
Kubernetes 1.11 + Calico 3.1: how to configure NetworkPolicy

Introduction

NetworkPolicy is fairly intricate, and working out how to configure it takes some time.
This article walks through configuring NetworkPolicy with a realistic use case in mind.

In the previous article I built a Kubernetes 1.11 + Calico 3.1 environment.
That environment is used here.

Overview

Two namespaces are created and NetworkPolicy behaviour is checked from two angles:

  • connectivity between the demo1 and demo2 namespaces
  • connectivity within the demo1 namespace

Architecture diagram

[figure: 007.png]

Environment preparation

Create the namespaces

A namespaceSelector in a NetworkPolicy matches namespaces by label, so each namespace gets a label. Any label will do; here it is nsname. (Kubernetes 1.11 does not label namespaces automatically, so without this a policy has no way to refer to a namespace.)

cat <<'EOF' > /root/manifests/namespace-demo1.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: demo1
  labels:
    nsname: demo1
EOF

cat <<'EOF' > /root/manifests/namespace-demo2.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: demo2
  labels:
    nsname: demo2
EOF

kubectl apply -f /root/manifests/namespace-demo1.yaml
kubectl apply -f /root/manifests/namespace-demo2.yaml

Create an nginx Deployment (2 replicas) plus a NodePort Service in each of demo1 and demo2

cat <<'EOF' > /root/manifests/nginx_demo1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test
  namespace: demo1
spec:
  selector:
    matchLabels:
      app: nginx-test
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx-test
    spec:
      containers:
      - name: nginx
        image: nginx
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
        ports:
        - containerPort: 80
      restartPolicy: Always
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: nginx-test
  name: nginx-test
  namespace: demo1
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 80
    nodePort: 32003
  selector:
    app: nginx-test
EOF

kubectl apply -f /root/manifests/nginx_demo1.yaml

cat <<'EOF' > /root/manifests/nginx_demo2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test
  namespace: demo2
spec:
  selector:
    matchLabels:
      app: nginx-test
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx-test
    spec:
      containers:
      - name: nginx
        image: nginx
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
        ports:
        - containerPort: 80
      restartPolicy: Always
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: nginx-test
  name: nginx-test
  namespace: demo2
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 80
    nodePort: 32004
  selector:
    app: nginx-test
EOF

kubectl apply -f /root/manifests/nginx_demo2.yaml

The following pods have been created

[root@calico-k8s-master01 ~(demo2 kubernetes-admin)]# kubectl get pods -o wide --all-namespaces
NAMESPACE     NAME                                               READY     STATUS    RESTARTS   AGE       IP                NODE
demo1         nginx-test-5cfdd88d5-4lb7n                         1/1       Running   0          1m        10.1.7.4          calico-k8s-node01.maas
demo1         nginx-test-5cfdd88d5-76mbd                         1/1       Running   0          1m        10.1.5.3          calico-k8s-node02.maas
demo2         nginx-test-5cfdd88d5-75sn9                         1/1       Running   0          24s       10.1.7.5          calico-k8s-node01.maas
demo2         nginx-test-5cfdd88d5-fvtdc                         1/1       Running   0          24s       10.1.5.4          calico-k8s-node02.maas
kube-system   calico-etcd-jc5st                                  1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   calico-kube-controllers-84fd4db7cd-pxndj           1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   calico-node-4wbfq                                  2/2       Running   0          1d        192.168.204.101   calico-k8s-node01.maas
kube-system   calico-node-8zwjd                                  2/2       Running   0          1d        192.168.204.102   calico-k8s-node02.maas
kube-system   calico-node-cqcvb                                  2/2       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   calicoctl                                          1/1       Running   0          1d        192.168.204.102   calico-k8s-node02.maas
kube-system   coredns-78fcdf6894-5m2qn                           1/1       Running   0          1d        10.1.6.64         calico-k8s-master01.maas
kube-system   coredns-78fcdf6894-k5tf4                           1/1       Running   0          1d        10.1.6.65         calico-k8s-master01.maas
kube-system   etcd-calico-k8s-master01.maas                      1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kube-apiserver-calico-k8s-master01.maas            1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kube-controller-manager-calico-k8s-master01.maas   1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kube-proxy-mrj59                                   1/1       Running   0          1d        192.168.204.102   calico-k8s-node02.maas
kube-system   kube-proxy-pvnk8                                   1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kube-proxy-rznnx                                   1/1       Running   0          1d        192.168.204.101   calico-k8s-node01.maas
kube-system   kube-scheduler-calico-k8s-master01.maas            1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kubernetes-dashboard-6d4bc79449-z6jdg              1/1       Running   0          1d        10.1.7.3          calico-k8s-node01.maas

For connectivity checks, start a CentOS pod in each namespace (busybox would do as well)

cat <<'EOF' > /root/manifests/centos_demo1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: centos-deployment
  namespace: demo1
spec:
  selector:
    matchLabels:
      app: centos
  replicas: 1
  template:
    metadata:
      labels:
        app: centos
    spec:
      containers:
      - name: centos
        image: centos:latest
        command: [ "sleep", "360000000" ]
EOF

kubectl apply -f /root/manifests/centos_demo1.yaml

cat <<'EOF' > /root/manifests/centos_demo2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: centos-deployment
  namespace: demo2
spec:
  selector:
    matchLabels:
      app: centos
  replicas: 1
  template:
    metadata:
      labels:
        app: centos
    spec:
      containers:
      - name: centos
        image: centos:latest
        command: [ "sleep", "360000000" ]
EOF

kubectl apply -f /root/manifests/centos_demo2.yaml

The following pods now exist

[root@calico-k8s-master01 manifests(demo2 kubernetes-admin)]# kubectl get pods -o wide --all-namespaces
NAMESPACE     NAME                                               READY     STATUS    RESTARTS   AGE       IP                NODE
demo1         centos-deployment-7d7d7bcb56-thjvk                 1/1       Running   0          23s       10.1.5.5          calico-k8s-node02.maas
demo1         nginx-test-5cfdd88d5-4lb7n                         1/1       Running   0          5m        10.1.7.4          calico-k8s-node01.maas
demo1         nginx-test-5cfdd88d5-76mbd                         1/1       Running   0          5m        10.1.5.3          calico-k8s-node02.maas
demo2         centos-deployment-7d7d7bcb56-c57br                 1/1       Running   0          6s        10.1.7.6          calico-k8s-node01.maas
demo2         nginx-test-5cfdd88d5-75sn9                         1/1       Running   0          4m        10.1.7.5          calico-k8s-node01.maas
demo2         nginx-test-5cfdd88d5-fvtdc                         1/1       Running   0          4m        10.1.5.4          calico-k8s-node02.maas
kube-system   calico-etcd-jc5st                                  1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   calico-kube-controllers-84fd4db7cd-pxndj           1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   calico-node-4wbfq                                  2/2       Running   0          1d        192.168.204.101   calico-k8s-node01.maas
kube-system   calico-node-8zwjd                                  2/2       Running   0          1d        192.168.204.102   calico-k8s-node02.maas
kube-system   calico-node-cqcvb                                  2/2       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   calicoctl                                          1/1       Running   0          1d        192.168.204.102   calico-k8s-node02.maas
kube-system   coredns-78fcdf6894-5m2qn                           1/1       Running   0          1d        10.1.6.64         calico-k8s-master01.maas
kube-system   coredns-78fcdf6894-k5tf4                           1/1       Running   0          1d        10.1.6.65         calico-k8s-master01.maas
kube-system   etcd-calico-k8s-master01.maas                      1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kube-apiserver-calico-k8s-master01.maas            1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kube-controller-manager-calico-k8s-master01.maas   1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kube-proxy-mrj59                                   1/1       Running   0          1d        192.168.204.102   calico-k8s-node02.maas
kube-system   kube-proxy-pvnk8                                   1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kube-proxy-rznnx                                   1/1       Running   0          1d        192.168.204.101   calico-k8s-node01.maas
kube-system   kube-scheduler-calico-k8s-master01.maas            1/1       Running   0          1d        192.168.204.100   calico-k8s-master01.maas
kube-system   kubernetes-dashboard-6d4bc79449-z6jdg              1/1       Running   0          1d        10.1.7.3          calico-k8s-node01.maas

Memo: exec into each nginx pod and edit the welcome page so that you can tell which namespace's pod answered; add text such as "from demo01-1" to the body.
The heredoc below is run inside the nginx container (for example via kubectl exec -it <pod> -- bash), once per pod with the label changed each time.

cat <<'EOF' > /usr/share/nginx/html/index.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
EOF

Checking the initial state

Connectivity from the demo1 CentOS pod

By default, with no NetworkPolicy present, pods in all namespaces can reach one another.

Same namespace (demo1 → demo1)

[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.7.7/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.5.6/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-2</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Different namespace (demo1 → demo2)

[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.7.5/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# 
[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.5.4/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-2</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Same namespace via the NodePort Service's ClusterIP (demo1 → demo1)

(10.1.3.63:8080 is the ClusterIP and port of the demo1 nginx-test Service; as the prompt shows, these commands are run from a shell inside the CentOS pod.)

[root@centos-deployment-7d7d7bcb56-thjvk /]# curl http://10.1.3.63:8080/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-2</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Different namespace via the NodePort Service's ClusterIP (demo1 → demo2)

[root@centos-deployment-7d7d7bcb56-thjvk /]# curl http://10.1.0.92:8080/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Configuring NetworkPolicy

Setting a default NetworkPolicy

Right after a namespace is created there is no NetworkPolicy in it at all, as shown below.
The examples below are run in the demo1 namespace; the prompt shows the current namespace.

[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl get networkpolicies
No resources found.

As soon as a pod is selected by any NetworkPolicy in its namespace, it becomes isolated for the policy types that policy lists: any connection not explicitly allowed by some policy selecting that pod is dropped. Pods that no policy selects stay fully open. In other words, the first policy you create in a namespace effectively defines its default stance, so it is worth making that first policy an explicit deny-all.

Here a deny-all policy (a policy with no rules at all) is created.

  • spec.podSelector: {} selects every pod in the namespace.
  • spec.policyTypes: [Ingress] declares that this policy governs ingress. Because the policy carries no ingress rules, nothing matches and all ingress (outside → pod) traffic to the selected pods is dropped. Egress is not listed in policyTypes, so egress stays unrestricted (all allowed).

cat <<'EOF' > /root/manifests/default-deny-demo1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: demo1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF

kubectl apply -f /root/manifests/default-deny-demo1.yaml

You can confirm it was created as follows

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl get networkpolicies
NAME           POD-SELECTOR   AGE
default-deny   <none>         11s
[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# 
[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl get networkpolicies -o wide
NAME           POD-SELECTOR   AGE
default-deny   <none>         30s
[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl describe networkpolicies default-deny 
Name:         default-deny
Namespace:    demo1
Created on:   2018-07-15 18:51:58 +0900 JST
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"default-deny","namespace":"demo1"},"spec":{"podSelecto...
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress

One caveat when reading this output: the line "Allowing egress traffic: <none> (Selected pods are isolated for egress connectivity)" is misleading. The Policy Types line is what counts, and since Egress is not listed there the selected pods are not isolated for egress at all; kubectl describe prints that line here simply because the egress rule list is empty, regardless of policyTypes.
Connectivity check

With default-deny applied in demo1, the same tests are repeated.

Same namespace (demo1 → demo1)

No connectivity. Calico drops the denied packets silently, so curl hangs rather than failing; it is stopped here with Ctrl+C (SIGINT, hence exit code 130). Passing --connect-timeout to curl avoids the hang.

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.7.7/
^Ccommand terminated with exit code 130
[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.5.6/
^Ccommand terminated with exit code 130
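Driving the hanging curl above by hand gets tedious once there are several policies to check. The script below is an added example, not part of the original article: it runs the same kubectl exec / curl probe with a timeout and turns curl's exit status into an allowed/denied verdict. It assumes kubectl is on PATH and curl exists in the source pod (true for the CentOS image used here); the pod names and addresses in PROBES are taken from this article's listings and must be replaced with your own.

```python
"""Connectivity probe for NetworkPolicy tests that never hangs.

Added example, not code from the article. Runs `kubectl exec ... curl`
with --connect-timeout / --max-time so a dropped connection is reported
as DENIED after a few seconds instead of needing Ctrl+C.
"""
import subprocess
from typing import Callable, List, Tuple

TIMEOUT_SECONDS = "3"


def build_cmd(namespace: str, pod: str, url: str) -> List[str]:
    """kubectl exec command line; -w prints the HTTP status on success."""
    return ["kubectl", "exec", "-n", namespace, pod, "--",
            "curl", "-sS", "-o", "/dev/null", "-w", "%{http_code}",
            "--connect-timeout", TIMEOUT_SECONDS, "--max-time", TIMEOUT_SECONDS, url]


def classify(returncode: int, stdout: str) -> Tuple[str, str]:
    """Map curl's exit status (passed through by kubectl exec) to a verdict.

    0  -> an HTTP response came back                   (ALLOWED)
    28 -> timed out: a policy drop produces no reply    (DENIED)
    7  -> connection refused: reachable, no listener    (REFUSED)
    """
    if returncode == 0:
        return "ALLOWED", stdout.strip()
    if returncode == 28:
        return "DENIED", "timeout"
    if returncode == 7:
        return "REFUSED", "connection refused"
    return "ERROR", f"curl exit {returncode}"


def run_real(cmd: List[str]) -> subprocess.CompletedProcess:
    """Execute the probe against a live cluster."""
    return subprocess.run(cmd, capture_output=True, text=True)


def fake_runner(returncode: int, stdout: str = "") -> Callable:
    """Stand-in for run_real so the classification can be exercised offline."""
    return lambda cmd: subprocess.CompletedProcess(cmd, returncode, stdout, "")


def probe(namespace: str, pod: str, url: str,
          runner: Callable = run_real) -> Tuple[str, str]:
    """Run one probe and return (verdict, detail)."""
    result = runner(build_cmd(namespace, pod, url))
    return classify(result.returncode, result.stdout)


# Assumed names: this article's CentOS pods, a demo1 nginx pod IP and the
# demo1 Service ClusterIP. Replace them with values from your cluster.
PROBES = [
    ("demo1", "centos-deployment-7d7d7bcb56-thjvk", "http://10.1.7.7/"),
    ("demo1", "centos-deployment-7d7d7bcb56-thjvk", "http://10.1.3.63:8080/"),
    ("demo2", "centos-deployment-7d7d7bcb56-c57br", "http://10.1.7.7/"),
]

if __name__ == "__main__":
    for ns, pod, url in PROBES:
        verdict, detail = probe(ns, pod, url)
        print(f"{ns}/{pod} -> {url}: {verdict} ({detail})")
```

A DENIED verdict corresponds to curl exit 28: a NetworkPolicy drop produces no reply, so the TCP handshake never completes. REFUSED (exit 7) means the packet got through but nothing was listening, which is worth distinguishing when a policy seems not to work as expected.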

Different namespace (demo1 → demo2)

No NetworkPolicy is applied in demo2, so it is still reachable

[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.7.5/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.5.4/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-2</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Same namespace via the NodePort Service's ClusterIP (demo1 → demo1)

This is blocked as well: the Service only DNATs to a demo1 nginx pod, and the policy is enforced at that pod

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.3.63:8080/
^Ccommand terminated with exit code 130

Different namespace via the NodePort Service's ClusterIP (demo1 → demo2)

demo2 is still reachable this way too

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.0.92:8080/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Allow only the CentOS pod in the demo1 namespace

  • spec.podSelector.matchLabels: pods carrying this label are the ones this policy applies to (here the nginx pods).
  • spec.policyTypes: Ingress (traffic from outside the pod into the selected pods).
  • spec.ingress.from: the source condition. Pods labelled app=centos are allowed to reach TCP port 80. The port here is the containerPort of the target pod as declared in the Deployment, not the Service port or nodePort: kube-proxy has already translated the Service address by the time the policy is evaluated at the pod.
  • spec.ingress.from.namespaceSelector: not specified. A podSelector in from without a namespaceSelector matches pods in the policy's own namespace only (demo1), which is exactly the behaviour seen in the demo2 → demo1 test below.

cat <<'EOF' > /root/manifests/default-allowcentos-demo1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-centos
  namespace: demo1
spec:
  podSelector:
    matchLabels:
      app: nginx-test
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: centos
    ports:
    - protocol: TCP
      port: 80
EOF

kubectl apply -f /root/manifests/default-allowcentos-demo1.yaml

Verify

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl describe networkpolicies allow-centos 
Name:         allow-centos
Namespace:    demo1
Created on:   2018-07-15 19:22:03 +0900 JST
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"allow-centos","namespace":"demo1"},"spec":{"ingress":[...
Spec:
  PodSelector:     app=nginx-test
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      PodSelector: app=centos
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress

Connectivity check

Same namespace (demo1 → demo1)

The traffic is now allowed, so the connection succeeds

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.7.7/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.5.6/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-2</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Different namespace (demo1 → demo2)

demo2 still has no NetworkPolicy, so it remains reachable

[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.7.5/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.5.4/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-2</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Same namespace via the NodePort Service's ClusterIP (demo1 → demo1)

Allowed now as well, which confirms that the policy matches on the pod's port 80 even though the client connected to the Service on port 8080

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.3.63:8080/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Different namespace via the NodePort Service's ClusterIP (demo1 → demo2)

demo2 remains reachable this way too

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.0.92:8080/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

From a different namespace (demo2 → demo1)

The demo2 CentOS pod also carries the label app=centos, but it is in a different namespace, and a bare podSelector only matches pods in the policy's own namespace, so it cannot connect

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -n demo2 -it centos-deployment-7d7d7bcb56-c57br curl http://10.1.7.7/
^Ccommand terminated with exit code 130
[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -n demo2 -it centos-deployment-7d7d7bcb56-c57br curl http://10.1.5.6/
^Ccommand terminated with exit code 130

Allow the CentOS pod in the demo2 namespace

Note the shape of the from list below: podSelector and namespaceSelector are two separate list items (each with its own leading dash), so they are OR'd. The rule therefore admits any app=centos pod in demo1 or any pod at all in the demo2 namespace, including demo2's nginx pods, which is broader than the policy name suggests. To admit only app=centos pods from demo2, put both selectors in a single list item (remove the dash before namespaceSelector) so they are AND'd. The test that follows only exercises the demo2 CentOS pod, so it passes either way.

cat <<'EOF' > /root/manifests/default-allowcentos-demo2.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-demo2-centos
  namespace: demo1
spec:
  podSelector:
    matchLabels:
      app: nginx-test
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: centos
    - namespaceSelector:
        matchLabels:
          nsname: demo2
    ports:
    - protocol: TCP
      port: 80
EOF

kubectl apply -f /root/manifests/default-allowcentos-demo2.yaml

Connectivity check

From a different namespace (demo2 → demo1)

demo2 is now allowed in, so the connection succeeds

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -n demo2 -it centos-deployment-7d7d7bcb56-c57br curl http://10.1.7.7/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -n demo2 -it centos-deployment-7d7d7bcb56-c57br curl http://10.1.5.6/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-2</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Delete all the NetworkPolicies

[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl get networkpolicies
NAME                      POD-SELECTOR     AGE
allow-centos              app=nginx-test   40m
allow-from-demo2-centos   app=nginx-test   2m
default-deny              <none>           1h

kubectl delete networkpolicies allow-centos allow-from-demo2-centos default-deny

Per-namespace NetworkPolicy

Configuration

The policies so far grant allows per pod label, which is tedious to write.
It also gets complicated quickly, which can make it hard to operate.

Here a single policy per namespace is used to block all traffic between namespaces: it selects every pod and allows ingress only from pods in the same namespace (matched by the nsname label). Keep in mind that it allows exactly that and nothing else: a source that is not a pod in the namespace, such as an external client arriving through the NodePort Services above, is not matched by the namespaceSelector and would need a rule of its own (for example an ipBlock).

cat <<'EOF' > /root/manifests/deny-between-namespaces-demo1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-between-namespaces-demo1
  namespace: demo1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          nsname: demo1
EOF

kubectl apply -f /root/manifests/deny-between-namespaces-demo1.yaml

cat <<'EOF' > /root/manifests/deny-between-namespaces-demo2.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-between-namespaces-demo2
  namespace: demo2
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          nsname: demo2
EOF

kubectl apply -f /root/manifests/deny-between-namespaces-demo2.yaml
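Before checking the cluster, it helps to be able to reason offline about all four policy shapes seen in this article: the rule-less default-deny, the bare podSelector that stays inside its own namespace, the OR of separate from items versus the AND of a single item (the allow-from-demo2-centos case), and the per-namespace policy just applied. The script below is an added example, not code from the article or from Kubernetes or Calico: it models the Kubernetes ingress evaluation rules over a small inventory of pods and namespace labels written inline to mirror this article's manifests (constructed data, no cluster needed), with the article's policies transcribed as Python dicts.

```python
"""Offline model of Kubernetes NetworkPolicy ingress evaluation.

Added example, not code from the article, Kubernetes or Calico. Pods,
namespace labels and policies are inline dicts mirroring this article's
manifests (constructed data; no cluster is contacted).
"""
from typing import Dict, List, Optional

# Namespace labels as set by the namespace-demo1 / namespace-demo2 manifests.
NAMESPACE_LABELS = {"demo1": {"nsname": "demo1"}, "demo2": {"nsname": "demo2"}}

# One representative pod per Deployment, with the labels from the manifests.
PODS = {
    "demo1/nginx":  {"ns": "demo1", "labels": {"app": "nginx-test"}},
    "demo1/centos": {"ns": "demo1", "labels": {"app": "centos"}},
    "demo2/nginx":  {"ns": "demo2", "labels": {"app": "nginx-test"}},
    "demo2/centos": {"ns": "demo2", "labels": {"app": "centos"}},
}


def selector_matches(selector: Optional[dict], labels: Dict[str, str]) -> bool:
    """matchLabels semantics; an empty selector ({}) matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer: dict, src: dict, policy_ns: str) -> bool:
    """One item of ingress[].from[]; separate items are OR'd by the caller.

    podSelector alone       -> pods in the policy's own namespace only
    namespaceSelector alone -> every pod in the matching namespaces
    both in one item        -> both must hold (AND)
    """
    has_pod, has_ns = "podSelector" in peer, "namespaceSelector" in peer
    if has_ns:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS[src["ns"]]):
            return False
    elif src["ns"] != policy_ns:
        return False
    if has_pod and not selector_matches(peer["podSelector"], src["labels"]):
        return False
    return has_pod or has_ns


def port_matches(ports: Optional[List[dict]], proto: str, port: int) -> bool:
    """No ports listed means every port of the selected pods."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)


def ingress_allowed(policies: List[dict], src_name: str, dst_name: str,
                    port: int = 80, proto: str = "TCP") -> bool:
    """True if src may open proto/port to dst under these policies.

    A pod is isolated for ingress once a policy in its namespace selects it
    with Ingress in policyTypes; some rule must then allow the connection.
    A pod selected by no such policy accepts everything.
    """
    src, dst = PODS[src_name], PODS[dst_name]
    selecting = [p for p in policies
                 if p["namespace"] == dst["ns"]
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selector_matches(p["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol.get("ingress", []):
            peers = rule.get("from")  # absent or empty: any source
            src_ok = not peers or any(peer_matches(f, src, pol["namespace"]) for f in peers)
            if src_ok and port_matches(rule.get("ports"), proto, port):
                return True
    return False


def who_reaches(policies: List[dict], dst_name: str, port: int = 80) -> Dict[str, bool]:
    """Verdict for every other pod trying to reach dst_name."""
    return {s: ingress_allowed(policies, s, dst_name, port) for s in PODS if s != dst_name}


# The article's manifests transcribed as dicts.
NGINX = {"matchLabels": {"app": "nginx-test"}}
CENTOS = {"matchLabels": {"app": "centos"}}
TCP80 = [{"protocol": "TCP", "port": 80}]

DEFAULT_DENY_DEMO1 = {"namespace": "demo1", "podSelector": {}, "policyTypes": ["Ingress"]}

ALLOW_CENTOS = {"namespace": "demo1", "podSelector": NGINX, "policyTypes": ["Ingress"],
                "ingress": [{"from": [{"podSelector": CENTOS}], "ports": TCP80}]}

# As written in the article: two separate items under from, i.e. OR.
ALLOW_FROM_DEMO2_OR = {"namespace": "demo1", "podSelector": NGINX, "policyTypes": ["Ingress"],
                       "ingress": [{"from": [{"podSelector": CENTOS},
                                             {"namespaceSelector": {"matchLabels": {"nsname": "demo2"}}}],
                                    "ports": TCP80}]}

# Both selectors in one item, i.e. AND: only app=centos pods in demo2.
ALLOW_FROM_DEMO2_AND = {"namespace": "demo1", "podSelector": NGINX, "policyTypes": ["Ingress"],
                        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"nsname": "demo2"}},
                                               "podSelector": CENTOS}],
                                     "ports": TCP80}]}

DENY_BETWEEN_NS_DEMO1 = {"namespace": "demo1", "podSelector": {}, "policyTypes": ["Ingress"],
                         "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"nsname": "demo1"}}}]}]}

if __name__ == "__main__":
    for title, pols in [("no policy", []),
                        ("default-deny", [DEFAULT_DENY_DEMO1]),
                        ("allow-centos", [DEFAULT_DENY_DEMO1, ALLOW_CENTOS]),
                        ("demo2 OR form", [DEFAULT_DENY_DEMO1, ALLOW_CENTOS, ALLOW_FROM_DEMO2_OR]),
                        ("demo2 AND form", [DEFAULT_DENY_DEMO1, ALLOW_CENTOS, ALLOW_FROM_DEMO2_AND]),
                        ("per-namespace", [DENY_BETWEEN_NS_DEMO1])]:
        print(f"{title:15s} -> demo1/nginx: {who_reaches(pols, 'demo1/nginx')}")
```

Run it as a script to print, for each policy set, which pods may reach demo1's nginx. The OR versus AND rows make concrete what the shape of allow-from-demo2-centos's from list implies: with the article's two-item list, demo2's nginx pod is admitted as well; with both selectors in one item it is not.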

Connectivity check

Same namespace (demo1 → demo1)

All traffic from the same namespace is allowed, so access works

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.7.7/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.5.6/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo01-2</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

From a different Namespace (demo2 → demo1)

Traffic from a different Namespace is dropped. curl hangs until interrupted (exit code 130) because the packets are silently dropped rather than rejected; adding `--max-time 5` to curl gives a clean timeout instead.

[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -n demo2 -it centos-deployment-7d7d7bcb56-c57br curl http://10.1.7.7/
^Ccommand terminated with exit code 130
[root@calico-k8s-master01 manifests(demo1 kubernetes-admin)]# kubectl exec -n demo2 -it centos-deployment-7d7d7bcb56-c57br curl http://10.1.5.6/
^Ccommand terminated with exit code 130

Same Namespace (demo2 → demo2)

[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -n demo2 -it centos-deployment-7d7d7bcb56-c57br curl http://10.1.7.5/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-1</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -n demo2 -it centos-deployment-7d7d7bcb56-c57br curl http://10.1.5.4/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx! from demo02-2</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

To a different Namespace (demo1 → demo2)

Traffic to a different Namespace is dropped here as well:

[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -n demo1 -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.7.5/
^Ccommand terminated with exit code 130
[root@calico-k8s-master01 ~(demo1 kubernetes-admin)]# kubectl exec -n demo1 -it centos-deployment-7d7d7bcb56-thjvk curl http://10.1.5.4/
^Ccommand terminated with exit code 130

With this approach the policies are easy to write and easy to reason about, so it may be the better option. Two caveats: `policyTypes` only lists `Ingress`, so egress from the Pods is still unrestricted, and the match depends on the `nsname` Namespace label, so anyone allowed to label Namespaces can make another Namespace a permitted source.

NetworkPolicy for external exposure

If you only allow traffic from within the Namespace, the Pods can no longer be reached through a NodePort (or any other) Service either: the source seen by the policy is the node's address (kube-proxy SNAT) or the external client's address, and neither matches a `namespaceSelector` or a `podSelector`. Expose only the Pods that actually need to be public.

  • `from` is left empty and only `ports` is specified, so TCP port 80 is reachable from anywhere.
  • NetworkPolicies are additive: this policy also re-opens port 80 of the `app=nginx-test` Pods to Pods in demo2 (and every other Namespace), so for that port `deny-between-namespaces-demo1` no longer isolates anything. Keep the `podSelector` limited to exactly the Pods that need exposure and the port list minimal.
cat <<'EOF' > /root/manifests/allow-demo1-nodeport.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-demo1-nodeport
  namespace: demo1
spec:
  podSelector:
    matchLabels:
      app: nginx-test
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 80
EOF

kubectl apply -f /root/manifests/allow-demo1-nodeport.yaml
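The per-Namespace isolation policies and the allow-demo1-nodeport policy above interact in a way that is easy to miss when reading YAML: a Pod is isolated as soon as any policy selects it, and a connection is then allowed if any rule of any selecting policy matches, so the open-`from` rule on port 80 also lets demo2 Pods reach nginx-test in demo1. The following script is an added example, not code from the article or from Kubernetes or Calico. It models just the ingress semantics this page uses (matchLabels selectors, `from` with namespaceSelector/podSelector, `ports`) and reproduces the page's connectivity matrix before and after allow-demo1-nodeport is applied. The centos Pods' labels are not shown on the page, so `app: centos` is an assumption, as are the Pod names.

```python
"""Minimal model of Kubernetes NetworkPolicy *ingress* evaluation (added example).

Models only what the page uses: podSelector/namespaceSelector with matchLabels,
ingress rules with `from` and `ports`, policyTypes Ingress. ipBlock, egress and
matchExpressions are not modelled. Semantics follow the upstream spec: a Pod is
isolated for ingress as soon as any policy in its Namespace selects it, and a
connection is then allowed if ANY rule of ANY selecting policy matches
(policies are additive; there is no deny rule).
"""
from dataclasses import dataclass, field

# Namespace labels from the page's Namespace manifests.
NAMESPACE_LABELS = {"demo1": {"nsname": "demo1"}, "demo2": {"nsname": "demo2"}}


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


def selects(selector, labels):
    """matchLabels: every key/value must be present. An empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns):
    """One entry of ingress[].from. namespaceSelector and podSelector in the same entry
    are ANDed; without a namespaceSelector the peer refers to the policy's own Namespace."""
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], NAMESPACE_LABELS.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    if "podSelector" in peer and not selects(peer["podSelector"], src.labels):
        return False
    return True


def rule_allows(rule, src, port, policy_ns):
    """An empty/missing `from` means any source; an empty/missing `ports` means any port (TCP only here)."""
    peers = rule.get("from") or []
    if peers and not any(peer_matches(p, src, policy_ns) for p in peers):
        return False
    ports = rule.get("ports") or []
    if ports and not any(p.get("port") == port and p.get("protocol", "TCP") == "TCP" for p in ports):
        return False
    return True


def ingress_allowed(policies, src, dst, port):
    """True if TCP traffic src -> dst:port is permitted by `policies`."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selects(p["spec"]["podSelector"], dst.labels)
    ]
    if not selecting:
        return True  # not isolated for ingress: default allow
    return any(rule_allows(r, src, port, p["metadata"]["namespace"])
               for p in selecting for r in p["spec"].get("ingress", []))


def isolate_namespace(ns):
    """The page's deny-between-namespaces-<ns> policy, as a dict mirroring the YAML."""
    return {
        "metadata": {"name": f"deny-between-namespaces-{ns}", "namespace": ns},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"nsname": ns}}}]}],
        },
    }


# The page's allow-demo1-nodeport policy: `from` left empty, so any source on TCP/80.
ALLOW_DEMO1_NODEPORT = {
    "metadata": {"name": "allow-demo1-nodeport", "namespace": "demo1"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx-test"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"ports": [{"protocol": "TCP", "port": 80}]}],
    },
}

# Pods as on the page. Names and the centos label `app: centos` are assumptions.
NGINX_DEMO1 = Pod("nginx-test-demo1", "demo1", {"app": "nginx-test"})
NGINX_DEMO2 = Pod("nginx-test-demo2", "demo2", {"app": "nginx-test"})
CENTOS_DEMO1 = Pod("centos-demo1", "demo1", {"app": "centos"})
CENTOS_DEMO2 = Pod("centos-demo2", "demo2", {"app": "centos"})
ALL_PODS = [NGINX_DEMO1, NGINX_DEMO2, CENTOS_DEMO1, CENTOS_DEMO2]


def connectivity_matrix(policies, pods, port=80):
    """Map (src name, dst name) -> allowed, for every ordered pair of distinct Pods."""
    return {(s.name, d.name): ingress_allowed(policies, s, d, port)
            for s in pods for d in pods if s is not d}


if __name__ == "__main__":
    base = [isolate_namespace("demo1"), isolate_namespace("demo2")]
    for label, pols in (("namespace isolation", base),
                        ("+ allow-demo1-nodeport", base + [ALLOW_DEMO1_NODEPORT])):
        print(label)
        for (s, d), ok in sorted(connectivity_matrix(pols, ALL_PODS).items()):
            print(f"  {s:>18} -> {d:<18}:80  {'allow' if ok else 'DROP'}")
```

Running the script prints the matrix twice; the pair to watch is centos-demo2 → nginx-test-demo1:80, which flips from DROP to allow once allow-demo1-nodeport is added, while centos-demo2 → centos-demo1 stays dropped because the allow policy does not select the centos Pods. Use the same model to check a new policy before applying it: if a pair you expected to stay isolated turns to allow, the `podSelector` or `ports` of the new policy is wider than intended.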

Reference URLs

Kubernetes.io
https://kubernetes.io/docs/concepts/services-networking/network-policies/
https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/

Calico official documentation
https://docs.projectcalico.org/v3.1/reference/calicoctl/resources/globalnetworkpolicy
https://docs.projectcalico.org/v3.1/reference/calicoctl/resources/networkpolicy
https://docs.projectcalico.org/v3.1/getting-started/kubernetes/tutorials/simple-policy
https://dev-project-calico.pantheonsite.io/calico-network-policy-comes-to-kubernetes/
https://www.projectcalico.org/securing-namespaces-and-services-in-kubernetes/

Japanese resources
https://www.n-novice.com/entry/2018/05/09/215831
https://qiita.com/hirsim/items/972d12c2f7b0f5b6652d
