Nco tseg. txhais.: Tus sau tsab xov xwm, Reuven Harrison, muaj ntau tshaj 20 xyoo ntawm kev paub nyob rau hauv software tsim, thiab hnub no yog CTO thiab co-founder ntawm Tufin, lub tuam txhab uas tsim kev ruaj ntseg txoj cai tswj kev daws teeb meem. Thaum nws saib Kubernetes cov cai tswjfwm hauv lub network yog ib lub cuab yeej muaj zog heev rau kev faib cov network hauv pawg, nws kuj ntseeg tias lawv tsis yooj yim rau kev coj ua. Cov khoom siv no (zoo heev) yog npaj los txhim kho cov kws tshaj lij kev paub txog qhov teeb meem no thiab pab lawv tsim cov kev teeb tsa tsim nyog.
Niaj hnub no, ntau lub tuam txhab tab tom xaiv Kubernetes los khiav lawv daim ntawv thov. Kev txaus siab rau cov software no siab heev uas qee tus hu rau Kubernetes "qhov kev ua haujlwm tshiab rau cov ntaub ntawv chaw." Maj mam, Kubernetes (los yog k8s) pib pom tias yog ib feem tseem ceeb ntawm kev lag luam, uas yuav tsum muaj lub koom haum ntawm cov txheej txheem kev lag luam paub tab, suav nrog kev ruaj ntseg network.
Rau cov kws tshaj lij kev nyab xeeb uas xav tsis thoob los ntawm kev ua haujlwm nrog Kubernetes, qhov kev tshwm sim tiag tiag yuav yog lub platform txoj cai ua ntej: tso cai rau txhua yam.
Cov lus qhia no yuav pab koj nkag siab txog cov qauv sab hauv ntawm cov cai hauv network; nkag siab tias lawv txawv li cas ntawm cov cai rau firewalls niaj hnub. Nws tseem yuav npog qee qhov pitfalls thiab muab cov lus pom zoo los pab cov ntawv thov kev nyab xeeb ntawm Kubernetes.
Kubernetes network cov cai
Kubernetes network txoj cai mechanism tso cai rau koj los tswj kev sib cuam tshuam ntawm cov ntawv thov siv rau ntawm lub platform ntawm txheej txheej network (qhov thib peb hauv OSI qauv). Network txoj cai tsis muaj qee qhov kev ua tau zoo ntawm cov firewalls niaj hnub no, xws li OSI Layer 7 kev tswj hwm thiab kev hem thawj, tab sis lawv muab cov theem pib ntawm kev ruaj ntseg network uas yog qhov pib zoo.
Network txoj cai tswj kev sib txuas lus ntawm pods
Cov khoom ua haujlwm hauv Kubernetes tau muab faib thoob plaws hauv cov pods, uas muaj ib lossis ntau lub ntim khoom siv ua ke. Kubernetes muab txhua lub pods tus IP chaw nyob uas nkag tau los ntawm lwm cov pods. Kubernetes cov cai tswjfwm tau teeb tsa txoj cai nkag mus rau cov pab pawg ntawm cov pods ib yam li cov pab pawg kev nyab xeeb hauv huab tau siv los tswj kev nkag mus rau lub tshuab virtual.
Defining Network Policy
Zoo li lwm yam khoom siv Kubernetes, cov cai hauv network tau teev tseg hauv YAML. Hauv qhov piv txwv hauv qab no, daim ntawv thov balance nkag mus rau postgres:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.postgres
namespace: default
spec:
podSelector:
matchLabels:
app: postgres
ingress:
- from:
- podSelector:
matchLabels:
app: balance
policyTypes:
- Ingress
(Nco tseg. txhais.: qhov screenshot no, zoo li txhua qhov zoo sib xws, tau tsim tsis yog siv cov cuab yeej Kubernetes ib txwm, tab sis siv Tufin Orca cuab yeej, uas tau tsim los ntawm lub tuam txhab ntawm tus sau thawj tsab xov xwm thiab hais txog qhov kawg ntawm cov khoom siv.)
Txhawm rau txhais koj tus kheej txoj cai network, koj yuav xav tau kev paub yooj yim ntawm YAML. Cov lus no yog ua raws li cov lus qhia (hais los ntawm qhov chaw tsis yog tabs). Ib qho indented element belongs rau qhov ze tshaj indented element saum nws. Ib daim ntawv teev npe tshiab pib nrog hyphen, tag nrho lwm cov ntsiab lus muaj daim ntawv key-tus nqi.
