Comparing network policy on/off on GKE

Introduction

While reading the Istio documentation and trying Egress Gateways on GKE, traffic control by network policy did not take effect. I remembered that an option has to be specified when the cluster is created, so I compared what actually changes with and without that option (network policy on/off).

Environment

Kubernetes 1.13.10-gke.0

Network policy off

Create the cluster.

gcloud container clusters create istio --num-nodes 4

List the pods in kube-system.

$ kubectl get pods -n kube-system
NAME                                              READY   STATUS    RESTARTS   AGE
event-exporter-v0.2.4-5f88c66fb7-zfhvc            2/2     Running   0          2m25s
fluentd-gcp-scaler-59b7b75cd7-52xq5               1/1     Running   0          2m14s
fluentd-gcp-v3.2.0-rrfr8                          2/2     Running   0          111s
fluentd-gcp-v3.2.0-s8srv                          2/2     Running   0          111s
fluentd-gcp-v3.2.0-tv7qn                          2/2     Running   0          110s
fluentd-gcp-v3.2.0-vkr7g                          2/2     Running   0          110s
heapster-v1.6.1-5b8d76f85b-2cg78                  3/3     Running   0          91s
kube-dns-79868f54c5-snr6h                         4/4     Running   0          2m25s
kube-dns-79868f54c5-zlnbl                         4/4     Running   0          112s
kube-dns-autoscaler-bb58c6784-zwhjx               1/1     Running   0          2m4s
kube-proxy-gke-istio-default-pool-b3957c51-18m9   1/1     Running   0          2m10s
kube-proxy-gke-istio-default-pool-b3957c51-4qc4   1/1     Running   0          2m9s
kube-proxy-gke-istio-default-pool-b3957c51-990r   1/1     Running   0          2m5s
kube-proxy-gke-istio-default-pool-b3957c51-pkk9   1/1     Running   0          2m9s
l7-default-backend-fd59995cd-xqlkq                1/1     Running   0          2m25s
metrics-server-v0.3.1-57c75779f-jbpv8             2/2     Running   0          119s
prometheus-to-sd-6pfvm                            1/1     Running   0          2m9s
prometheus-to-sd-bbzsk                            1/1     Running   0          2m9s
prometheus-to-sd-cvjtr                            1/1     Running   0          2m9s
prometheus-to-sd-mjmck                            1/1     Running   0          2m10s

Network policy on

Enable network policy.

gcloud container clusters update istio --update-addons=NetworkPolicy=ENABLED
gcloud container clusters update istio --enable-network-policy

List the pods in kube-system.

NAME                                                  READY   STATUS    RESTARTS   AGE
calico-node-vertical-autoscaler-579467d76c-mm8jx      1/1     Running   0          73s
calico-typha-65bfd5544b-6gpxm                         1/1     Running   0          71s
calico-typha-horizontal-autoscaler-847fc7bc8d-nq2k8   1/1     Running   0          73s
calico-typha-vertical-autoscaler-dc95cc498-vgpfd      1/1     Running   0          73s
event-exporter-v0.2.4-5f88c66fb7-zfhvc                2/2     Running   0          10m
fluentd-gcp-scaler-59b7b75cd7-52xq5                   1/1     Running   0          10m
fluentd-gcp-v3.2.0-rrfr8                              2/2     Running   0          9m41s
fluentd-gcp-v3.2.0-s8srv                              2/2     Running   0          9m41s
fluentd-gcp-v3.2.0-tv7qn                              2/2     Running   0          9m40s
fluentd-gcp-v3.2.0-vkr7g                              2/2     Running   0          9m40s
heapster-v1.6.1-5b8d76f85b-2cg78                      3/3     Running   0          9m21s
kube-dns-79868f54c5-snr6h                             4/4     Running   0          10m
kube-dns-79868f54c5-zlnbl                             4/4     Running   0          9m42s
kube-dns-autoscaler-bb58c6784-zwhjx                   1/1     Running   0          9m54s
kube-proxy-gke-istio-default-pool-b3957c51-18m9       1/1     Running   0          10m
kube-proxy-gke-istio-default-pool-b3957c51-4qc4       1/1     Running   0          9m59s
kube-proxy-gke-istio-default-pool-b3957c51-990r       1/1     Running   0          9m55s
kube-proxy-gke-istio-default-pool-b3957c51-pkk9       1/1     Running   0          9m59s
l7-default-backend-fd59995cd-xqlkq                    1/1     Running   0          10m
metrics-server-v0.3.1-57c75779f-jbpv8                 2/2     Running   0          9m49s
prometheus-to-sd-6pfvm                                1/1     Running   0          9m59s
prometheus-to-sd-bbzsk                                1/1     Running   0          9m59s
prometheus-to-sd-cvjtr                                1/1     Running   0          9m59s
prometheus-to-sd-mjmck                                1/1     Running   0          10m

Comparison

Just looking at the two listings is enough to see the difference, but let's take a diff of the pod names anyway.

diff -up <(cat off.txt | awk '{print $1}') <(cat on.txt | awk '{print $1}')
--- /dev/fd/12  2019-10-22 08:44:08.000000000 +0900
+++ /dev/fd/13  2019-10-22 08:44:08.000000000 +0900
@@ -1,4 +1,8 @@
 NAME
+calico-node-vertical-autoscaler-579467d76c-mm8jx
+calico-typha-65bfd5544b-6gpxm
+calico-typha-horizontal-autoscaler-847fc7bc8d-nq2k8
+calico-typha-vertical-autoscaler-dc95cc498-vgpfd
 event-exporter-v0.2.4-5f88c66fb7-zfhvc
 fluentd-gcp-scaler-59b7b75cd7-52xq5
 fluentd-gcp-v3.2.0-rrfr8

This shows that enabling network policy brings in Calico.
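As an added example (not part of the original article), here is a small POSIX shell check that turns the observation above into something you can run against a saved `kubectl get pods -n kube-system` listing: it reports whether any `calico-*` pods are present, which is the quickest sign that the NetworkPolicy add-on is actually enforcing anything. The two pod listings embedded below are constructed, abridged from the article's own output; the `gcloud ... --format='value(networkPolicy.enabled)'` line in the trailing comment is an assumption about the describe output and is not exercised offline.

```shell
#!/bin/sh
# Added example: offline check for Calico components in a kube-system pod listing.
# Without the NetworkPolicy add-on, NetworkPolicy objects are accepted by the API
# server but nothing enforces them, so a Calico-less listing is a warning sign.

# Constructed sample: listing before enabling the add-on (abridged from the article).
PODS_OFF='NAME READY STATUS RESTARTS AGE
kube-dns-79868f54c5-snr6h 4/4 Running 0 2m25s
kube-proxy-gke-istio-default-pool-b3957c51-18m9 1/1 Running 0 2m10s'

# Constructed sample: listing after enabling the add-on (abridged from the article).
PODS_ON='NAME READY STATUS RESTARTS AGE
calico-node-vertical-autoscaler-579467d76c-mm8jx 1/1 Running 0 73s
calico-typha-65bfd5544b-6gpxm 1/1 Running 0 71s
kube-dns-79868f54c5-snr6h 4/4 Running 0 10m'

# has_calico LISTING: exit 0 if at least one pod name (first column, header skipped)
# starts with "calico-", exit 1 otherwise.
has_calico() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /^calico-/ { found = 1 } END { exit !found }'
}

# calico_count LISTING: print how many calico-* pods are in the listing, so a
# partial rollout (e.g. typha present, node agent not yet scheduled) is visible.
calico_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /^calico-/ { n++ } END { print n + 0 }'
}

# Live usage against a real cluster (needs gcloud/kubectl; not part of the offline test):
#   kubectl get pods -n kube-system > on.txt
#   has_calico "$(cat on.txt)" && echo "calico present: $(calico_count "$(cat on.txt)") pods"
#   gcloud container clusters describe istio --format='value(networkPolicy.enabled)'   # assumption

if has_calico "$PODS_ON"; then
    echo "sample ON listing: calico present ($(calico_count "$PODS_ON") pods)"
fi
if ! has_calico "$PODS_OFF"; then
    echo "sample OFF listing: no calico pods, NetworkPolicy objects would not be enforced"
fi
```

The function only inspects the first column, so it works on the article's saved `off.txt`/`on.txt` files as well as on a fresh listing; pair it with the `gcloud ... describe` check when you want the control-plane view rather than the data-plane view.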

References

Creating a cluster network policy
