k8s NetworkPolicy: testing that multiple ipBlock+port rules must match together
Taking egress as the example, we want to test that TCP port 1234 in the 172.17.197.252 subnet and TCP port 80 in the 172.16.247.58/24 subnet can be reached from the pod, and that nothing else can.
Purpose of the test:
1. Verify that traffic passes only when the ipBlock and the port are both satisfied at the same time.
2. Verify that several egress ipBlock+port sections can be added to one NetworkPolicy without being merged, i.e. TCP port 80 in the 172.17.197.252 subnet is not opened,
and neither is TCP port 1234 in the 172.16.247.58/24 subnet. The test succeeds only if exactly the combinations written in our network policy are reachable.
The test results are as follows (connections the policy blocks hang until interrupted with ^C, because the packets are silently dropped; connections it allows return immediately):
-[appuser@chenqiang-dev ~]$ kubectl -n chenqiang1 exec -it tcp-udp-deployment-6d4c485fb-5t44n bash
root@tcp-udp-deployment-6d4c485fb-5t44n:/# </dev/tcp/172.16.247.58/1234
^Cbash: connect: Interrupted system call
bash: /dev/tcp/172.16.247.58/1234: Interrupted system call
root@tcp-udp-deployment-6d4c485fb-5t44n:/# </dev/tcp/172.16.247.58/80
root@tcp-udp-deployment-6d4c485fb-5t44n:/# </dev/tcp/172.17.197.252/1234
root@tcp-udp-deployment-6d4c485fb-5t44n:/# </dev/tcp/172.17.197.252/80
^Cbash: connect: Interrupted system call
bash: /dev/tcp/172.17.197.252/80: Interrupted system call
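The probes above use bash's built-in `/dev/tcp` redirection, which hangs on a dropped connection until it is interrupted by hand. The following is an added example, not code from the original post: a small Python probe that bounds each attempt with a timeout and distinguishes a completed handshake ("open") from a timeout (the usual symptom of a NetworkPolicy drop, as seen above) and a connection refused (the destination was reached but nothing is listening). The `PAGE_EXPECTATIONS` table is constructed from the four connections tried above; the local listener exists only so the code can be exercised offline and is not part of the cluster test.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one outbound TCP connect attempt without ever hanging."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"    # typical when a NetworkPolicy silently drops the SYN
    except ConnectionRefusedError:
        return "refused"    # reached the destination, but nothing listens there
    except OSError as exc:
        return f"error:{exc.errno}"


def verdict(result):
    """Map a probe outcome to the page's pass/fail vocabulary: only a completed
    handshake counts as 'allowed'; a timeout, refusal or error counts as 'blocked'."""
    return "allowed" if result == "open" else "blocked"


def check_expectations(results, expectations):
    """Return the (host, port) pairs whose verdict differs from what the policy should give."""
    return sorted(k for k, want in expectations.items() if verdict(results[k]) != want)


def start_local_listener():
    """Constructed helper for offline use: a listening socket on 127.0.0.1 with an
    ephemeral port. The kernel completes the handshake from the backlog, so no
    accept() is needed for probe_tcp() to see the port as open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


# Constructed from the four connections tried on this page and what the
# allow-egress policy should give for each of them.
PAGE_EXPECTATIONS = {
    ("172.16.247.58", 1234): "blocked",
    ("172.16.247.58", 80): "allowed",
    ("172.17.197.252", 1234): "allowed",
    ("172.17.197.252", 80): "blocked",
}


if __name__ == "__main__":
    # Intended to be run from inside the pod under test, e.g. via kubectl exec.
    results = {(h, p): probe_tcp(h, p) for (h, p) in PAGE_EXPECTATIONS}
    for (h, p), r in results.items():
        print(f"{h}:{p} -> {r} ({verdict(r)})")
    mismatches = check_expectations(results, PAGE_EXPECTATIONS)
    print("PASS" if not mismatches else f"FAIL: {mismatches}")
```

Because a NetworkPolicy deny manifests as a timeout rather than a reset, a probe that treats "refused" and "timeout" alike would hide a misconfigured policy behind a missing listener; keeping the three outcomes separate tells you whether the policy or the target service is at fault.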
The detailed test steps are as follows:
1. First create two NetworkPolicies: one that denies egress for all pods, and one that allows only the rules we write in. As shown below:
-[appuser@chenqiang-dev tcp-udp]$ kubectl -n chenqiang1 get networkpolicy
NAME POD-SELECTOR AGE
allow-egress <none> 42m
default-deny-egress <none> 45m
2. The pods under test are in the following two namespaces:
-[appuser@chenqiang-dev tcp-udp]$ kubectl -n chenqiang1 get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
tcp-udp-deployment-6d4c485fb-5t44n 1/1 Running 0 50m 172.19.22.102 10.130.33.28 <none>
tcp-udp-deployment-6d4c485fb-fg4kp 1/1 Running 0 50m 172.17.197.252 10.130.33.25 <none>
tcp-udp-deployment-6d4c485fb-jm99f 1/1 Running 0 50m 172.16.247.41 10.130.33.26 <none>
tcp-udp-deployment-6d4c485fb-kp446 1/1 Running 0 50m 172.17.36.60 10.130.33.22 <none>
-[appuser@chenqiang-dev tcp-udp]$ kubectl -n helloworld1 get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
nginx-hello-deployment-b5b7bf4f5-7d9mf 1/1 Running 0 1h 172.16.247.58 10.130.33.26 <none>
nginx-hello-deployment-b5b7bf4f5-f5n52 1/1 Running 0 1h 172.17.197.241 10.130.33.25 <none>
nginx-hello-deployment-b5b7bf4f5-lskff 1/1 Running 0 1h 172.19.22.66 10.130.33.28 <none>
nginx-hello-deployment-b5b7bf4f5-lvxc8 1/1 Running 0 1h 172.17.36.25 10.130.33.22 <none>
The network policies created are as follows:
1. Deny egress to all pods
-[appuser@chenqiang-dev tcp-udp]$ cat default-deny-chenqiang1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: chenqiang1
  name: default-deny-egress
spec:
  podSelector: {}        # selects every pod in the namespace
  policyTypes:
  - Egress               # Egress listed but no egress rules given: all egress is denied,
                         # including DNS (UDP/53); the probes here use raw IPs, so they are unaffected
2. Allow egress to specific ports in specific subnets
-[appuser@chenqiang-dev tcp-udp]$ cat allow-chenqiang1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: chenqiang1
  name: allow-egress
spec:
  egress:
  # rule 1: only TCP/1234, and only to this subnet (to and ports are ANDed within a rule)
  - to:
    - ipBlock:
        cidr: 172.17.197.252/24   # host bits are ignored: this is 172.17.197.0/24
    ports:
    - protocol: TCP
      port: 1234
  # rule 2: only TCP/80, and only to this subnet; separate rules are not merged
  - to:
    - ipBlock:
        cidr: 172.16.247.58/24    # i.e. 172.16.247.0/24
    ports:
    - protocol: TCP
      port: 80
  podSelector: {}
  policyTypes:
  - Egress
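To make the semantics behind the test goals explicit (an ipBlock and a port list inside one rule are ANDed; separate rules are ORed and never cross-multiplied; policies selecting the same pod are additive), here is an added example that is not part of the original post: a small Python evaluator for the egress rules above, modelling only `ipBlock` peers (with `except`) and `ports`. `ALLOW_EGRESS_RULES` and `DEFAULT_DENY_RULES` are transcribed from the two policies on this page; `MERGED_SINGLE_RULE` is a hypothetical policy constructed here to show what a single rule carrying both ipBlocks and both ports would allow, which is exactly the outcome the test is designed to rule out.

```python
import ipaddress

# Transcribed from the allow-egress policy on this page: two egress rules,
# each with its own ipBlock and its own port list.
ALLOW_EGRESS_RULES = [
    {"to": [{"ipBlock": {"cidr": "172.17.197.252/24"}}],
     "ports": [{"protocol": "TCP", "port": 1234}]},
    {"to": [{"ipBlock": {"cidr": "172.16.247.58/24"}}],
     "ports": [{"protocol": "TCP", "port": 80}]},
]

# The default-deny-egress policy: selects every pod, lists no egress rules.
DEFAULT_DENY_RULES = []

# Hypothetical (not on the page): both ipBlocks and both ports in ONE rule.
MERGED_SINGLE_RULE = [
    {"to": [{"ipBlock": {"cidr": "172.17.197.252/24"}},
            {"ipBlock": {"cidr": "172.16.247.58/24"}}],
     "ports": [{"protocol": "TCP", "port": 1234},
               {"protocol": "TCP", "port": 80}]},
]


def peer_matches(peer, dst_ip):
    """True if an ipBlock peer covers dst_ip and no entry of its except list does."""
    block = peer.get("ipBlock")
    if block is None:
        return False  # podSelector/namespaceSelector peers are not modelled here
    if dst_ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(dst_ip in ipaddress.ip_network(ex, strict=False)
                   for ex in block.get("except", []))


def port_matches(spec, protocol, port):
    """A port entry matches on protocol (default TCP) and, when given, the port number."""
    return spec.get("protocol", "TCP") == protocol and spec.get("port", port) == port


def rule_matches(rule, dst_ip, protocol, port):
    """Inside one rule `to` and `ports` are ANDed; an empty or absent list means 'any'."""
    to_ok = not rule.get("to") or any(peer_matches(p, dst_ip) for p in rule["to"])
    ports_ok = not rule.get("ports") or any(port_matches(s, protocol, port)
                                            for s in rule["ports"])
    return to_ok and ports_ok


def egress_allowed(policies, dst, protocol, port):
    """policies: one egress rule list per NetworkPolicy that selects the pod.
    Policies are additive: the connection is allowed if ANY rule of ANY policy
    matches. With no policy selecting the pod at all, everything is allowed."""
    if not policies:
        return True
    dst_ip = ipaddress.ip_address(dst)
    return any(rule_matches(r, dst_ip, protocol, port)
               for rules in policies for r in rules)


def page_matrix(policies):
    """Evaluate the four connections tried on the page against the given policies."""
    return {(dst, port): egress_allowed(policies, dst, "TCP", port)
            for dst in ("172.16.247.58", "172.17.197.252")
            for port in (1234, 80)}


if __name__ == "__main__":
    for name, pols in (("page policies", [DEFAULT_DENY_RULES, ALLOW_EGRESS_RULES]),
                       ("merged single rule", [MERGED_SINGLE_RULE])):
        print(name)
        for (dst, port), ok in page_matrix(pols).items():
            print(f"  {dst}:{port} -> {'allowed' if ok else 'blocked'}")
```

Run as a script it prints the page's expected 2-of-4 outcome for the real policies and 4-of-4 for the merged rule, which is the difference the second test goal is checking for.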
The test pods used are as follows:
-[appuser@chenqiang-dev tcp-udp]$ cat chenqiang1-tcp-udp.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: chenqiang1
---
apiVersion: v1
kind: Secret
metadata:
  name: regcred
  namespace: chenqiang1
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJkb2NrZXItcmVnaXN0cnkuc2FpY3N0YWNrLmNvbSI6IHsKCQkJImF1dGgiOiAiWTJobGJuRnBZVzVuT2xCaGMzTjNNSEprIgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xNy4xMi4xLWNlIChsaW51eCkiCgl9Cn0=
type: kubernetes.io/dockerconfigjson
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tcp-udp-deployment
  namespace: chenqiang1
  labels:
    app: tcp-udp
spec:
  replicas: 4
  selector:
    matchLabels:
      app: tcp-udp
  template:
    metadata:
      labels:
        app: tcp-udp
    spec:
      containers:
      - name: tcp-udp
        image: ksdn117/tcp-udp-test:latest
        ports:
        - name: 1234tcp-1212342
          containerPort: 1234
          protocol: TCP
        - name: 5678udp-1256782
          containerPort: 5678
          protocol: UDP
      imagePullSecrets:
      - name: regcred
---
kind: Service
apiVersion: v1
metadata:
  name: tcp-udp-service
  namespace: chenqiang1
  labels:
    ns: chenqiang1
spec:
  selector:
    app: tcp-udp
  ports:
  - protocol: TCP
    port: 1234
    name: 1234tcp
    targetPort: 1234
  - protocol: UDP           # corrected from TCP: the container exposes 5678 as UDP
    port: 5678
    name: 5678udp
    targetPort: 5678