k8s --- the Calico network plugin and network policies
Create a public project named calico in the registry and upload the required images
[root@server1 harbor]# docker pull calico/cni
[root@server1 harbor]# docker pull calico/kube-controllers
[root@server1 harbor]# docker pull calico/node
[root@server1 harbor]# docker pull calico/pod2daemon-flexvol
[root@server1 harbor]# docker tag calico/cni:latest reg.westos.org/calico/cni:latest
[root@server1 harbor]# docker tag calico/kube-controllers:latest reg.westos.org/calico/kube-controllers:latest
[root@server1 harbor]# docker tag calico/node:latest reg.westos.org/calico/node:latest
[root@server1 harbor]# docker tag calico/pod2daemon-flexvol:latest reg.westos.org/calico/pod2daemon-flexvol:latest
[root@server1 harbor]# docker push reg.westos.org/calico/cni:latest
[root@server1 harbor]# docker push reg.westos.org/calico/kube-controllers:latest
[root@server1 harbor]# docker push reg.westos.org/calico/node:latest
[root@server1 harbor]# docker push reg.westos.org/calico/pod2daemon-flexvol:latest
Before the experiment, delete unused pods and services so the environment stays clean.
Remove the flannel plugin to prevent conflicts with Calico.
[root@server2 ~]# kubectl delete -f kube-flannel.yml
[root@server2 ~]# kubectl -n kube-system get pod
Move the leftover flannel files out of the way on every node (2, 3 and 4)
[root@server2 ~]# mv /etc/cni/net.d/10-flannel.conflist /mnt/
[root@server2 ~]# ps ax | grep flannel
Upload the deployment file
[root@server2 ~]# mkdir calico
[root@server2 ~]# cd calico/
[root@westos file_recv]# scp calico.yaml root@192.168.3.202:/root/calico
Apply it
[root@server2 calico]# kubectl apply -f calico.yaml
[root@server2 calico]# kubectl -n kube-system get pod
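Because the images were re-tagged and pushed to reg.westos.org, calico.yaml should reference that registry before it is applied. The script below is an added example, not part of the original post or of the Calico project: it lists every `image:` reference in a manifest, splits each into registry, repository, tag and digest, and reports references that do not come from the private registry or that use a mutable tag. The manifest text, the function names and the registry constant are constructed for this example.

```python
"""Audit the image references in a Kubernetes manifest before applying it.
Added example (not from the original post or from Calico). The manifest snippet
is a constructed, shortened stand-in for calico.yaml, not the real file."""

import re

PRIVATE_REGISTRY = "reg.westos.org"  # registry the page pushed the images to

# Constructed sample manifest: mixes private-registry, Docker Hub and digest-pinned references.
SAMPLE_MANIFEST = """\
containers:
  - name: calico-node
    image: reg.westos.org/calico/node:latest
initContainers:
  - name: install-cni
    image: reg.westos.org/calico/cni:latest
  - name: flexvol-driver
    image: calico/pod2daemon-flexvol:latest
  - name: upgrade-ipam
    image: docker.io/calico/cni@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Matches `image: <ref>` lines, with or without a leading list dash or quotes.
IMAGE_RE = re.compile(r"^\s*-?\s*image:\s*[\"']?([^\s\"']+)", re.MULTILINE)


def list_images(manifest):
    """Return every image reference found in the manifest text, in order."""
    return IMAGE_RE.findall(manifest)


def split_reference(ref):
    """Split an image reference into (registry, repository, tag, digest).
    The first path component counts as a registry only if it looks like a host
    (contains '.' or ':' or is 'localhost'); otherwise docker.io is implied."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:  # a ':' in the last component is the tag separator
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def audit(manifest, registry=PRIVATE_REGISTRY):
    """Return [(image, [problems])] for references that need attention:
    not served from the private registry, or not pinned to a version or digest."""
    findings = []
    for ref in list_images(manifest):
        reg, _path, tag, digest = split_reference(ref)
        problems = []
        if reg != registry:
            problems.append("not from private registry (%s)" % reg)
        if digest is None and (tag is None or tag == "latest"):
            problems.append("mutable tag; pin a version or digest")
        if problems:
            findings.append((ref, problems))
    return findings


if __name__ == "__main__":
    for image, problems in audit(SAMPLE_MANIFEST):
        print(image, "->", "; ".join(problems))
```

Run it against the real calico.yaml with `audit(open("calico.yaml").read())`; an empty result means every container image will be pulled from reg.westos.org with an immutable reference, so the apply step cannot silently fetch from Docker Hub.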
[root@server2 ingress]# kubectl apply -f nginx-svc.yml
[root@server2 calico]# kubectl get pod -L app
[root@server2 ingress]# kubectl get svc
Access works
[root@server2 ingress]# curl 10.99.143.123
[root@server2 ingress]# curl 10.99.143.123/hostname.html
Block access to pods carrying the nginx label
[root@server2 calico]# vim deny-nginx.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
Apply it
[root@server2 calico]# kubectl apply -f deny-nginx.yaml
Accessing it again now fails
[root@server2 calico]# curl 10.99.143.123
Allow a specified pod to access the service
Experiment: since access to pods carrying the nginx label was blocked above, create a new pod carrying the demo label that is allowed through.
[root@server2 calico]# kubectl run nginx --image=myapp:v2
[root@server2 calico]# kubectl run demo --image=busyboxplus -it
[root@server2 calico]# kubectl get pod -o wide
[root@server2 calico]# kubectl attach demo -it
/ # ping 10.244.22.6
At this point pinging the nginx pod works, because it does not carry the app=nginx label that the policy selects, but pinging the other two is blocked.
[root@server2 calico]# vim access-demo.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: demo
Add the demo label and apply the policy
[root@server2 calico]# kubectl apply -f access-demo.yaml
[root@server2 calico]# kubectl label pod demo app=demo
[root@server2 calico]# kubectl get pod -L app
Check the policies
[root@server2 calico]# kubectl get networkpolicies.
[root@server2 calico]# kubectl attach demo -it
Now pinging the pods that carry the nginx label works, and pinging the svc works as well.
Block all pod-to-pod access within a namespace
Create a namespace named demo for the experiment and block access between its pods.
[root@server2 calico]# kubectl create namespace demo
[root@server2 calico]# kubectl get ns
[root@server2 calico]# kubectl run demo1 --image=busyboxplus -it -n demo
[root@server2 calico]# kubectl run demo2 --image=busyboxplus -it -n demo
[root@server2 calico]# kubectl get pod -n demo
[root@server2 calico]# kubectl get pod -n demo --show-labels
[root@server2 calico]# kubectl -n demo get pod -o wide
[root@server2 calico]# kubectl attach demo1 -it -n demo
/ # ping 10.244.22.8
Under normal conditions they can communicate.
Block communication within the namespace
[root@server2 calico]# vim deny-pod.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: demo
spec:
  podSelector: {}
[root@server2 calico]# kubectl apply -f deny-pod.yaml
[root@server2 calico]# kubectl get networkpolicies. -n demo
[root@server2 calico]# kubectl attach demo1 -it -n demo
After the policy is applied they can no longer communicate.
Block access to the service from other namespaces
[root@server2 calico]# kubectl get pod -o wide
[root@server2 calico]# kubectl attach demo1 -it -n demo
Under normal conditions access works.
Block access
[root@server2 calico]# vim deny-ns.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-namespace
spec:
  podSelector:
    matchLabels:          # empty: selects every pod in the default namespace
  ingress:
  - from:
    - podSelector: {}     # only pods in the same namespace are allowed in
[root@server2 calico]# kubectl apply -f deny-ns.yaml
[root@server2 calico]# kubectl attach demo1 -it -n demo
/ # curl 10.244.22.6
After the policy is applied, access fails.
Allow access to the service only from a specified namespace
[root@server2 calico]# kubectl create namespace test
[root@server2 calico]# kubectl run demo3 --image=busyboxplus -it -n test
/ # curl 10.244.22.6
Under normal conditions access is denied
[root@server2 calico]# kubectl label ns test role=prod
[root@server2 calico]# kubectl get ns --show-labels
[root@server2 calico]# kubectl get pod -o wide --show-labels
Let the test namespace, which carries the role=prod label, access nginx
[root@server2 calico]# vim access-ns.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-namespace
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: prod
[root@server2 calico]# kubectl apply -f access-ns.yaml
[root@server2 calico]# kubectl attach demo3 -it -n test
/ # ping 10.244.22.6
After the policy is applied, access works.
Allow access to the service from outside the cluster
[root@server2 calico]# kubectl get ingress
[root@server2 calico]# kubectl -n ingress-nginx get svc
[root@server2 calico]# vim access-ex.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-external
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - ports:
    - port: 80
    from: []
[root@server2 calico]# kubectl apply -f access-ex.yaml
[root@westos ~]# curl www1.westos.org
Access works
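The six experiments above (deny-nginx, access-nginx, default-deny, deny-namespace, access-namespace and web-allow-external) all follow the same evaluation rules: a pod becomes isolated for ingress as soon as any policy in its namespace selects it, after that only traffic matched by some ingress rule of a selecting policy gets in, and policies are additive. The evaluator below is an added example, not code from the original post or from Calico or Kubernetes; it implements those rules for the fields the page uses (podSelector, namespaceSelector, ports, `from: []`) and replays every experiment offline. The policies are the page's YAML transcribed as Python dicts; the pod objects, their labels, the namespace labels and the function names (`ingress_allowed`, `replay_page`) are constructed assumptions modelled on the page's cluster. ipBlock, egress and policyTypes are not modelled because the page does not use them.

```python
"""Offline evaluator for the NetworkPolicy ingress semantics exercised on this page.
Added example (not from the original post, Calico or Kubernetes). Policies are the
page's YAML as dicts; pods and namespace labels are constructed sample data."""

from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed: namespace labels as they stand after `kubectl label ns test role=prod`.
NAMESPACE_LABELS = {"default": {}, "demo": {}, "test": {"role": "prod"}}


def selector_matches(selector, labels):
    """Label-selector semantics as the page relies on them: a missing selector, `{}`,
    or a bare `matchLabels:` (which YAML loads as null) matches every object."""
    if selector is None:
        return True
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_allows(peer, src, policy_ns):
    """One entry of `from:`. podSelector alone is scoped to the policy's own namespace;
    namespaceSelector alone admits any pod in the selected namespaces; with both, both
    must hold."""
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src.labels):
        return False
    return True


def rule_allows(rule, src, policy_ns, port):
    """One ingress rule. Empty or missing `ports` means any port; empty or missing
    `from` (the page's `from: []`) means any source. port=None stands for ICMP (ping)."""
    ports = rule.get("ports")
    if ports and not any(p.get("port") == port for p in ports):
        return False
    peers = rule.get("from")
    if not peers:
        return True
    return any(peer_allows(p, src, policy_ns) for p in peers)


def ingress_allowed(policies, src, dst, port=None):
    """True if src may reach dst on port. dst is isolated once any policy in its
    namespace selects it; then some rule of some selecting policy must allow the
    traffic. Policies only add permissions: none can deny what another allows."""
    selecting = [p for p in policies
                 if p["metadata"].get("namespace", "default") == dst.namespace
                 and selector_matches(p["spec"].get("podSelector", {}), dst.labels)]
    if not selecting:
        return True
    return any(rule_allows(rule, src, dst.namespace, port)
               for p in selecting for rule in (p["spec"].get("ingress") or []))


# The page's policies, transcribed from its YAML.
DENY_NGINX = {"metadata": {"name": "deny-nginx"},
              "spec": {"podSelector": {"matchLabels": {"app": "nginx"}}}}
ACCESS_NGINX = {"metadata": {"name": "access-nginx"},
                "spec": {"podSelector": {"matchLabels": {"app": "nginx"}},
                         "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "demo"}}}]}]}}
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "demo"},
                "spec": {"podSelector": {}}}
DENY_NAMESPACE = {"metadata": {"name": "deny-namespace"},
                  "spec": {"podSelector": {"matchLabels": None},  # bare `matchLabels:` in deny-ns.yaml
                           "ingress": [{"from": [{"podSelector": {}}]}]}}
ACCESS_NAMESPACE = {"metadata": {"name": "access-namespace"},
                    "spec": {"podSelector": {"matchLabels": {"run": "nginx"}},
                             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "prod"}}}]}]}}
WEB_ALLOW_EXTERNAL = {"metadata": {"name": "web-allow-external"},
                      "spec": {"podSelector": {"matchLabels": {"app": "nginx"}},
                               "ingress": [{"ports": [{"port": 80}], "from": []}]}}
ALL = [DENY_NGINX, ACCESS_NGINX, DEFAULT_DENY, DENY_NAMESPACE, ACCESS_NAMESPACE, WEB_ALLOW_EXTERNAL]

# Constructed pods modelled on the page (labels as the deployment and `kubectl run` set them).
NGINX_DEPLOY = Pod("nginx-deploy", "default", {"app": "nginx"})       # from nginx-svc.yml
NGINX_RUN = Pod("nginx", "default", {"run": "nginx"})                  # kubectl run nginx
DEMO = Pod("demo", "default", {"run": "demo"})                        # before `kubectl label`
DEMO_LABELLED = Pod("demo", "default", {"run": "demo", "app": "demo"})
DEMO1 = Pod("demo1", "demo", {"run": "demo1"})
DEMO2 = Pod("demo2", "demo", {"run": "demo2"})
DEMO3 = Pod("demo3", "test", {"run": "demo3"})
INGRESS_CTRL = Pod("ingress-nginx-controller", "ingress-nginx", {"app.kubernetes.io/name": "ingress-nginx"})


def replay_page():
    """Replay each experiment on the page and return {description: allowed}."""
    return {
        "deny-nginx: demo ping app=nginx": ingress_allowed([DENY_NGINX], DEMO, NGINX_DEPLOY),
        "deny-nginx: demo ping run=nginx (not selected)": ingress_allowed([DENY_NGINX], DEMO, NGINX_RUN),
        "access-nginx: unlabelled demo ping app=nginx": ingress_allowed([DENY_NGINX, ACCESS_NGINX], DEMO, NGINX_DEPLOY),
        "access-nginx: app=demo ping app=nginx": ingress_allowed([DENY_NGINX, ACCESS_NGINX], DEMO_LABELLED, NGINX_DEPLOY),
        "default-deny: demo1 ping demo2": ingress_allowed([DEFAULT_DENY], DEMO1, DEMO2),
        "default-deny: default namespace unaffected": ingress_allowed([DEFAULT_DENY], DEMO, NGINX_DEPLOY),
        "deny-namespace: demo1 curl nginx": ingress_allowed([DENY_NAMESPACE], DEMO1, NGINX_RUN, 80),
        "deny-namespace: same-namespace curl nginx": ingress_allowed([DENY_NAMESPACE], DEMO, NGINX_RUN, 80),
        "access-namespace: role=prod namespace curl nginx": ingress_allowed([DENY_NAMESPACE, ACCESS_NAMESPACE], DEMO3, NGINX_RUN, 80),
        "access-namespace: unlabelled namespace still denied": ingress_allowed([DENY_NAMESPACE, ACCESS_NAMESPACE], DEMO1, NGINX_RUN, 80),
        "web-allow-external: ingress controller :80": ingress_allowed([DENY_NGINX, WEB_ALLOW_EXTERNAL], INGRESS_CTRL, NGINX_DEPLOY, 80),
        "web-allow-external: ingress controller :8080": ingress_allowed([DENY_NGINX, WEB_ALLOW_EXTERNAL], INGRESS_CTRL, NGINX_DEPLOY, 8080),
        "all policies: test namespace reaches app=nginx :80 via from: []": ingress_allowed(ALL, DEMO3, NGINX_DEPLOY, 80),
    }


if __name__ == "__main__":
    for step, ok in replay_page().items():
        print(("ALLOW " if ok else "DENY  ") + step)
```

Three results are worth reading closely. The second line reproduces what the post observed with ping: the pod from `kubectl run nginx` carries run=nginx, not app=nginx, so deny-nginx never selects it. The "default namespace unaffected" line shows that a policy only isolates pods in its own namespace. The last line shows the additive rule: once web-allow-external opens port 80 with `from: []`, pods in any namespace reach the app=nginx pods on that port even though deny-namespace is still in place, so the external-access policy should be scoped (for example to the ingress controller's namespace) if cross-namespace isolation is meant to hold.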