More than 3 years have passed since last update.

calicoでNamespaceごとに通信を遮断する

kubernetes

Posted at 2021-05-23

calicoをデプロイしておく

~/calico ❯ kubectl get daemonsets -n calico-system                                 1540ms  Mon May 24 01:56:17 2021
NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
calico-node   2         2         2       2            2           kubernetes.io/os=linux   51m
~/calico ❯

動作確認

namespaceを作成

apiVersion: v1
kind: Namespace
metadata:
  name: test1
  labels:
    nsname: test1
---
apiVersion: v1
kind: Namespace
metadata:
  name: test2
  labels:
    nsname: test2

展開

kubectl apply -f namespace.yaml

centos-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: centos-deployment
  namespace: test1
spec:
  selector:
    matchLabels:
      app: centos
  replicas: 1
  template:
    metadata:
      labels:
        app: centos
    spec:
      containers:
      - name: centos
        image: centos:latest
        command: [ "sleep", "360000000" ]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: centos-deployment
  namespace: test2
spec:
  selector:
    matchLabels:
      app: centos
  replicas: 1
  template:
    metadata:
      labels:
        app: centos
    spec:
      containers:
      - name: centos
        image: centos:latest
        command: [ "sleep", "360000000" ]

展開

kubectl apply -f centos-deployment.yaml

この状態で疎通できることを確認

~ ❯ kubectl describe  pod -n test2 | grep IP:                                        1238ms  Mon May 24 02:01:45 2021
IP:           10.4.11.180
  IP:           10.4.11.180

疎通できる

~ ❯ kubectl -n test1 exec -it centos-deployment-7f77bdc564-84745 -- ping 10.4.11.180 1512ms  Mon May 24 02:03:19 2021
PING 10.4.11.180 (10.4.11.180) 56(84) bytes of data.
64 bytes from 10.4.11.180: icmp_seq=1 ttl=254 time=0.114 ms
64 bytes from 10.4.11.180: icmp_seq=2 ttl=254 time=0.061 ms
64 bytes from 10.4.11.180: icmp_seq=3 ttl=254 time=0.058 ms
64 bytes from 10.4.11.180: icmp_seq=4 ttl=254 time=0.071 ms
64 bytes from 10.4.11.180: icmp_seq=5 ttl=254 time=0.078 ms
^C
--- 10.4.11.180 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 83ms
rtt min/avg/max/mdev = 0.058/0.076/0.114/0.021 ms
~

NetworkPolicyを作成する

Ingressの設定
namespaceSelectorが利用できるようになるので、ラベルを指定して許可するラベルのみを指定する

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-test1
  namespace: test1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          nsname: test1
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-test2
  namespace: test2
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          nsname: test2

kubectl apply -f namespace-isolation.yaml

疎通できなくなっていることを確認

~ ❯ kubectl -n test1 exec -it centos-deployment-7f77bdc564-84745 -- ping 10.4.11.180     6s  Mon May 24 02:03:25 2021
PING 10.4.11.180 (10.4.11.180) 56(84) bytes of data.
^C
--- 10.4.11.180 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 217ms

command terminated with exit code 1
~

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up