Introduction to Kubernetes Network Policies for Security Professionals


Translator's note: The author of the article, Reuven Harrison, has more than 20 years of experience in software development and is today CTO and co-founder of Tufin, a company that builds security policy management solutions. While he sees Kubernetes network policies as a sufficiently powerful tool for segmenting the network inside a cluster, he also believes they are not easy to apply in practice. This (fairly long) material is intended to raise practitioners' awareness of the topic and help them write the right rules.

Today more and more companies choose Kubernetes to run their applications. Interest in this software is so high that some call Kubernetes "the new operating system for the data center." Gradually, Kubernetes (or k8s) is coming to be seen as a business-critical component that requires mature operational processes, including network security.

For security professionals puzzled by Kubernetes, the real revelation may be the platform's default policy: allow everything.

This guide will help you understand the internal structure of network policies and how they differ from the rules of conventional firewalls. It also covers some pitfalls and gives recommendations that help secure applications on Kubernetes.

Kubernetes network policies

The Kubernetes network policy mechanism lets you control the interaction of applications deployed on the platform at the network layer (layer 3 of the OSI model). Network policies lack some of the advanced features of modern firewalls, such as OSI layer 7 enforcement and threat detection, but they provide a basic level of network security that is a good starting point.

Network policies control communication between pods

Workloads in Kubernetes run in pods, which consist of one or more containers deployed together. Kubernetes assigns each pod an IP address that is reachable from the other pods. Kubernetes network policies set access rights for groups of pods, much as security groups in the cloud are used to control access to virtual machine instances.

Defining network policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the application balance is given access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress


(Translator's note: this screenshot, like all the similar ones, was produced not with native Kubernetes tooling but with Tufin Orca, a tool developed by the author's company and mentioned at the end of the article.)

To define your network policies, you need basic knowledge of YAML. The language is based on indentation (specified with spaces, not tabs). An indented element belongs to the nearest less-indented element above it. A new list element begins with a hyphen; all other elements are key-value pairs.

After describing the policy in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Network policy specification

The Kubernetes network policy specification consists of four elements:

  1. podSelector: defines the pods this policy applies to (the target) - required;
  2. policyTypes: indicates which policy types are included in this one: ingress and/or egress - optional, but I recommend stating it explicitly in all cases;
  3. ingress: defines the allowed incoming traffic to the target pods - optional;
  4. egress: defines the allowed outgoing traffic from the target pods - optional.

An example taken from the Kubernetes site (I replaced role with app) shows how all four elements are used:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978


Note that all four elements do not have to be included. Only podSelector is required; the other parameters can be used as needed.

If you omit policyTypes, the policy is interpreted as follows:

  • By default, it is assumed to define the ingress side. If the policy does not define ingress explicitly, the system treats this as all incoming traffic denied.
  • Behaviour on the egress side is determined by the presence or absence of the corresponding egress parameter.

To avoid mistakes, I recommend always making policyTypes explicit.

By the logic above, if the ingress and/or egress parameters are omitted, the policy denies all traffic (see "Deny rule" below).

Allow by default

If no policies are defined, Kubernetes allows all traffic by default. All pods can exchange data freely. This may seem counterintuitive from a security standpoint, but remember that Kubernetes was originally designed by developers to enable application interaction. Network policies were added later.

Namespaces

Namespaces are Kubernetes' mechanism for shared tenancy. They are designed to isolate logical environments from one another, while communication between namespaces is allowed by default.

Like most Kubernetes components, network policies live in a specific namespace. In the metadata block you specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not specified in the metadata, the system uses the namespace given to kubectl (by default, namespace=default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend always specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.

The top-level podSelector in a policy selects pods from the namespace the policy belongs to (it cannot select pods from another namespace).

Similarly, the podSelectors in the ingress and egress blocks can only select pods from their own namespace, unless you combine them with a namespaceSelector (this is discussed in the section "Filtering by namespaces and pods").

Policy naming rules

Policy names are unique within a namespace. There cannot be two policies with the same name in one namespace, but there can be policies with the same name in different namespaces. This is useful when you want to apply the same policy again in several namespaces.

I particularly like one naming convention. It combines the namespace name with the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods they apply to:

podSelector:
  matchLabels:
    role: db

... or the namespaces they apply to. This example selects all pods in the namespaces carrying the matching label:

namespaceSelector:
  matchLabels:
    project: myproject

One caution: when using a namespaceSelector, make sure the namespaces you select actually carry the label. Be aware that built-in namespaces such as default and kube-system contain no labels by default.

You can add a label to a namespace like this:

kubectl label namespace default namespace=default

At the same time, the namespace in the metadata section must refer to the actual namespace name, not the label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Source and destination

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are defined for a target (the set of pods they apply to) and then set rules for ingress and/or egress traffic. In our example, the policy's target is all pods in the default namespace with the label key app and value db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978


The ingress subsection of this policy opens incoming traffic to the target pods. In other words, the ingress is the source and the target is the corresponding destination. Likewise, the egress is the destination and the target is its source.


This is equivalent to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting egress traffic, pay special attention to DNS: Kubernetes uses this service to map service names to IP addresses. For example, the following policy will not work, because you have not allowed the balance application to reach DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress


You can fix this by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress


The last to element is empty and therefore implicitly selects all pods in all namespaces, allowing balance to send DNS queries to the appropriate Kubernetes service (usually running in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it also allows DNS queries to destinations outside the cluster.

You can tighten it in three successive steps.

1. Allow DNS queries only inside the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress


2. Allow DNS queries only to the kube-system namespace.

To do this, add a label to the kube-system namespace with kubectl label namespace kube-system namespace=kube-system, and reference it in the policy with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress


3. The paranoid can go even further and restrict DNS queries to a specific DNS service in kube-system. The section "Filtering by namespaces and pods" shows how to achieve this.

Another option is to allow DNS at the namespace level. In that case it does not need to be opened for every service separately:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

The empty podSelector selects all pods in the namespace.
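Two of the pitfalls above (policyTypes defaulting, and egress policies that forget DNS) can be caught before a policy is applied. The following linter is an added example, not code from the article, from Tufin or from Kubernetes; the two policies it checks are constructed inline as the dicts kubectl would produce from the YAML shown in the text.

```python
"""Static checks for NetworkPolicy pitfalls: policyTypes defaulting,
a missing namespace, and egress rules that do not allow DNS."""

# Constructed: egress-only policy with metadata.namespace and policyTypes omitted.
BROKEN = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default.balance"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "balance"}},
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]}],
    },
}

# Constructed: the step-2 policy from the text, DNS allowed only towards kube-system.
FIXED = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default.balance", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "balance"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]},
            {"to": [{"namespaceSelector": {"matchLabels": {"namespace": "kube-system"}}}],
             "ports": [{"protocol": "UDP", "port": 53}]},
        ],
    },
}


def effective_policy_types(spec):
    """Mirror the API server's defaulting: an explicit policyTypes wins;
    otherwise Ingress is always implied and Egress only if an egress key exists."""
    if spec.get("policyTypes"):
        return list(spec["policyTypes"])
    types = ["Ingress"]
    if "egress" in spec:
        types.append("Egress")
    return types


def rule_allows_dns(rule):
    """True if this egress rule's ports cover UDP/53. An omitted ports key means
    every protocol and port; an omitted protocol defaults to TCP; an omitted
    port means all ports of that protocol."""
    ports = rule.get("ports")
    if ports is None:
        return True
    return any(p.get("protocol", "TCP") == "UDP" and p.get("port") in (None, 53)
               for p in ports)


def rule_reaches_other_namespaces(rule):
    """A lone podSelector only sees the policy's own namespace, so the DNS pods in
    kube-system are reachable only via an empty 'to', a namespaceSelector or an ipBlock."""
    peers = rule.get("to")
    if not peers:
        return True
    return any("namespaceSelector" in peer or "ipBlock" in peer for peer in peers)


def lint(policy):
    """Return (code, message) findings for the pitfalls discussed in the text."""
    findings = []
    meta = policy.get("metadata", {})
    spec = policy.get("spec", {})
    types = effective_policy_types(spec)
    if "namespace" not in meta:
        findings.append(("NO_NAMESPACE",
                         "metadata.namespace omitted: kubectl's current namespace is used"))
    if not spec.get("policyTypes"):
        findings.append(("NO_POLICY_TYPES",
                         "policyTypes omitted: defaulted to " + "+".join(types)))
    if "Egress" in types:
        rules = spec.get("egress") or []
        if not any(rule_allows_dns(r) and rule_reaches_other_namespaces(r) for r in rules):
            findings.append(("NO_DNS_EGRESS",
                             "egress is restricted but no rule allows UDP/53 to another "
                             "namespace; service name resolution will fail"))
    if "Ingress" in types and not spec.get("ingress"):
        findings.append(("DENY_ALL_INGRESS",
                         "Ingress applies with no ingress rules: all incoming traffic "
                         "to the selected pods is denied"))
    return findings


if __name__ == "__main__":
    for name, pol in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, [code for code, _ in lint(pol)])
```

Note that the broken policy is flagged four times, and that omitting policyTypes on an egress-only policy silently turns it into a deny-all for ingress as well.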


First match and rule order

In conventional firewalls, the action (Allow or Deny) taken on a packet is determined by the first rule it matches. In Kubernetes, the order of policies does not matter.

By default, when no policies are defined, communication between pods is allowed and they can exchange data freely. Once you start defining policies, every pod selected by at least one of them becomes isolated according to the disjunction (logical OR) of all the policies that select it. Pods not selected by any policy remain open.

You can change this behaviour with a deny rule.

Deny rule ("Deny")

Firewall policies usually deny any traffic that is not explicitly allowed.

There is no deny action in Kubernetes; however, a similar effect can be achieved with an ordinary (allow) policy by selecting an empty set of sources (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress


This policy selects all pods in the namespace and leaves ingress undefined, thereby denying all incoming traffic.

Similarly, you can block all egress traffic leaving the namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress


Note that any additional policy allowing traffic to pods in the namespace takes precedence over this rule (equivalent to adding an allow rule before the deny rule in a firewall configuration).

Allow all (Any-Any-Any-Allow)

To create an Allow All policy, supplement the deny policy above with an empty ingress element:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress


It allows ingress from all pods in all namespaces (and from all IPs) to any pod in the default namespace. This behaviour is enabled by default, so it normally does not need to be stated explicitly. However, you may sometimes need to temporarily disable some specific restriction to diagnose a problem.

The rule can be narrowed to allow access only to a specific set of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress: 
  - {}
  policyTypes:
  - Ingress


The following policy allows all ingress and egress traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress


Combining multiple policies

Policies are combined with logical OR at three levels; each pod's permissions are the disjunction of all the policies that affect it:

1. In the from and to fields, three kinds of elements can be specified (all combined with OR):

  • namespaceSelector - selects an entire namespace;
  • podSelector - selects pods;
  • ipBlock - selects a subnet.

Moreover, the number of elements (even of the same kind) in the from/to subsections is unlimited. They are all combined with logical OR.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


2. Inside the ingress section of a policy there can be several from elements (combined with logical OR). Similarly, the egress section can contain several to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


3. Different policies are also combined with logical OR.

But when combining them there is one limitation, pointed out by Chris Cooney: Kubernetes can only combine policies with different policyTypes (Ingress or Egress). Policies that both define ingress (or both define egress) will overwrite each other.

Relationships between namespaces

By default, data exchange between namespaces is allowed. This can be changed with a deny policy that blocks outgoing and/or incoming traffic for the namespace (see "Deny rule" above).

Once you have blocked access to the namespace (see "Deny rule" above), you can make an exception to the deny policy by allowing connections from a specific namespace with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress


As a result, all pods in the default namespace gain access to the postgres pods in the database namespace. But what if you want to open access to postgres only to specific pods in the default namespace?

Filtering by namespaces and pods

Kubernetes version 1.11 and later lets you combine the namespaceSelector and podSelector operators with logical AND. It looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Why is this interpreted as AND instead of the usual OR?

Note that podSelector does not begin with a hyphen. In YAML this means that podSelector and the namespaceSelector preceding it belong to the same list element. Therefore they are combined with logical AND.

Adding a hyphen before podSelector would create a new list element, which would be combined with the preceding namespaceSelector using logical OR.

To select pods with a specific label across all namespaces, specify an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Multiple labels are combined with AND

Firewall rules with several objects (hosts, networks, groups) combine them with logical OR. The following rule applies if the packet source matches Host_1 OR Host_2:

| Source | Destination | Service | Action |
|--------|-------------|---------|--------|
| Host_1 | Subnet_A    | HTTPS   | Allow  |
| Host_2 |             |         |        |

In contrast, in Kubernetes the different labels within a podSelector or namespaceSelector are combined with logical AND. For example, the following rule selects pods that carry both labels, role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to every kind of selector: target selectors, pod selectors and namespace selectors.

Subnets and IP addresses (ipBlocks)

Firewalls use VLANs, IP addresses and subnets to segment the network.

In Kubernetes, IP addresses are assigned to pods automatically and can change frequently, so network policies use labels to select pods and namespaces.

Subnets (ipBlocks) are used when controlling external (north-south) inbound (ingress) or outbound (egress) connections. For example, this policy opens access from all pods in the default namespace to Google's DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53


The empty pod selector in this example means "select all pods in the namespace."

This policy allows access only to 8.8.8.8; access to any other IP is denied. So, in effect, you have blocked access to the internal Kubernetes DNS service. If you still want to allow it, state that explicitly.

Usually ipBlocks and podSelectors are mutually exclusive, since the internal IP addresses of pods are not used in ipBlocks. If you did specify internal pod IPs, you would in fact allow connections to/from the pods with those addresses. In practice you do not know which IP addresses will be in use, which is why they should not be used to select pods.

As a counter-example, the following policy includes all IPs and therefore allows access to all other pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0


You can open access to external IPs only, excluding the internal IP addresses of the pods. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14


Ports and protocols

Typically, pods listen on a single port. This means you could simply omit port numbers from policies and leave everything at the defaults. Nevertheless, it is good practice to make policies as restrictive as possible, so in some cases you will still want to specify the port:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
      - port: 443      # <<<
        protocol: TCP  # <<<
      - port: 80       # <<<
        protocol: TCP  # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


Note that the ports selector applies to all elements in the to or from block that contains it. To specify different ports for different groups of elements, split ingress or egress into several subsections, each with its own to or from, and specify the ports in each:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
     - port: 443       # <<<
       protocol: TCP   # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
     - port: 80        # <<<
       protocol: TCP   # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


Default port behaviour:

  • If you omit the port definition entirely (ports), this means all protocols and all ports;
  • If you omit the protocol definition (protocol), this means TCP;
  • If you omit the port definition (port), this means all ports.

Best practice: do not rely on default values; state what you need explicitly.

Note that you must use pod ports, not service ports (more on this in the next section).
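The OR/AND rules from "Combining multiple policies", "Filtering by namespaces and pods" and "Multiple labels are combined with AND", together with the port defaults just listed, as one small ingress evaluator. This is an added example, not code from the article or from Kubernetes; it assumes matchLabels-only selectors, numeric ports and ipBlock peers that never match a pod, and the cluster state (namespace labels, pods, one policy) is constructed inline.

```python
"""Decide whether an ingress connection is admitted by a set of NetworkPolicies."""

# Constructed cluster state: namespace labels and a few pods (namespace + labels).
NS_LABELS = {
    "default": {"namespace": "default"},
    "database": {"namespace": "database"},
    "kube-system": {},   # built-in namespaces carry no labels unless you add them
}
POSTGRES = {"namespace": "database", "labels": {"app": "postgres", "version": "v2"}}
REDIS = {"namespace": "database", "labels": {"app": "redis"}}
ADMIN_DEFAULT = {"namespace": "default", "labels": {"app": "admin"}}
ADMIN_DATABASE = {"namespace": "database", "labels": {"app": "admin"}}
INDEXER_DEFAULT = {"namespace": "default", "labels": {"app": "indexer"}}
INDEXER_DATABASE = {"namespace": "database", "labels": {"app": "indexer"}}

# Constructed policy: rule 1 AND-s a namespaceSelector with a podSelector and
# limits it to TCP/5432; rule 2 is a lone podSelector (own namespace, any port).
# The two rules are OR-ed.
POLICIES = [{
    "metadata": {"name": "database.postgres", "namespace": "database"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "postgres"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": {"namespace": "default"}},
                       "podSelector": {"matchLabels": {"app": "admin"}}}],
             "ports": [{"protocol": "TCP", "port": 5432}]},
            {"from": [{"podSelector": {"matchLabels": {"app": "indexer"}}}]},
        ],
    },
}]


def selector_matches(selector, labels):
    """matchLabels are AND-ed: every key must be present with that value.
    An empty selector {} matches everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src, ns_labels):
    """One element of a 'from' list. A namespaceSelector and podSelector written
    in the same element are AND-ed; a lone podSelector only selects pods in the
    policy's own namespace; an empty namespaceSelector {} selects all namespaces."""
    if "ipBlock" in peer:
        return False   # assumption: pod IPs are never matched through ipBlock
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, ns_labels[src["namespace"]]):
            return False
    elif src["namespace"] != policy_ns:
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or selector_matches(pod_sel, src["labels"])


def port_matches(ports, proto, port):
    """Omitted ports key: any protocol and port. Omitted protocol: TCP.
    Omitted port: every port of that protocol."""
    if ports is None:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") in (None, port)
               for p in ports)


def ingress_allowed(policies, ns_labels, src, dst, proto, port):
    """A pod selected by no Ingress policy is open. A selected pod admits the
    union (logical OR) of every rule in every policy that selects it; within a
    rule the peers are OR-ed and the ports restrict all of those peers."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"]["podSelector"], dst["labels"])
    ]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("ingress") or []:
            peers = rule.get("from")
            peer_ok = not peers or any(
                peer_matches(pe, pol["metadata"]["namespace"], src, ns_labels) for pe in peers)
            if peer_ok and port_matches(rule.get("ports"), proto, port):
                return True
    return False


if __name__ == "__main__":
    print("admin/default -> postgres TCP/5432:",
          ingress_allowed(POLICIES, NS_LABELS, ADMIN_DEFAULT, POSTGRES, "TCP", 5432))
    print("admin/database -> postgres TCP/5432:",
          ingress_allowed(POLICIES, NS_LABELS, ADMIN_DATABASE, POSTGRES, "TCP", 5432))
```

The admin pod in the database namespace is refused even though its pod label matches, because the namespaceSelector in the same list element is AND-ed with it; the indexer pod is accepted only from the policy's own namespace, since its rule has a lone podSelector.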

Are policies defined for pods or for services?

Typically, pods in Kubernetes reach each other through a service, a virtual load balancer that forwards traffic to the pods implementing the service. You might expect network policies to control access to services, but that is not the case. Kubernetes network policies operate on pod ports, not service ports.

For example, if a service listens on port 80 but forwards traffic to port 8080 of the pod, it is 8080 that must be specified in the network policy.

This design should be considered suboptimal: if the internal structure of the service (the ports its pods listen on) changes, the network policies must be updated too.

A newer architectural approach using a Service Mesh (for example Istio, see below - translator's note) lets you cope with this problem.

Is it necessary to define both Ingress and Egress?

The short answer is yes: for pod A to talk to pod B, it must be allowed to open an outgoing connection (which requires an egress policy), and pod B must be allowed to accept the incoming connection (which, correspondingly, requires an ingress policy).

In practice, however, you can rely on the default policy to allow connections in one or both directions.

If a source pod is selected by one or more egress policies, the restrictions placed on it are determined by their disjunction. In that case you must explicitly allow the connection to the destination pod. If the pod is not selected by any policy, its outgoing (egress) traffic is allowed by default.

Similarly, the fate of a destination pod selected by one or more ingress policies is determined by their disjunction. In that case you must explicitly allow it to receive traffic from the source pod. If the pod is not selected by any policy, all its incoming traffic is allowed by default.

See "Stateful or stateless?" below.

Logs

Kubernetes network policies cannot log traffic. This makes it hard to determine whether a policy is working as intended and greatly complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not let you specify a fully qualified domain name (DNS) in egress sections. This is a major inconvenience when trying to restrict traffic to external destinations that do not have a fixed IP address (such as aws.com).

Policy validation

Firewalls will warn you about, or even refuse to accept, an incorrect policy. Kubernetes also performs some validation. When a network policy is applied via kubectl, Kubernetes may declare it invalid and refuse to accept it. In other cases, Kubernetes accepts the policy and fills in missing details. You can see them with the command:

kubectl get networkpolicy <policy-name> -o yaml

Bear in mind that Kubernetes validation is not infallible and can miss some kinds of errors.

Enforcement

Kubernetes does not enforce network policies itself; it is only an API gateway that hands enforcement off to a system called the Container Networking Interface (CNI). Setting policies on a Kubernetes cluster without the appropriate CNI is equivalent to creating policies on a firewall management server without installing them on the firewalls. It is up to you to make sure you have a proper CNI or, in the case of Kubernetes platforms hosted in the cloud (you can see a list of providers here - translator's note), to enable network policies so that the CNI is configured for you.

Note that Kubernetes will not warn you if you apply a network policy without a CNI that supports it.

Stateful or stateless?

All the Kubernetes CNIs I have come across are stateful (for example, Calico uses Linux connection tracking). This lets a pod receive replies on a TCP connection it initiated without re-establishing it. However, I am not aware of any Kubernetes standard that guarantees statefulness.

Advanced security policy management

Here are some ways to improve the enforcement of security policies in Kubernetes:

  1. The Service Mesh architectural pattern uses sidecar containers to provide advanced telemetry and traffic control at the service level. Istio is one example.
  2. Some CNI vendors have extended their tools beyond Kubernetes network policies.
  3. Tufin Orca provides visibility and automation for Kubernetes network policies.

The Tufin Orca suite manages Kubernetes network policies (and is the source of the screenshots above).

Conclusion

Kubernetes network policies offer a good set of tools for segmenting a cluster, but they are unintuitive and have many subtleties. Because of this complexity, I believe many existing cluster policies are flawed. Possible remedies include automating policy definition or using other segmentation tools.

I hope this guide has helped answer some questions and solve problems you may encounter.


source: www.habr.com