Tau piav qhia txoj cai hauv YAML, siv los tsim nws hauv pawg:
kubectl create -f policy.yamlNetwork Policy Specification
Kubernetes network txoj cai tshwj xeeb suav nrog plaub yam:
-
podSelector: txhais cov pods cuam tshuam los ntawm txoj cai no (cov hom phiaj) - xav tau; -
policyTypes: qhia tias hom kev cai twg muaj nyob rau hauv no: ingress thiab/los yog egress - xaiv tau, tab sis kuv pom zoo kom qhia meej meej nws nyob rau hauv txhua rooj plaub; -
ingress: txhais tau tso cai tuaj tsheb mus rau lub hom phiaj pods - xaiv tau; -
egress: txhais tau tso cai tawm tsheb khiav los ntawm lub hom phiaj pods yog xaiv tau.
Piv txwv coj los ntawm Kubernetes lub vev xaib (Kuv hloov role rau app), qhia tau hais tias tag nrho plaub lub ntsiab lus siv li cas:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector: # <<<
matchLabels:
app: db
policyTypes: # <<<
- Ingress
- Egress
ingress: # <<<
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress: # <<<
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978
Thov nco ntsoov tias tag nrho plaub yam tsis tas yuav suav nrog. Nws tsuas yog yuav tsum tau ua podSelector, lwm yam tsis tuaj yeem siv raws li xav tau.
Yog peb omit policyTypes, txoj cai yuav raug txhais raws li hauv qab no:
- Los ntawm lub neej ntawd, nws yog assumed tias nws txhais lub ingress sab. Yog tias txoj cai tsis qhia meej txog qhov no, lub kaw lus yuav xav tias tag nrho cov tsheb yuav raug txwv.
- Tus cwj pwm ntawm sab egress yuav raug txiav txim los ntawm qhov muaj lossis tsis muaj qhov sib thooj egress parameter.
Kom tsis txhob yuam kev kuv pom zoo ib txwm ua kom meej meej policyTypes.
Raws li cov logic saum toj no, yog cov tsis ingress thiab / lossis egress tshem tawm, txoj cai yuav tsis lees paub tag nrho cov tsheb khiav (saib "Stripping Rule" hauv qab).
Txoj cai Default yog Allow
Yog tias tsis muaj txoj cai tau teev tseg, Kubernetes tso cai rau tag nrho cov tsheb khiav los ntawm lub neej ntawd. Txhua lub pods tuaj yeem hloov pauv cov ntaub ntawv ntawm lawv tus kheej. Qhov no yuav zoo li tsis txaus ntseeg los ntawm qhov kev xav txog kev nyab xeeb, tab sis nco ntsoov tias Kubernetes yog thawj zaug tsim los ntawm cov neeg tsim khoom los ua kom muaj kev sib cuam tshuam ntawm daim ntawv thov. Network txoj cai tau ntxiv tom qab.
Namespaces
Namespaces yog Kubernetes kev koom tes mechanism. Lawv raug tsim los cais cov kev sib raug zoo ntawm ib leeg, thaum kev sib txuas lus ntawm qhov chaw raug tso cai los ntawm lub neej ntawd.
Zoo li feem ntau Kubernetes Cheebtsam, cov cai hauv network nyob hauv ib lub npe tshwj xeeb. Hauv thaiv metadata koj tuaj yeem qhia qhov chaw twg txoj cai belongs rau:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: my-namespace # <<<
spec:
...
Yog hais tias lub namespace tsis qhia meej meej nyob rau hauv cov metadata, lub kaw lus yuav siv lub namespace teev nyob rau hauv kubectl (los ntawm lub neej ntawd namespace=default):
kubectl apply -n my-namespace -f namespace.yamlKuv xav qhia meej lub npe, tshwj tsis yog tias koj tab tom sau tsab cai tswj hwm ntau lub npe ib zaug.
Lub ntsiab caij podSelector nyob rau hauv txoj cai yuav xaiv pods los ntawm lub namespace uas txoj cai belongs (nws yog tsis kam mus rau pods los ntawm lwm lub namespace).
Ib yam li ntawd, podSelectors nyob rau hauv ingress thiab egress blocks tuaj yeem xaiv cov pods los ntawm lawv tus kheej lub npe, tshwj tsis yog tias koj ua ke nrog lawv namespaceSelector (qhov no yuav tau tham nyob rau hauv seem "Lim los ntawm namespaces thiab pods").
Txoj Cai Sau Npe
Cov npe ntawm txoj cai yog tshwj xeeb hauv tib lub npe. Tsis tuaj yeem muaj ob txoj cai nrog tib lub npe nyob hauv tib qhov chaw, tab sis tuaj yeem muaj cov cai nrog tib lub npe nyob rau ntau qhov chaw. Qhov no muaj txiaj ntsig zoo thaum koj xav rov ua dua tib txoj cai hla ntau qhov chaw.
