Getting started with k8s Network Policy
What is a Network Policy?
Network Policy on EKS
Calico
Ref: https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/calico.html
Manifest for installing Calico
Applying the manifest below (with `k` used as a shorthand alias for `kubectl`) creates the calico-node DaemonSet in the kube-system namespace:
```shell
k apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.5/config/v1.5/calico.yaml
```
```shell
k get daemonset calico-node --namespace kube-system
NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
calico-node   2         2         2       2            2           beta.kubernetes.io/os=linux   41s
```
Verifying Network Policy
Provisioning
NetworkPolicy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-layer1
  namespace: layer1
spec:
  # An empty podSelector selects every Pod in the namespace the NetworkPolicy lives in
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  # Allow traffic from the layer1 namespace so that communication within the namespace keeps working
  ingress:
    - from:
        # allow traffic from layer1
        - namespaceSelector:
            matchLabels:
              role: layer1
  # An empty egress rule allows all outbound traffic
  egress:
    - {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-layer2
  namespace: layer2
spec:
  # An empty podSelector selects every Pod in the namespace the NetworkPolicy lives in
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # allow traffic from layer1 and layer2
        - namespaceSelector:
            matchExpressions:
              - key: role
                operator: In
                values: [layer1, layer2]
  # An empty egress rule allows all outbound traffic, including traffic to layer3
  egress:
    - {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-layer3
  namespace: layer3
spec:
  # An empty podSelector selects every Pod in the namespace the NetworkPolicy lives in
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # allow traffic from layer1 and layer2
        - namespaceSelector:
            matchExpressions:
              - key: role
                operator: In
                values: [layer1, layer2]
  # Egress is listed in policyTypes but no egress rules are given, so all outbound traffic is denied
```
Verifying the behaviour
```shell
wget --server-response http://nginx1.layer1 -q -O -
HTTP/1.1 200 OK
Server: nginx/1.17.9
wget --server-response http://nginx2.layer2 -q -O -
HTTP/1.1 200 OK
Server: nginx/1.17.9
wget --server-response http://nginx3.layer3 -q -O -
HTTP/1.1 200 OK
Server: nginx/1.17.9

wget --server-response http://nginx1.layer1 -q -O -
# NG
wget --server-response http://nginx2.layer2 -q -O -
HTTP/1.1 200 OK
Server: nginx/1.17.9
wget --server-response http://nginx3.layer3 -q -O -
HTTP/1.1 200 OK
Server: nginx/1.17.9

wget --server-response http://nginx1.layer1 -q -O -
# NG
wget --server-response http://nginx2.layer2 -q -O -
HTTP/1.1 200 OK
Server: nginx/1.17.9
wget --server-response http://nginx3.layer3 -q -O -
HTTP/1.1 200 OK
Server: nginx/1.17.9
```
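Before trusting a hand-run loop of wget calls, it helps to derive what the three manifests above should permit from the NetworkPolicy semantics themselves. The following Python model is an added example written for this page; it is not code from the original article or from Kubernetes. It transcribes the three policies into dicts, assumes each namespace carries a `role` label equal to its name (the article does not show the namespace manifests), models only namespaceSelector peers (no podSelector, ipBlock or ports), and treats policies as additive, as the API does. The point it makes explicit: because np-layer3 lists Egress in policyTypes but defines no egress rules, every outbound connection from layer3 is denied, DNS lookups included, so a wget from a layer3 Pod fails at name resolution before any HTTP request is sent. The second result block above (NG, OK, OK) is exactly what the model predicts for a source Pod in layer2.

```python
"""Minimal model of the namespace-level semantics of Kubernetes NetworkPolicy.

Assumptions (example code, not part of the original article):
- each namespace carries a `role` label equal to its name (layer1..layer3);
- only namespaceSelector peers are modelled (no podSelector/ipBlock/ports);
- the policies are transcribed from the article's three manifests.
"""

# Constructed sample: the namespace labels the article's selectors rely on
NAMESPACE_LABELS = {
    "layer1": {"role": "layer1"},
    "layer2": {"role": "layer2"},
    "layer3": {"role": "layer3"},
}

# The article's manifests, transcribed (podSelector {} = every Pod in the namespace)
POLICIES = [
    {"namespace": "layer1", "policyTypes": ["Ingress", "Egress"],
     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "layer1"}}}]}],
     "egress": [{}]},                       # empty rule: allow all egress
    {"namespace": "layer2", "policyTypes": ["Ingress", "Egress"],
     "ingress": [{"from": [{"namespaceSelector": {"matchExpressions": [
         {"key": "role", "operator": "In", "values": ["layer1", "layer2"]}]}}]}],
     "egress": [{}]},
    {"namespace": "layer3", "policyTypes": ["Ingress", "Egress"],
     "ingress": [{"from": [{"namespaceSelector": {"matchExpressions": [
         {"key": "role", "operator": "In", "values": ["layer1", "layer2"]}]}}]}]},
    # np-layer3 has no "egress" key while Egress is in policyTypes: all egress denied
]


def selector_matches(selector, labels):
    """Evaluate a label selector: matchLabels plus In/NotIn/Exists/DoesNotExist."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        present, value = key in labels, labels.get(key)
        if op == "In" and value not in expr["values"]:
            return False
        if op == "NotIn" and value in expr["values"]:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def rule_allows(rule, peer_key, peer_ns):
    """A rule without peers ({}) allows everything; otherwise some peer must match."""
    peers = rule.get(peer_key)
    if not peers:
        return True
    return any(selector_matches(p["namespaceSelector"], NAMESPACE_LABELS[peer_ns])
               for p in peers if "namespaceSelector" in p)


def direction_allowed(ns, direction, peer_ns):
    """direction is 'Ingress' (peer is the source) or 'Egress' (peer is the destination)."""
    applicable = [p for p in POLICIES
                  if p["namespace"] == ns and direction in p["policyTypes"]]
    if not applicable:
        return True  # no policy selects the Pod for this direction: allow all
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    # Policies are additive: allowed if any rule of any applicable policy allows the peer.
    # A policy that lists the direction but has no rules contributes nothing, i.e. deny.
    return any(rule_allows(r, peer_key, peer_ns) for p in applicable for r in p.get(key, []))


def connection_allowed(src_ns, dst_ns):
    """Traffic flows only if egress at the source AND ingress at the destination allow it."""
    return (direction_allowed(src_ns, "Egress", dst_ns)
            and direction_allowed(dst_ns, "Ingress", src_ns))


def connectivity_matrix():
    """Expected result of running the wget loop from each namespace: True = OK, False = NG."""
    names = sorted(NAMESPACE_LABELS)
    return {src: {dst: connection_allowed(src, dst) for dst in names} for src in names}


if __name__ == "__main__":
    for src, row in connectivity_matrix().items():
        print(src, "->", {dst: ("OK" if ok else "NG") for dst, ok in row.items()})
```

Running the block prints one row per source namespace; the layer3 row is all NG, which is the case to watch for when a policy lists a direction in policyTypes and then forgets the rules for it.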
Observations
Reference
Original article: https://zenn.dev/kennygt51/articles/0042b693c14d60