网络策略——可以理解为防火墙
[root@vms61 chap10-net]# kubectl run pod1 --image=nginx --image-pull-policy=IfNotPresent --labels="name=pod1"
pod/pod1 created
[root@vms61 chap10-net]# kubectl run pod2 --image=nginx --image-pull-policy=IfNotPresent --labels="name=pod2"
pod/pod2 created
[root@vms61 chap10-net]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod1 1/1 Running 0 16s
pod2 1/1 Running 0 6s
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod1 1/1 Running 0 21s name=pod1
pod2 1/1 Running 0 11s name=pod2
[root@vms61 chap10-net]# kubectl expose --name=svc1 pod pod1 --port=80 --type=NodePort
service/svc1 exposed
[root@vms61 chap10-net]# kubectl expose --name=svc2 pod pod2 --port=80 --type=NodePort
service/svc2 exposed
[root@vms61 chap10-net]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc1 NodePort 10.110.91.208 <none> 80:32614/TCP 11s
svc2 NodePort 10.97.135.59 <none> 80:31706/TCP 4s
[root@vms61 chap10-net]# kubectl run pod-test --image=nginx --image-pull-policy=IfNotPresent
pod/pod-test created
[root@vms61 chap10-net]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-test 1/1 Running 0 3s
pod1 1/1 Running 0 5m33s
pod2 1/1 Running 0 5m23s
[root@vms61 chap10-net]# kubectl exec -it pod1 -- bash
root@pod1:/# echo 11111 > /usr/share/nginx/html/index.html
root@pod1:/# exit
exit
[root@vms61 chap10-net]# kubectl exec -it pod2 -- bash
root@pod2:/# echo 22222 > /usr/share/nginx/html/index.html
root@pod2:/# exit
exit
[root@vms61 chap10-net]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc1 NodePort 10.110.91.208 <none> 80:32614/TCP 6m33s
svc2 NodePort 10.97.135.59 <none> 80:31706/TCP 6m26s
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curs -s svc1
bash: curs: command not found
root@pod-test:/# curl -s svc1
11111
root@pod-test:/# curl -s svc2
22222
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
      name: pod1
  policyTypes:
  - Ingress
  ingress:
  - from:
#    - ipBlock:
#        cidr: 172.17.0.0/16
#        except:
#        - 172.17.1.0/24
#    - namespaceSelector:
#        matchLabels:
#          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml
networkpolicy.networking.k8s.io/mypolicy created
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test 1/1 Running 0 51m run=pod-test
pod1 1/1 Running 0 57m name=pod1
pod2 1/1 Running 0 57m name=pod2
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc2
22222
root@pod-test:/# curl -s svc1
^C
root@pod-test:/# exit
[root@vms61 chap10-net]# kubectl label pod pod-test role=frontend
pod/pod-test labeled
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test 1/1 Running 0 54m role=frontend,run=pod-test
pod1 1/1 Running 0 60m name=pod1
pod2 1/1 Running 0 60m name=pod2
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc1
11111
root@pod-test:/# exit
Exit
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
      app: xx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.135.0/24
#        except:
#        - 172.17.1.0/24
#    - namespaceSelector:
#        matchLabels:
#          project: myproject
#    - podSelector:
#        matchLabels:
#          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml
networkpolicy.networking.k8s.io/mypolicy unchanged
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test 1/1 Running 0 65m run=pod-test
pod1 1/1 Running 0 70m app=xx,name=pod1
pod2 1/1 Running 0 70m app=xx,name=pod2
[root@vms61 chap10-net]# kubectl label pod pod-test role=frontend
pod/pod-test labeled
[root@vms61 chap10-net]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc1 NodePort 10.110.91.208 <none> 80:32614/TCP 68m
svc2 NodePort 10.97.135.59 <none> 80:31706/TCP 68m
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test 1/1 Running 0 77m run=pod-test
pod1 1/1 Running 0 82m app=xx,name=pod1
pod2 1/1 Running 0 82m app=xx,name=pod2
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
#    - ipBlock:
#        cidr: 192.168.135.0/24
#        except:
#        - 172.17.1.0/24
#    - namespaceSelector:
#        matchLabels:
#          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml
networkpolicy.networking.k8s.io/mypolicy configured
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc1
^C
root@pod-test:/# curl -s svc2
^C
root@pod-test:/#
如果想让其他命名空间(例如 default)里的 pod 也能访问,该怎么办?思路是在 ingress 的 from 列表里再增加一个 namespaceSelector 条目;注意它与已有的 podSelector 是两个独立的列表项,二者之间是"或"的关系——来源只要满足其中任意一条就会被放行。
[root@vms61 chap10-net]# kubectl run pod-test1 --image=nginx --image-pull-policy=IfNotPresent -n default
pod/pod-test1 created
[root@vms61 chap10-net]# kubectl get pods -n default
NAME READY STATUS RESTARTS AGE
pod-test1 1/1 Running 0 9s
[root@vms61 chap10-net]# kubectl get pods -n default --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test1 1/1 Running 0 17s run=pod-test1
[root@vms61 chap10-net]# kubectl label pod pod-test1 -n default role=frontend
pod/pod-test1 labeled
[root@vms61 chap10-net]# kubectl get pods -n default --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test1 1/1 Running 0 5m30s role=frontend,run=pod-test1
[root@vms61 chap10-net]# kubectl label ns default aa=bb
namespace/default labeled
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
#    - ipBlock:
#        cidr: 192.168.135.0/24
#        except:
#        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          aa: bb
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml
networkpolicy.networking.k8s.io/mypolicy configured
[root@vms61 chap10-net]# kubectl exec -it -n default pod-test -- bash
Error from server (NotFound): pods "pod-test" not found
[root@vms61 chap10-net]# kubectl exec -it -n default pod-test1 -- bash
root@pod-test1:/# curl -s svc1
^C
root@pod-test1:/# curl -s svc1.chap10-net
11111
root@pod-test1:/# curl -s svc2.chap10-net
22222