Kuv tshwj xeeb tshaj yog nyiam ib qho ntawm txoj kev sau npe. Nws muaj kev sib txuas lub npe namespace nrog lub hom phiaj pods. Piv txwv li:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.postgres # <<<
namespace: default
spec:
podSelector:
matchLabels:
app: postgres
ingress:
- from:
- podSelector:
matchLabels:
app: admin
policyTypes:
- Ingress
Daim ntawv lo
Koj tuaj yeem xa cov ntawv sau rau Kubernetes cov khoom, xws li cov pods thiab namespaces. Cov ntawv lo (Cov ntawv - tag) yog qhov sib npaug ntawm cov cim hauv huab. Kubernetes txoj cai network siv daim ntawv lo xaiv podsuas lawv siv:
podSelector:
matchLabels:
role: dbβ¦lub cov nperau qhov lawv thov. Qhov piv txwv no xaiv tag nrho cov pods hauv namespaces nrog rau cov ntawv sau:
namespaceSelector:
matchLabels:
project: myproject
Ib qho kev ceeb toom: thaum siv namespaceSelector xyuas kom meej tias cov namespaces koj xaiv muaj cov ntawv sau raug. Nco ntsoov tias built-in namespaces xws li default ΠΈ kube-system, los ntawm lub neej ntawd tsis muaj cov ntawv sau.
Koj tuaj yeem ntxiv daim ntawv lo rau qhov chaw zoo li no:
kubectl label namespace default namespace=default
Nyob rau tib lub sijhawm, namespace hauv seem metadata yuav tsum xa mus rau lub npe qhov chaw tiag tiag, tsis yog daim ntawv lo:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default # <<<
spec:
...Qhov chaw thiab qhov chaw
Firewall cov cai muaj cov cai nrog cov chaw thiab cov chaw. Kubernetes network cov cai yog txhais rau lub hom phiaj - ib pawg ntawm cov pods uas lawv siv - thiab tom qab ntawd teeb tsa cov cai rau kev nkag mus thiab / lossis kev khiav tawm. Hauv peb qhov piv txwv, lub hom phiaj ntawm txoj cai yuav yog tag nrho cov pods hauv lub npe default nrog daim ntawv lo nrog tus yuam sij app thiab lub ntsiab lus db:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
app: db # <<<
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978
Ntu ntu ingress hauv txoj cai no, qhib kev nkag mus rau lub hom phiaj pods. Hauv lwm lo lus, ingress yog qhov chaw thiab lub hom phiaj yog qhov chaw sib xws. Ib yam li ntawd, egress yog qhov chaw thiab lub hom phiaj yog nws qhov chaw.
Qhov no sib npaug rau ob txoj cai firewall: Ingress β Target; Lub hom phiaj β Egress.
Egress thiab DNS (tseem ceeb!)
Los ntawm kev txwv cov tsheb khiav tawm, them tshwj xeeb rau DNS - Kubernetes siv qhov kev pabcuam no los qhia cov kev pabcuam rau IP chaw nyob. Piv txwv li, txoj cai hauv qab no yuav tsis ua haujlwm vim tias koj tsis tau tso cai rau daim ntawv thov balance nkag mus rau DNS:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.balance
namespace: default
spec:
podSelector:
matchLabels:
app: balance
egress:
- to:
- podSelector:
matchLabels:
app: postgres
policyTypes:
- Egress
Koj tuaj yeem kho nws los ntawm kev qhib nkag mus rau DNS kev pabcuam:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.balance
namespace: default
spec:
podSelector:
matchLabels:
app: balance
egress:
- to:
- podSelector:
matchLabels:
app: postgres
- to: # <<<
ports: # <<<
- protocol: UDP # <<<
port: 53 # <<<
policyTypes:
- Egress
Xeem keeb to yog khoob, thiab yog li ntawd nws indirectly xaiv tag nrho cov nyob rau hauv tag nrho cov npe, tso cai balance xa DNS queries mus rau qhov tsim nyog Kubernetes cov kev pab cuam (feem ntau khiav hauv qhov chaw kube-system).
Txoj kev no ua haujlwm, txawm li cas los xij overly permissive thiab insecure, vim nws tso cai rau cov lus nug DNS raug coj mus rau sab nraud pawg.
Koj tuaj yeem txhim kho nws hauv peb kauj ruam ua tiav.
