He Hoʻolauna i nā Kubernetes Network Policies for Security Professionals

Translator's note: The author of the article, Reuven Harrison, has more than 20 years of experience in software development and is today CTO and co-founder of Tufin, a company that builds security policy management solutions. While he regards Kubernetes network policies as a fairly powerful tool for network segmentation inside a cluster, he believes they are not easy to put into practice. This (rather long) material is intended to improve practitioners' understanding of the problem and help them build correct configurations.

Today, many companies choose Kubernetes to run their applications. Interest in the platform is so high that some call Kubernetes "the new operating system for the data center." Kubernetes (or k8s) is gradually becoming a critical part of the business, which requires established, mature operational processes, including network security.

For security professionals puzzling over how to work with Kubernetes, the real revelation may be the platform's default policy: allow everything.

This guide will help you understand the internal structure of network policies and how they differ from the rules of conventional firewalls. It also covers some pitfalls and gives recommendations that help secure applications in Kubernetes.

Kubernetes network policies

The Kubernetes network policy mechanism lets you manage how applications deployed on the platform interact at the network layer (layer 3 of the OSI model). Network policies lack some of the advanced features of modern firewalls, such as OSI layer 7 enforcement and threat detection, but they do provide a basic level of network security that is a good starting point.

Network policies control communication between pods

Workloads in Kubernetes are distributed among pods, each consisting of one or more containers deployed together. Kubernetes assigns every pod an IP address that is reachable from other pods. Kubernetes network policies set access permissions for groups of pods, much as security groups in the cloud are used to control access to virtual machine instances.

Defining network policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the balance application is given access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress

(Translator's note: This illustration, like all the similar ones that follow, was produced not with native Kubernetes tooling but with Tufin Orca, a tool built by the company of the original article's author and mentioned at the end of the article.)

To define your own network policy you need a basic knowledge of YAML. The language is based on indentation (expressed with spaces, not tabs). An indented element belongs to the element above it. A new list item begins with a hyphen; all other elements are key-value pairs.

Once the policy is described in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Network policy specification

The Kubernetes network policy specification has four elements:

  1. podSelector: defines the pods this policy applies to (the targets). Required.
  2. policyTypes: indicates which kinds of policy are included: ingress and/or egress. Optional, but I recommend stating it explicitly in every case.
  3. ingress: defines the allowed incoming traffic to the target pods. Optional.
  4. egress: defines the allowed outgoing traffic from the target pods. Optional.

An example taken from the Kubernetes website (I replaced role with app) shows all four elements in use:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

Note that all four elements do not have to be present. Only podSelector is required; the other parameters can be used as needed.

If you omit policyTypes, the policy is interpreted as follows:

  • By default it is assumed to define the ingress side. If the policy does not explicitly specify ingress, the system assumes all incoming traffic is denied.
  • The behaviour on the egress side is determined by the presence or absence of the corresponding egress element.

To avoid mistakes, I recommend always specifying policyTypes explicitly.

Following the logic above, if the ingress and/or egress sections are omitted, the policy denies all such traffic (see "The deny rule" below).

The default policy is allow

If no policies are defined, Kubernetes allows all traffic by default. All pods can freely exchange information with each other. This may seem counterintuitive from a security standpoint, but remember that Kubernetes was originally designed by developers to make applications interoperable. Network policies were added later.

Namespaces

Namespaces are the Kubernetes mechanism for grouping resources. They are designed to isolate environments from each other, although by default communication between namespaces is allowed.

Like most Kubernetes elements, network policies live in a specific namespace. In the metadata block you can specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not specified explicitly in the metadata, the system uses the namespace given to kubectl (by default namespace=default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.

The main podSelector element of a policy selects pods only from the namespace the policy belongs to (it cannot select pods from other namespaces).

Similarly, the podSelectors in the ingress and egress blocks can only select pods from their own namespace, unless you combine them with a namespaceSelector (this is discussed in the section "Filtering by namespaces and pods").

Policy naming rules

Policy names are unique within a namespace. Two policies cannot have the same name in one namespace, but policies with the same name can exist in different namespaces. This is useful when you want to apply the same policy in several namespaces.

I particularly like one naming convention: combine the namespace name with the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods they apply to:

podSelector:
  matchLabels:
    role: db

... or the namespaces they apply to. This example selects all pods in the namespaces that carry the matching label:

namespaceSelector:
  matchLabels:
    project: myproject

One caution: when using a namespaceSelector, make sure the namespaces you select actually carry the label. Note that the built-in namespaces such as default and kube-system have no labels by default.

You can add a label to a namespace like this:

kubectl label namespace default namespace=default

At the same time, namespace in the metadata section refers to the actual namespace name, not the label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Source and destination

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are defined for a target, the set of pods they apply to, and then set rules for incoming and/or outgoing traffic. In our example, the policy target is all pods in the default namespace that carry the label with key app and value db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

The ingress section in this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the destination. Similarly, egress is the destination and the target is the source.

This is equivalent to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting outgoing traffic, pay special attention to DNS: Kubernetes uses this service to map service names to IP addresses. For example, the following policy will not work, because you have not allowed the balance application to reach DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress

You can fix it by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress

The last to element is empty and therefore implicitly selects all pods in all namespaces, allowing balance to send DNS queries to the Kubernetes DNS service (which normally runs in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it allows DNS queries to be sent outside the cluster.

You can improve it in three steps.

1. Allow only DNS queries inside the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

2. Allow DNS queries only to the kube-system namespace.

To do this, you need to add a label to the kube-system namespace: kubectl label namespace kube-system namespace=kube-system, and then reference it in the policy with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

3. The paranoid can go further and restrict DNS queries to a specific DNS service in kube-system. The section "Filtering by namespaces AND pods" explains how to achieve this.

Another option is to allow DNS at the namespace level. In that case it does not need to be opened for every service separately:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

An empty podSelector selects all pods in the namespace.

First match and rule order

In conventional firewalls, the action (Allow or Deny) taken on a packet is determined by the first rule that matches. In Kubernetes, the order of policies does not matter.

By default, when no policies are configured, communication between pods is allowed and they can exchange information freely. Once you start creating policies, every pod affected by at least one of them is isolated according to the disjunction (logical OR) of all the policies that select it. Pods not affected by any policy remain open.

You can change this behaviour with a deny rule.

The deny rule

Conventional firewall policies deny by default any traffic that is not explicitly allowed.

Kubernetes has no deny action; however, a similar effect can be achieved with an ordinary (allow) policy by selecting an empty set of source pods (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress

This policy selects all pods in the namespace and leaves ingress undefined, thereby denying all incoming traffic.

Similarly, you can block all outgoing traffic from a namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress

Note that any other policies that allow traffic to pods in the namespace take precedence over this rule (similar to adding an allow rule before the deny rule in a firewall configuration).

Allow all (Any-Any-Any-Allow)

To create an Allow All policy, you need to supplement the deny policy above with an empty ingress element:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress

This allows access from all pods in all namespaces (and from all IPs) to any pod in the default namespace. This is the default behaviour, so it normally does not need to be defined again. However, sometimes you need to temporarily disable some specific permissions in order to diagnose a problem.

The rule can be narrowed to allow access only to a specific set of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress:
  - {}
  policyTypes:
  - Ingress

The following policy allows all incoming and outgoing traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress

Combining multiple policies

Policies are combined using logical OR at three levels; the permissions of each pod are determined by the disjunction of all the policies that affect it:

1. In the from and to fields, three kinds of elements can be defined (combined with OR):

  • namespaceSelector: selects an entire namespace;
  • podSelector: selects pods;
  • ipBlock: selects a subnet.

Moreover, the number of elements (even of the same kind) in the from/to sections is unlimited. They are all combined with logical OR.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

2. Within the ingress section of a policy there can be many from elements (combined with logical OR). Similarly, the egress section can include many to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

3. Different policies are also combined with logical OR.

But when combining them there is one limitation pointed out by Chris Cooney: Kubernetes can only combine policies with different policyTypes (Ingress or Egress). Policies that both define ingress (or both define egress) override each other.

Communication between namespaces

By default, the exchange of information between namespaces is allowed. This can be changed with a deny policy that restricts outgoing and/or incoming traffic for the namespace (see "The deny rule" above).

Having blocked access to a namespace (see "The deny rule" above), you can make exceptions to the deny policy by allowing connections from a specific namespace with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress

As a result, all pods in the default namespace get access to the postgres pods in the database namespace. But what if you want to open access to postgres only for specific pods in the default namespace?

Filtering by namespaces and pods

Kubernetes version 1.11 and later can combine the namespaceSelector and podSelector operators using logical AND. It looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Why is this interpreted as AND rather than the usual OR?

Note that podSelector does not start with a hyphen. In YAML this means that podSelector and the preceding namespaceSelector belong to the same list item. Therefore they are combined with logical AND.

Adding a hyphen before podSelector would create a new list item, which would be combined with the preceding namespaceSelector using logical OR.

To select pods with a specific label across all namespaces, specify an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Multiple labels are combined with AND

Firewall rules with multiple objects (hosts, networks, groups) are combined using OR. The rule below fires if the packet source matches Host_1 OR Host_2:

| Source | Destination | Service | Action |
|--------|-------------|---------|--------|
| Host_1 | Subnet_A    | HTTPS   | Allow  |
| Host_2 |             |         |        |

In contrast, in Kubernetes the different labels in a podSelector or namespaceSelector are combined with logical AND. For example, the rule below selects pods that carry both labels, role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to all kinds of selectors: policy target selectors, pod selectors, and namespace selectors.

Subnets and IP addresses (ipBlocks)

Firewalls use VLANs, IP addresses, and subnets to segment a network.

In Kubernetes, IP addresses are assigned to pods automatically and can change frequently, so network policies use labels to select pods and namespaces.

Subnets (ipBlocks) are used when managing incoming (ingress) or outgoing (egress) external connections (North-South). For example, this policy opens access from all pods in the default namespace to the Google DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53

The empty pod selector in this example means "select all pods in the namespace."

This policy allows access only to 8.8.8.8; access to any other IP is denied. So, in effect, you have blocked access to the internal Kubernetes DNS service. If you still want to allow it, state that explicitly.

Usually ipBlocks and podSelectors are mutually exclusive, because the internal IP addresses of pods are not used in ipBlocks. By specifying internal pod IPs you would in fact allow connections to/from the pods with those addresses. In practice you do not know which IP address a pod will use, which is why ipBlocks should not be used to select pods.

As a counter-example, this policy includes all IPs and therefore allows access to all other pods as well:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

You can open access only to external IPs, excluding the internal pod IP addresses. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14

Ports and protocols

Pods usually listen on a single port. This means you could simply leave port numbers out of your policies and allow everything by default. However, it is customary to make policies as restrictive as possible, so in some cases you may still want to specify ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
      - port: 443      # <<<
        protocol: TCP  # <<<
      - port: 80       # <<<
        protocol: TCP  # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Note that the ports selector applies to all elements of the to or from block it sits in. To specify different ports for different sets of elements, split ingress or egress into several sections with their own to or from and list your ports in each:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
     - port: 443       # <<<
       protocol: TCP   # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
     - port: 80        # <<<
       protocol: TCP   # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Default port behaviour:

  • If you omit the port definition (ports) entirely, this means all protocols and all ports;
  • If you omit the protocol definition (protocol), it means TCP;
  • If you omit the port number (port), it means all ports.

Best practice: do not rely on default values; specify explicitly what you need.

Note that you must use pod ports, not service ports (more on this in the next section).

Are policies defined for pods or services?

Usually, pods in Kubernetes access each other through a service, a virtual load balancer that redirects traffic to the pods implementing the service. You might think that network policies control access to services, but this is not the case. Kubernetes network policies operate on pod ports, not service ports.

For example, if a service listens on port 80 but redirects traffic to port 8080 of its pods, you must specify exactly 8080 in the network policy.

Such a mechanism should be considered suboptimal: if the internal structure of the service changes (the ports its pods listen on), the network policies have to be updated too.

A newer architectural approach using a Service Mesh (for example, see Istio below; translator's note) allows you to address this problem.
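
As an added example, not from the article, the check below expands a policy's ports with the defaults listed above and reports rules that admit the Service port instead of the targetPort the pods actually listen on. The Service and the two policies are constructed sample data mirroring the YAML structure; named targetPorts are skipped because resolving them needs the pod spec.

```python
# Added example (not the article's code): expand a policy's `ports` with the
# Kubernetes defaults described above and flag rules that admit the Service's
# front port instead of the targetPort the pods really listen on.

ANY_PORT = None  # sentinel for "every port number of that protocol"


def normalize_ports(rule):
    """(protocol, port) pairs for one ingress/egress rule, with defaults applied:
    no `ports` key -> None (all protocols and ports), no protocol -> TCP,
    no port number -> ANY_PORT."""
    if "ports" not in rule:
        return None
    return [(entry.get("protocol", "TCP"), entry.get("port", ANY_PORT))
            for entry in rule["ports"]]


def port_allowed(rule, protocol, port):
    """Does this rule admit traffic on protocol/port?"""
    allowed = normalize_ports(rule)
    if allowed is None:
        return True
    return any(proto == protocol and (p is ANY_PORT or p == port)
               for proto, p in allowed)


def service_port_mismatches(service, policy):
    """For every Service port, report rules that admit the Service port but
    not the targetPort. Returns a list of findings; empty means consistent."""
    findings = []
    for svc_port in service["spec"]["ports"]:
        protocol = svc_port.get("protocol", "TCP")
        front = svc_port["port"]
        target = svc_port.get("targetPort", front)  # targetPort defaults to port
        if not isinstance(target, int):
            continue  # named targetPorts need the pod spec to resolve; skipped
        for rule in policy["spec"].get("ingress", []):
            if port_allowed(rule, protocol, front) and not port_allowed(rule, protocol, target):
                findings.append(f"{policy['metadata']['name']}: admits {protocol}/{front} "
                                f"(Service port) but pods listen on {protocol}/{target}")
    return findings


# Constructed Service: clients use port 80, the pods listen on 8080.
WEB_SERVICE = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"selector": {"app": "web"},
             "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080}]},
}

# Constructed policy written against the Service port: the mistake described above.
POLICY_SERVICE_PORT = {
    "metadata": {"name": "web-service-port", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "web"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "balance"}}}],
                          "ports": [{"port": 80}]}],  # protocol omitted: TCP by default
             "policyTypes": ["Ingress"]},
}

# Constructed corrected policy: names the pod port.
POLICY_POD_PORT = {
    "metadata": {"name": "web-pod-port", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "web"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "balance"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]}],
             "policyTypes": ["Ingress"]},
}

if __name__ == "__main__":
    for policy in (POLICY_SERVICE_PORT, POLICY_POD_PORT):
        print(service_port_mismatches(WEB_SERVICE, policy) or f"{policy['metadata']['name']}: ok")
```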

Do both ingress and egress need to be defined?

The short answer is yes: for pod A to communicate with pod B, it must be allowed to create an outgoing connection (this requires an egress policy), and pod B must be able to accept an incoming connection (this, accordingly, requires an ingress policy).

However, in practice you can rely on the default policy to allow connections in one or both directions.

If a source pod is selected by one or more egress policies, the restrictions imposed on it are determined by their disjunction. In this case you need to explicitly allow the connection to the destination pod. If a pod is not selected by any policy, its outgoing traffic (egress) is allowed by default.

Similarly, the fate of a destination pod selected by one or more ingress policies is determined by their disjunction. In this case you need to allow it to receive traffic from the source pod. If a pod is not selected by any policy, all incoming traffic to it is allowed by default.

See "Stateful or stateless?" below.

Logs

Kubernetes network policies cannot write logs. This makes it hard to determine whether a policy is working as intended and greatly complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not let you specify a fully qualified domain name (DNS) in the egress sections. This leads to significant difficulties when trying to restrict traffic to external destinations that do not have a fixed IP address (such as aws.com).

Policy validation

Firewalls warn you or even refuse to accept an incorrect policy. Kubernetes also does some validation. When you set up a network policy via kubectl, Kubernetes may report that it is incorrect and refuse to accept it. In other cases Kubernetes accepts the policy and fills in the missing details. These can be viewed with the command:

kubectl get networkpolicy <policy-name> -o yaml

Remember that the Kubernetes validation system is not infallible and can miss some kinds of errors.

Enforcement

Kubernetes does not enforce network policies itself; it is only an API gateway that hands the burden of enforcement over to an underlying system called the Container Networking Interface (CNI). Setting policies in a Kubernetes cluster without a suitable CNI is like creating policies on a firewall management server without deploying them to the firewalls. It is up to you to make sure you have a good CNI or, in the case of Kubernetes platforms hosted in the cloud (a list of providers can be found here; translator's note), to enable network policies, which will set up the CNI for you.

Note that Kubernetes will not warn you if you set a network policy without a suitable supporting CNI.

Stateful or stateless?

All the Kubernetes CNIs I have encountered are stateful (for example, Calico uses Linux conntrack). This allows a pod to receive responses on the TCP connection it initiated without having to re-establish it. However, I am not aware of a Kubernetes standard that would guarantee statefulness.

Advanced security policy management

Here are some ways to improve security policy enforcement in Kubernetes:

  1. The Service Mesh architectural pattern uses sidecar containers to provide detailed telemetry and traffic control at the service level. Istio can be taken as an example.
  2. Some CNI vendors have extended their tools to go beyond Kubernetes network policies.
  3. Tufin Orca provides visibility and automation of Kubernetes network policies.

The Tufin Orca package manages Kubernetes network policies (and is the source of the illustrations above).

Conclusion

Kubernetes network policies offer a good set of tools for segmenting clusters, but they are not intuitive and have many subtleties. Because of this complexity, I believe that many existing cluster policies are flawed. Possible solutions to this problem are tools that explain policies, or other third-party tools.

I hope this guide helps clear up some questions and resolve problems you may encounter.

Source: www.habr.com