calico
Like flannel, calico is a Kubernetes CNI network plugin, but calico offers better network throughput and more flexible network policy; the drawback is that calico is somewhat more complex than flannel.
- Use calico as the CNI network plugin
- Use calico for network policy and flannel as the network plugin
Deploy calico
Before deploying calico for network policy, it's best to delete flannel first, otherwise there may be problems.
# kubectl delete ds kube-flannel-ds-amd64
Back up the flannel configuration files (on every node)
# mkdir /root/cni_d
# mv /etc/cni/net.d/* /root/cni_d/
Create the calico resources
# kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/canal.yaml
Check that the calico pods were created
# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
canal-2hshj 3/3 Running 0 4h
canal-7hzfn 3/3 Running 0 4h
canal-sdfw2 3/3 Running 0 4h
...
calico network policy
This manifest creates two namespaces, dev and prod.
dev gets a network policy: Ingress is declared with no rules, so no inbound access is allowed; Egress is not declared, so outbound traffic is allowed.
Finally two Pods are created, one in the dev namespace and one in prod.
---
###### NameSpace ######
apiVersion: v1
kind: Namespace
metadata:
  name: dev
---
apiVersion: v1
kind: Namespace
metadata:
  name: prod
---
###### NetworkPolicy ######
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
###### Pods ######
apiVersion: v1
kind: Pod
metadata:
  name: pod1
  namespace: dev
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
---
apiVersion: v1
kind: Pod
metadata:
  name: pod2
  namespace: prod
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
Create the resources
# kubectl apply -f ingress-default-demo.yaml
namespace/dev created
namespace/prod created
networkpolicy.networking.k8s.io/deny-all-ingress created
pod/pod1 created
pod/pod2 created
Check that the policy was created
# kubectl get netpol -n dev
NAME POD-SELECTOR AGE
deny-all-ingress <none> 5m
# kubectl get netpol -n prod
No resources found.
Check that the Pods were created
# kubectl get pods -o wide -n dev
NAME READY STATUS RESTARTS AGE IP NODE
pod1 1/1 Running 0 9s 10.244.2.6 node003
# kubectl get pods -o wide -n prod
NAME READY STATUS RESTARTS AGE IP NODE
pod2 1/1 Running 0 10s 10.244.1.7 node002
Test whether the network policy takes effect
# curl --connect-timeout 3 10.244.1.7
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
# curl --connect-timeout 3 10.244.2.6
curl: (28) Connection timed out after 3001 milliseconds
Open access to all Pods in the namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
  namespace: dev
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress
Open specific ports on specific Pods
The target Pods are selected with podSelector; every source in the 10.244.0.0/16 range may reach these Pods on TCP port 80, except the address 10.244.1.7.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-myapp-ingress
  # no namespace given: the policy lands in the namespace of the current kubectl context
spec:
  podSelector:
    matchLabels:
      app: myapp
  ingress:
  # from: if omitted, every source would be allowed; here it is restricted to an ipBlock
  - from:
    - ipBlock:
        cidr: 10.244.0.0/16
        except:
        - 10.244.1.7/32
    ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
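To make the semantics of the three policies above concrete (an Ingress policy with no rules denies everything, a `- {}` rule allows everything, and an ipBlock with except carves one address out of a range), here is a small evaluator in Python. It is an added example, not part of the original notes or of the calico project: it transcribes the spec sections of the manifests into dicts by hand, models only ipBlock peers (namespaceSelector and podSelector peers would need label data it does not carry), and assumes the caller passes in exactly the policies whose podSelector selects the target Pod.

```python
import ipaddress

# Constructed copies of the spec sections of the three manifests on this page
# (assumption: fields transcribed by hand; nothing here talks to a cluster).
DENY_ALL_INGRESS = {"podSelector": {}, "policyTypes": ["Ingress"]}
ALLOW_ALL_INGRESS = {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}
ALLOW_MYAPP_INGRESS = {
    "podSelector": {"matchLabels": {"app": "myapp"}},
    "ingress": [{
        "from": [{"ipBlock": {"cidr": "10.244.0.0/16", "except": ["10.244.1.7/32"]}}],
        "ports": [{"protocol": "TCP", "port": 80}, {"protocol": "TCP", "port": 443}],
    }],
}


def _ip_block_matches(block, src_ip):
    """ipBlock: the source must be inside cidr and outside every except entry."""
    ip = ipaddress.ip_address(src_ip)
    if ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(e, strict=False)
                   for e in block.get("except", []))


def _peer_matches(peer, src_ip):
    # Only ipBlock peers are modelled; selector-based peers never match here.
    return "ipBlock" in peer and _ip_block_matches(peer["ipBlock"], src_ip)


def _rule_matches(rule, src_ip, proto, port):
    """One ingress rule. An omitted 'from' matches every source and an omitted
    'ports' matches every port, so the empty rule {} matches everything."""
    peers = rule.get("from")
    if peers is not None and not any(_peer_matches(p, src_ip) for p in peers):
        return False
    ports = rule.get("ports")
    if ports is not None and not any(
            p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports):
        return False
    return True


def ingress_allowed(policies, src_ip, proto="TCP", port=80):
    """Decide whether a connection from src_ip to proto/port is allowed, given
    the policies whose podSelector selects the target Pod.

    Kubernetes semantics: with no applicable Ingress policy the Pod is open;
    otherwise the connection is allowed iff at least one rule of at least one
    policy matches. Policies are additive and never subtract permissions."""
    applicable = [p for p in policies
                  if "Ingress" in p.get("policyTypes", ["Ingress"])]
    if not applicable:
        return True
    return any(_rule_matches(rule, src_ip, proto, port)
               for p in applicable for rule in p.get("ingress", []))


if __name__ == "__main__":
    # pod2 in prod has no policy; pod1 in dev sits behind deny-all-ingress
    print("prod pod, no policy  :", ingress_allowed([], "10.244.1.7"))
    print("dev pod, deny-all    :", ingress_allowed([DENY_ALL_INGRESS], "10.244.1.7"))
    print("dev pod, + allow-all :", ingress_allowed([DENY_ALL_INGRESS, ALLOW_ALL_INGRESS], "10.244.1.7"))
    print("myapp from 10.244.2.6:", ingress_allowed([ALLOW_MYAPP_INGRESS], "10.244.2.6"))
    print("myapp from 10.244.1.7:", ingress_allowed([ALLOW_MYAPP_INGRESS], "10.244.1.7"))
    print("myapp port 8080      :", ingress_allowed([ALLOW_MYAPP_INGRESS], "10.244.2.6", port=8080))
```

Run as-is it prints the decisions that correspond to the curl and wget results on this page. Note that adding allow-all-ingress next to deny-all-ingress reopens every dev Pod, because policies only ever add permissions; a default-deny policy is therefore only useful together with narrowly scoped allows.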
First test from the host
# curl 10.244.2.6
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
# curl 10.244.1.7
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
Then test from the restricted Pod: reaching itself works, but reaching pod1 times out
/ # ip a s eth0
3: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 1e:54:d8:54:bc:1b brd ff:ff:ff:ff:ff:ff
inet 10.244.1.7/32 scope global eth0
valid_lft forever preferred_lft forever
/ # wget -T 3 -q -O - 10.244.1.7
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
/ # wget -T 3 -q -O - 10.244.2.6
wget: download timed out
References
Official docs: https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/flannel
Policy design in practice
Persistence layer
- Ingress: deny all inbound traffic by default; allow access from the same namespace for in-cluster communication; allow only specific clients to reach the database
- Egress: deny all outbound traffic by default; allow only specific destinations, such as the application-service Pods
Application service layer
- Ingress: deny all inbound traffic by default; allow access from the same namespace for in-cluster communication; allow specific clients
- Egress: allow all outbound traffic, since calls to external resources or APIs are involved
Access layer
- Ingress: allow all access
- Egress: deny all outbound traffic by default; allow access to the same namespace for in-cluster communication; allow only calls to the internal application services
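The three-tier design above is only as good as what is actually applied in the cluster, so here is an audit in Python that takes the output of `kubectl get networkpolicy -A -o json` and reports, per namespace and direction, whether a default-deny is in place and whether an allow-all rule has cancelled it. This is an added example, not part of the original notes or of the calico project; the namespace names db, app and edge, the tier labels and the sample policy list are constructed, and the audit deliberately looks only at policies with an empty podSelector, because those are the ones that set a namespace-wide default.

```python
import json
import sys

# Constructed stand-in for `kubectl get networkpolicy -A -o json` (assumption:
# namespaces db, app and edge implement the three tiers described above, and
# someone later added an allow-all egress policy in edge).
SAMPLE_LIST = {"items": [
    {"metadata": {"name": "default-deny", "namespace": "db"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "allow-from-app", "namespace": "db"},
     "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"tier": "app"}}}],
                           "ports": [{"protocol": "TCP", "port": 3306}]}]}},
    {"metadata": {"name": "default-deny-ingress", "namespace": "app"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-from-edge", "namespace": "app"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"tier": "edge"}}}]}]}},
    {"metadata": {"name": "default-deny-egress", "namespace": "edge"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
    {"metadata": {"name": "allow-all-egress", "namespace": "edge"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{}]}},
]}

# What the three-tier design expects per namespace and direction (constructed).
DESIGN = {
    "db":   {"Ingress": "deny", "Egress": "deny"},
    "app":  {"Ingress": "deny", "Egress": "open"},
    "edge": {"Ingress": "open", "Egress": "deny"},
}


def effective_types(spec):
    """policyTypes as the API server defaults it when omitted: Ingress always,
    Egress only when the policy carries egress rules."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def _has_allow_all(rules):
    # A rule with no from/to and no ports matches every peer on every port.
    return any(not r.get("from") and not r.get("to") and not r.get("ports")
               for r in rules)


def audit(policy_list):
    """Per namespace and direction: "open" (no policy selects all pods for that
    direction), "deny" (a podSelector: {} policy makes it default-deny, with only
    its explicit rules allowed) or "deny-cancelled" (an allow-all rule on a
    podSelector: {} policy re-opens the direction for every pod)."""
    report = {}
    for item in policy_list["items"]:
        ns, spec = item["metadata"]["namespace"], item["spec"]
        state = report.setdefault(ns, {"Ingress": "open", "Egress": "open"})
        if spec.get("podSelector", {}) != {}:
            continue  # a policy scoped to some pods never sets the namespace default
        for direction in effective_types(spec):
            if _has_allow_all(spec.get(direction.lower(), [])):
                state[direction] = "deny-cancelled"
            elif state[direction] == "open":
                state[direction] = "deny"
    return report


def check_design(report, design=DESIGN):
    """One line for every namespace/direction that differs from the design."""
    return [f"{ns}/{direction}: expected {want}, "
            f"found {report.get(ns, {}).get(direction, 'open')}"
            for ns, dirs in design.items() for direction, want in dirs.items()
            if report.get(ns, {}).get(direction, "open") != want]


if __name__ == "__main__":
    # Real data: kubectl get networkpolicy -A -o json | python3 netpol_audit.py
    data = SAMPLE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    report = audit(data)
    print(json.dumps(report, indent=2))
    for finding in check_design(report):
        print("MISMATCH", finding)
```

On the constructed sample the audit flags edge/Egress: the access layer is supposed to deny outbound traffic by default, but the later allow-all-egress policy with an empty podSelector silently reopens it for every Pod in the namespace, which is exactly the kind of drift that a periodic run of this check against the real cluster is meant to surface.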