1. Tso cai rau cov lus nug DNS nkaus xwb sab hauv pawg los ntawm kev ntxiv namespaceSelector:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.balance
namespace: default
spec:
podSelector:
matchLabels:
app: balance
egress:
- to:
- podSelector:
matchLabels:
app: postgres
- to:
- namespaceSelector: {} # <<<
ports:
- protocol: UDP
port: 53
policyTypes:
- Egress
2. Tso cai DNS queries hauv namespace nkaus xwb kube-system.
Ua li no koj yuav tsum tau ntxiv ib daim ntawv lo rau lub namespace kube-system: kubectl label namespace kube-system namespace=kube-system - thiab sau nws hauv txoj cai siv namespaceSelector:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.balance
namespace: default
spec:
podSelector:
matchLabels:
app: balance
egress:
- to:
- podSelector:
matchLabels:
app: postgres
- to:
- namespaceSelector: # <<<
matchLabels: # <<<
namespace: kube-system # <<<
ports:
- protocol: UDP
port: 53
policyTypes:
- Egress
3. Paranoid neeg tuaj yeem mus ntxiv thiab txwv cov lus nug DNS rau ib qho kev pabcuam DNS tshwj xeeb hauv kube-system. Ntu "Lim los ntawm namespaces THIAB pods" yuav qhia koj yuav ua li cas ua tiav qhov no.
Lwm qhov kev xaiv yog daws DNS ntawm qib namespace. Hauv qhov no, nws yuav tsis tas yuav qhib rau txhua qhov kev pabcuam:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.dns
namespace: default
spec:
podSelector: {} # <<<
egress:
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
policyTypes:
- Egress
Npua podSelector xaiv tag nrho cov pods nyob rau hauv lub namespace.
Thawj qhov sib tw thiab txoj cai txiav txim
Nyob rau hauv cov pa firewalls, qhov kev txiav txim (Cia los yog tsis kam) ntawm ib pob ntawv yog txiav txim los ntawm thawj txoj cai uas nws txaus siab. Hauv Kubernetes, qhov kev txiav txim ntawm txoj cai tsis muaj teeb meem.
Los ntawm lub neej ntawd, thaum tsis muaj txoj cai raug teeb tsa, kev sib txuas lus ntawm cov pods raug tso cai thiab lawv tuaj yeem pauv cov ntaub ntawv dawb. Thaum koj pib tsim cov cai, txhua lub pod cuam tshuam los ntawm tsawg kawg yog ib qho ntawm lawv yuav raug cais raws li qhov kev tsis sib haum xeeb (lub ntsiab lus OR) ntawm txhua txoj cai uas tau xaiv. Pods tsis cuam tshuam los ntawm ib txoj cai tseem qhib.
Koj tuaj yeem hloov tus cwj pwm no siv txoj cai stripping.
Txoj cai stripping ("Deny")
Firewall cov cai feem ntau tsis lees paub cov tsheb khiav uas tsis tso cai meej meej.
Tsis muaj qhov tsis lees paub hauv Kubernetes, txawm li cas los xij, cov txiaj ntsig zoo sib xws tuaj yeem ua tiav nrog txoj cai tsis tu ncua (tso cai) los ntawm kev xaiv ib pawg khoob ntawm cov hauv paus pods (ingress):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: default
spec:
podSelector: {}
policyTypes:
- Ingress
Txoj cai no xaiv tag nrho cov pods nyob rau hauv namespace thiab tawm ingress undefined, tsis kam lees tag nrho cov khoom nkag.
Hauv ib txoj kev zoo sib xws, koj tuaj yeem txwv tag nrho cov tsheb khiav tawm los ntawm lub npe chaw:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-egress
namespace: default
spec:
podSelector: {}
policyTypes:
- Egress
Thov nco ntsoov tias ib qho kev cai ntxiv uas tso cai rau kev khiav mus rau pods hauv namespace yuav ua qhov tseem ceeb ntawm txoj cai no (zoo ib yam li ntxiv txoj cai tso cai ua ntej txoj cai tsis lees paub hauv firewall configuration).
Cia txhua yam (Any-Any-Any-Allow)
Txhawm rau tsim Daim Ntawv Tso Cai Txhua Yam, koj yuav tsum tau ntxiv Txoj Cai Tsis Txaus Siab saum toj no nrog rau qhov khoob ingress:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all
namespace: default
spec:
podSelector: {}
ingress: # <<<
- {} # <<<
policyTypes:
- Ingress
Nws tso cai nkag los ntawm tag nrho cov pods nyob rau hauv tag nrho cov namespaces (thiab tag nrho cov IP) rau tej pods nyob rau hauv lub namespace default. Tus cwj pwm no tau qhib los ntawm lub neej ntawd, yog li nws feem ntau tsis tas yuav tsum tau txhais ntxiv. Txawm li cas los xij, qee zaum koj yuav tsum tau lov tes taw ib ntus qee qhov kev tso cai tshwj xeeb los kuaj xyuas qhov teeb meem.
