolicy exec np-busybox -- curl -s 10.244.100.66
.
.
.