Txoj cai tuaj yeem txo qis kom tso cai nkag mus rau xwb ib tug tshwj xeeb txheej ntawm pods (app:balance) nyob rau hauv lub npe default:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all-to-balance
namespace: default
spec:
podSelector:
matchLabels:
app: balance
ingress:
- {}
policyTypes:
- Ingress
Txoj cai hauv qab no tso cai rau txhua qhov kev nkag mus thiab nkag mus, suav nrog kev nkag mus rau txhua tus IP sab nraum pawg:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all
spec:
podSelector: {}
ingress:
- {}
egress:
- {}
policyTypes:
- Ingress
- Egress
Kev sib xyaw ntau txoj cai
Txoj cai sib xyaw ua ke siv cov laj thawj LOSSIS ntawm peb theem; Txhua lub plhaub taum tso cai tau teeb tsa raws li qhov tsis sib haum xeeb ntawm txhua txoj cai uas cuam tshuam rau nws:
1. Hauv teb from ΠΈ to Peb hom ntawm cov ntsiab lus tuaj yeem txhais tau (tag nrho cov uas tau ua ke siv LOSSIS):
-
namespaceSelector- xaiv tag nrho namespace; -
podSelector- xaiv cov pods; -
ipBlock- xaiv ib lub subnet.
Ntxiv mus, tus naj npawb ntawm cov ntsiab lus (txawm tias zoo ib yam) hauv ntu ntu from/to tsis txwv. Tag nrho cov ntawm lawv yuav muab sib xyaw ua ke los ntawm kev sib cav OR.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.postgres
namespace: default
spec:
ingress:
- from:
- podSelector:
matchLabels:
app: indexer
- podSelector:
matchLabels:
app: admin
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
2. Sab hauv seem txoj cai ingress tuaj yeem muaj ntau yam from (ua ke los ntawm kev xav OR). Ib yam li ntawd, ntu egress tuaj yeem suav nrog ntau yam to (tseem ua ke los ntawm kev sib cais):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.postgres
namespace: default
spec:
ingress:
- from:
- podSelector:
matchLabels:
app: indexer
- from:
- podSelector:
matchLabels:
app: admin
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
3. Cov kev cai sib txawv kuj tseem ua ke nrog cov laj thawj OR
Tab sis thaum sib txuas lawv, muaj ib qho kev txwv ntawm qhov twg : Kubernetes tsuas tuaj yeem muab cov cai sib txawv policyTypes (Ingress los yog Egress). Txoj cai txhais lus ingress (los yog egress) yuav overwrite ib leeg.
Kev sib raug zoo ntawm cov npe
Los ntawm lub neej ntawd, cov ntaub ntawv sib qhia ntawm namespaces raug tso cai. Qhov no tuaj yeem hloov pauv tau los ntawm kev siv txoj cai tsis lees paub uas yuav txwv cov tsheb khiav tawm thiab / lossis nkag mus rau hauv lub npe (saib "Txoj Cai" saum toj no).
Thaum koj tau thaiv kev nkag mus rau lub npe chaw (saib "Txoj Cai Kev Cai" saum toj no), koj tuaj yeem ua kev zam rau kev tsis lees paub txoj cai los ntawm kev tso cai sib txuas los ntawm lub npe tshwj xeeb siv namespaceSelector:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: database.postgres
namespace: database
spec:
podSelector:
matchLabels:
app: postgres
ingress:
- from:
- namespaceSelector: # <<<
matchLabels:
namespace: default
policyTypes:
- Ingress
Yog li ntawd, tag nrho cov pods nyob rau hauv lub namespace default yuav muaj kev nkag tau mus rau cov pods postgres hauv lub npe database. Tab sis dab tsi yog tias koj xav qhib kev nkag mus rau postgres tsuas yog cov pods tshwj xeeb hauv lub npe default?
Lim los ntawm namespaces thiab pods
Kubernetes version 1.11 thiab siab dua tso cai rau koj los ua ke cov neeg ua haujlwm namespaceSelector ΠΈ podSelector siv logical THIAB.Nws zoo li no:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: database.postgres
namespace: database
spec:
podSelector:
matchLabels:
app: postgres
ingress:
- from:
- namespaceSelector:
matchLabels:
namespace: default
podSelector: # <<<
matchLabels:
app: admin
policyTypes:
- Ingress
Vim li cas qhov no txhais li AND es tsis yog qhov ib txwm OR?
nco ntsoov tias podSelector tsis pib nrog hyphen. Hauv YAML qhov no txhais tau tias podSelector thiab sawv ntawm nws xub ntiag namespaceSelector xa mus rau tib daim ntawv teev npe. Yog li ntawd, lawv tau ua ke nrog cov laj thawj AND.
Ntxiv ib hyphen ua ntej podSelector yuav ua rau muaj qhov tshwm sim ntawm cov npe tshiab, uas yuav ua ke nrog rau yav dhau los namespaceSelector siv logical OR.
Xaiv cov pods nrog ib daim ntawv lo tshwj xeeb nyob rau hauv tag nrho cov npe, nkag qhov khoob namespaceSelector:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: database.postgres
namespace: database
spec:
podSelector:
matchLabels:
app: postgres
ingress:
- from:
- namespaceSelector: {}
podSelector:
matchLabels:
app: admin
policyTypes:
- Ingress
Ntau daim ntawv sau ua ke nrog I
Cov cai rau lub foob pob hluav taws nrog ntau yam khoom (tus tswv, tes hauj lwm, pab pawg) tau ua ke siv cov laj thawj OR. Cov cai hauv qab no yuav ua haujlwm yog tias pob ntawv sib tw Host_1 Los yog Host_2:
| Source | Destination | Service | Action |
| ----------------------------------------|
| Host_1 | Subnet_A | HTTPS | Allow |
| Host_2 | | | |
| ----------------------------------------|
Ntawm qhov tsis sib xws, hauv Kubernetes cov ntawv sib txawv hauv podSelector los yog namespaceSelector ua ke nrog cov laj thawj THIAB. Piv txwv li, txoj cai hauv qab no yuav xaiv cov pods uas muaj ob daim ntawv lo, role=db Π version=v2:
podSelector:
matchLabels:
role: db
version: v2Tib lub logic siv tau rau txhua yam ntawm cov neeg ua haujlwm: txoj cai xaiv lub hom phiaj, cov neeg xaiv pod, thiab cov npe xaiv npe.
Subnets thiab IP chaw nyob (IPBlocks)
Firewalls siv VLANs, IP chaw nyob, thiab subnets los faib lub network.
Hauv Kubernetes, IP chaw nyob tau muab rau cov pods tau txais thiab tuaj yeem hloov tau ntau zaus, yog li cov ntawv siv los xaiv cov pods thiab namespaces hauv network txoj cai.
Subnets (ipBlocks) yog siv thaum tswj kev nkag (ingress) lossis tawm (egress) sab nraud (North-South) kev sib txuas. Piv txwv li, txoj cai no qhib rau tag nrho cov pods los ntawm namespace default nkag mus rau Google DNS kev pabcuam:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-dns
namespace: default
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 8.8.8.8/32
ports:
- protocol: UDP
port: 53
Qhov khoob pob selector hauv qhov piv txwv no txhais tau tias "xaiv txhua lub pods hauv lub npe chaw."
Txoj cai no tsuas tso cai nkag mus rau 8.8.8.8; txwv tsis pub nkag mus rau lwm tus IP. Yog li, hauv qhov tseeb, koj tau thaiv kev nkag mus rau hauv Kubernetes DNS kev pabcuam. Yog tias koj tseem xav qhib nws, qhia qhov no qhia meej.
feem ntau ipBlocks ΠΈ podSelectors yog kev sib koom ua ke, txij li qhov chaw nyob IP sab hauv ntawm cov pods tsis siv hauv ipBlocks. Los ntawm kev qhia Internal IP pods, koj yuav tso cai rau kev sib txuas rau / los ntawm cov pods nrog cov chaw nyob no. Hauv kev xyaum, koj yuav tsis paub qhov chaw nyob IP siv, yog vim li cas lawv yuav tsum tsis txhob siv los xaiv cov pods.
Raws li kev piv txwv, txoj cai hauv qab no suav nrog txhua tus IPs thiab yog li tso cai nkag mus rau tag nrho lwm cov pods:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-any
namespace: default
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
Koj tuaj yeem qhib kev nkag mus rau lwm tus IPs nkaus xwb, tsis suav nrog qhov chaw nyob IP sab hauv ntawm pods. Piv txwv li, yog tias koj lub pod lub subnet yog 10.16.0.0/14:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-any
namespace: default
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.16.0.0/14
Ports thiab raws tu qauv
Feem ntau cov pods mloog ib qho chaw nres nkoj. Qhov no txhais tau tias koj tuaj yeem tsis qhia tus lej chaw nres nkoj hauv cov cai thiab tawm txhua yam raws li lub neej ntawd. Txawm li cas los xij, nws raug pom zoo kom ua cov cai txwv li qhov ua tau, yog li hauv qee kis koj tseem tuaj yeem teev cov chaw nres nkoj:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.postgres
namespace: default
spec:
ingress:
- from:
- podSelector:
matchLabels:
app: indexer
- podSelector:
matchLabels:
app: admin
ports: # <<<
- port: 443 # <<<
protocol: TCP # <<<
- port: 80 # <<<
protocol: TCP # <<<
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
Nco ntsoov tias tus xaiv ports siv rau tag nrho cov ntsiab lus hauv qhov thaiv to los yog from, uas muaj. Txhawm rau qhia cov chaw nres nkoj sib txawv rau cov khoom sib txawv ntawm cov ntsiab lus, cais ingress los yog egress rau hauv ob peb ntu nrog to los yog from thiab hauv txhua tus sau npe koj cov chaw nres nkoj:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default.postgres
namespace: default
spec:
ingress:
- from:
- podSelector:
matchLabels:
app: indexer
ports: # <<<
- port: 443 # <<<
protocol: TCP # <<<
- from:
- podSelector:
matchLabels:
app: admin
ports: # <<<
- port: 80 # <<<
protocol: TCP # <<<
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
Default chaw nres nkoj ua haujlwm:
- Yog tias koj tshem tawm qhov chaw nres nkoj txhais tag nrho (
ports), qhov no txhais tau tias tag nrho cov kev cai thiab txhua qhov chaw nres nkoj; - Yog tias koj tso tseg txoj cai txhais (
protocol), qhov no txhais tau tias TCP; - Yog tias koj tshem tawm qhov chaw nres nkoj txhais (
port), qhov no txhais tau tias txhua qhov chaw nres nkoj.
Kev xyaum zoo tshaj plaws: Tsis txhob cia siab rau qhov tseem ceeb, qhia qhov koj xav tau kom meej meej.
Thov nco ntsoov tias koj yuav tsum siv pods chaw nres nkoj, tsis yog chaw nres nkoj pabcuam (ntxiv rau qhov no hauv kab lus tom ntej).
Puas yog cov kev cai raug cai rau cov pods lossis cov kev pabcuam?
Feem ntau, cov pods hauv Kubernetes nkag mus rau ib leeg los ntawm kev pabcuam - virtual load balancer uas redirects tsheb mus rau pods uas siv cov kev pabcuam. Tej zaum koj yuav xav tias cov kev cai hauv network tswj kev nkag mus rau cov kev pabcuam, tab sis qhov no tsis yog li ntawd. Kubernetes txoj cai network ua haujlwm ntawm cov chaw nres nkoj, tsis yog chaw nres nkoj pabcuam.
Piv txwv li, yog tias ib qho kev pabcuam mloog chaw nres nkoj 80, tab sis hloov tsheb mus rau qhov chaw nres nkoj 8080 ntawm nws cov pods, koj yuav tsum qhia meej meej 8080 hauv txoj cai network.
Cov txheej txheem zoo li no yuav tsum suav tias yog qhov zoo tshaj plaws: yog tias cov qauv sab hauv ntawm cov kev pabcuam (cov chaw nres nkoj ntawm cov pods mloog) hloov pauv, cov cai hauv network yuav tsum tau hloov kho.
Tshiab architectural mus kom ze siv Service Mesh (piv txwv li, saib txog Istio hauv qab no - kwv yees li.) tso cai rau koj los daws qhov teeb meem no.
Nws puas tsim nyog rau npe rau ob qho tib si Ingress thiab Egress?
Cov lus teb luv luv yog yog, txhawm rau txhawm rau pod A sib txuas lus nrog pod B, nws yuav tsum raug tso cai los tsim kev sib txuas sab nraud (rau qhov no koj yuav tsum tau teeb tsa txoj cai egress), thiab pod B yuav tsum muaj peev xwm lees txais kev sib txuas tuaj ( rau qhov no, raws li, koj xav tau txoj cai ingress).
Txawm li cas los xij, hauv kev xyaum, koj tuaj yeem tso siab rau txoj cai ua ntej tso cai rau kev sib txuas hauv ib lossis ob qho lus qhia.
Yog ib co pod-qhov chaw yuav raug xaiv los ntawm ib lossis ntau dua egress-politicians, cov kev txwv rau nws yuav txiav txim los ntawm lawv disjunction. Nyob rau hauv rooj plaub no, koj yuav tsum tau tso cai rau kev txuas mus rau lub pod -mus rau tus neeg sau npe. Yog tias lub plhaub taum tsis raug xaiv los ntawm ib txoj cai, nws txoj kev tawm mus (egress) raug tso cai los ntawm lub neej ntawd.
Ib yam li ntawd, txoj hmoo ntawm lub plhaub yogtus neeg hais lus, xaiv los ntawm ib lossis ntau dua ingress-politicians, yuav txiav txim los ntawm lawv disjunction. Hauv qhov no, koj yuav tsum tau tso cai rau nws kom tau txais kev khiav tsheb los ntawm lub hauv paus pod. Yog hais tias lub pod tsis raug xaiv los ntawm ib txoj cai, tag nrho cov ingress tsheb rau nws raug tso cai los ntawm lub neej ntawd.
Saib Stateful lossis Stateless hauv qab no.
Cov log
Kubernetes txoj cai network tsis tuaj yeem nkag mus rau hauv tsheb. Qhov no ua rau nws nyuaj rau kev txiav txim siab seb txoj cai tswjfwm puas ua haujlwm raws li qhov xav tau thiab ua rau nyuaj rau kev soj ntsuam kev nyab xeeb.
Tswj kev khiav tsheb mus rau cov kev pabcuam sab nraud
Kubernetes cov cai tswjfwm tsis tso cai rau koj los qhia meej lub npe tsim nyog (DNS) nyob rau hauv ntu egress. Qhov tseeb no ua rau muaj teeb meem loj thaum sim txwv kev tsheb mus rau lwm qhov chaw uas tsis muaj qhov chaw nyob IP ruaj khov (xws li aws.com).
Txoj Cai Saib Xyuas
Firewalls yuav ceeb toom koj lossis txawm tias tsis kam lees txais txoj cai tsis raug. Kubernetes kuj ua qee qhov pov thawj. Thaum teeb tsa txoj cai network los ntawm kubectl, Kubernetes yuav tshaj tawm tias nws tsis raug thiab tsis kam lees nws. Hauv lwm qhov xwm txheej, Kubernetes yuav coj txoj cai thiab sau nws nrog cov ntsiab lus uas ploj lawm. Lawv tuaj yeem pom tau siv cov lus txib:
kubernetes get networkpolicy <policy-name> -o yamlNco ntsoov tias Kubernetes validation system yog tsis infallible thiab tej zaum yuav nco ib co ntawm cov yuam kev.
Tiav
Kubernetes tsis ua raws li kev cai network nws tus kheej, tab sis tsuas yog ib qho API rooj vag uas tso cai rau lub nra ntawm kev tswj mus rau lub hauv paus system hu ua Container Networking Interface (CNI). Kev teeb tsa cov cai ntawm Kubernetes pawg yam tsis tau muab qhov tsim nyog CNI yog tib yam li tsim cov cai ntawm firewall tswj server yam tsis tas yuav txhim kho lawv ntawm firewalls. Nws yog nyob ntawm koj kom ntseeg tau tias koj muaj CNI zoo lossis, nyob rau hauv rooj plaub ntawm Kubernetes platforms, tuav hauv huab (koj tuaj yeem pom cov npe ntawm cov chaw muab kev pabcuam - kwv yees. trans.), pab kom network cov cai uas yuav teeb tsa CNI rau koj.
Nco ntsoov tias Kubernetes yuav tsis ceeb toom koj yog tias koj teeb tsa txoj cai network yam tsis muaj tus pab tsim nyog CNI.
Stateful lossis Stateless?
Tag nrho Kubernetes CNIs kuv tau ntsib yog lub xeev (piv txwv li, Calico siv Linux conntrack). Qhov no tso cai rau lub pod tau txais cov lus teb ntawm TCP kev twb kev txuas nws pib yam tsis tas yuav rov tsim nws. Txawm li cas los xij, kuv tsis paub txog tus qauv Kubernetes uas yuav lav qhov muaj tseeb.
Advanced Security Policy Management
Nov yog qee txoj hauv kev los txhim kho kev tswj hwm kev ruaj ntseg hauv Kubernetes:
- Lub Service Mesh architectural qauv siv cov thawv sab hauv los muab cov ncauj lus kom ntxaws telemetry thiab kev tswj tsheb khiav ntawm qib kev pabcuam. Ua piv txwv peb tuaj yeem ua .
- Qee tus neeg muag khoom CNI tau txuas ntxiv lawv cov cuab yeej mus dhau Kubernetes cov cai tswjfwm.
- Muab visibility thiab automation ntawm Kubernetes network txoj cai.
Lub pob Tufin Orca tswj Kubernetes network cov cai (thiab yog lub hauv paus ntawm cov screenshots saum toj no).
cov lus qhia ntxiv
- ;
- ;
- ;
- .
xaus
Kubernetes network cov cai muaj cov txheej txheem zoo rau kev faib cov pawg, tab sis lawv tsis muaj kev nkag siab zoo thiab muaj ntau yam tsis zoo. Vim tias qhov nyuaj no, kuv ntseeg tias ntau txoj cai tswjfwm uas twb muaj lawm yog buggy. Muaj peev xwm daws tau qhov teeb meem no suav nrog automating txoj cai txhais lossis siv lwm cov cuab yeej segmentation.
Kuv vam tias phau ntawv qhia no yuav pab tshem tawm qee cov lus nug thiab daws teeb meem koj yuav ntsib.
PS los ntawm tus txhais lus
Nyeem kuj ntawm peb blog:
- "Rov qab mus rau microservices nrog Istio": , , ;
- "Ib Daim Ntawv Qhia Txog Kev Sib Txuas Hauv Kubernetes": , ;
- «»;
- «»;
- Β«".
Tau qhov twg los: www.hab.com