An introduction to Kubernetes network policies for security professionals


Translator's note: the author of the article, Reuven Harrison, has more than 20 years of experience in software development and is today CTO and co-founder of Tufin, a company that develops security management solutions. While he considers Kubernetes network policies a good enough tool for network segmentation inside a cluster, he believes they are not easy to apply in practice. This (fairly lengthy) material is intended to raise specialists' awareness of the subject and help them build the necessary configurations.

Today many companies choose Kubernetes to run their applications. Interest in this software is so high that some call Kubernetes "the new operating system for the data center". Gradually Kubernetes (or k8s) is coming to be seen as a business-critical part of the infrastructure, one that requires mature operational processes, including network security.

For security professionals puzzled by Kubernetes, the real revelation may be the platform's default policy: allow everything.

This guide will help you understand the internal structure of network policies and how they differ from rules for ordinary firewalls. It also covers some pitfalls and gives recommendations that help secure applications running in Kubernetes.

Kubernetes network policies

The Kubernetes network policy mechanism lets you control how applications deployed on the platform interact at the network layer (the third layer of the OSI model). Network policies lack some advanced features of modern firewalls, such as OSI Layer 7 enforcement and threat detection, but they provide a basic level of network security that is a good starting point.

Network policies control communication between pods

Workloads in Kubernetes are distributed across pods, each consisting of one or more containers deployed together. Kubernetes assigns every pod an IP address that is reachable from other pods. Kubernetes network policies set access permissions for groups of pods in the same way that cloud security groups are used to control access to virtual machine instances.

Defining network policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the balance application is given access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress


(Translator's note: this screenshot, like all those that follow, was produced not with the native Kubernetes tooling but with Tufin Orca, a tool developed by the original author's company and mentioned at the end of the article.)

To define your own network policy you need basic knowledge of YAML. The language is indentation-based (using spaces rather than tabs). An indented element belongs to the nearest less-indented element above it. A new list item starts with a hyphen; all other elements are key-value pairs.

Once the policy is described in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Network policy specification

A Kubernetes network policy specification consists of four elements:

  1. podSelector: defines the pods this policy applies to (the targets) - required;
  2. policyTypes: states which policy types are included in this one: ingress and/or egress - optional, but I recommend always specifying it explicitly;
  3. ingress: defines the allowed incoming traffic to the target pods - optional;
  4. egress: defines the allowed outgoing traffic from the target pods - optional.

An example taken from the Kubernetes website (I replaced role with app) shows how all four elements are used:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978


Note that you do not have to include all four elements. Only the podSelector parameter is mandatory; the others can be used as needed.

If you omit policyTypes, the policy is interpreted as follows:

  • By default it is assumed to define the ingress side. If the policy does not state this explicitly, the system assumes all traffic is denied.
  • The behaviour on the egress side is determined by the presence or absence of the corresponding egress parameter.

To avoid mistakes, I recommend always making policyTypes explicit.

By the same logic, if the ingress and/or egress parameters are omitted, the policy denies all traffic (see "Deny rules" below).

Default allow policy

If no policies are defined, Kubernetes allows everything by default. All pods can exchange information freely with each other. This may seem counterintuitive from a security point of view, but remember that Kubernetes was originally created by developers to let applications interact. Network policies were added later.

Namespaces

Namespaces are the Kubernetes mechanism for sharing a cluster. They are designed to isolate logical environments from each other, while communication between namespaces is allowed by default.

Like most Kubernetes resources, network policies live in a specific namespace. In the metadata block you can specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not specified explicitly in the metadata, the system uses the namespace given to kubectl (namespace=default by default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.

The main podSelector element of a policy selects pods from the policy's own namespace (it cannot select pods from another namespace).

Similarly, the podSelectors in the ingress and egress blocks can only select pods from their own namespace, unless you combine them with a namespaceSelector (this is discussed in the section "Filter by namespace and pod").

Policy naming rules

A policy name is unique within a namespace. Two policies with the same name cannot exist in one namespace, but they can in different namespaces. This is useful when you want to reuse the same policy across several namespaces.

There is one naming approach I particularly like. It consists of combining the namespace name with the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods they apply to:

podSelector:
  matchLabels:
    role: db

... or the namespaces they apply to. This example selects all pods in namespaces with the matching labels:

namespaceSelector:
  matchLabels:
    project: myproject

One caveat: when using a namespaceSelector, make sure the namespaces you select actually carry the right labels. Note that built-in namespaces such as default and kube-system have no labels by default.

You can label a namespace like this:

kubectl label namespace default namespace=default

At the same time, the namespace in the metadata section must refer to the real namespace name, not a label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Sources and destinations

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are defined for a target (the set of pods they apply to) and then set rules for ingress and/or egress traffic. In our example, the target of the policy is all pods in the default namespace with the label key app and value db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

The ingress subsection of this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the corresponding destination. Likewise, egress is the destination and the target is its source.

This is equivalent to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting outgoing traffic, pay special attention to DNS: Kubernetes uses this service to map service names to IP addresses. For example, the following policy will not work, because you have not allowed the balance application to reach DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress

You can fix this by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress

The last to element is empty, so it implicitly selects all pods in all namespaces, letting balance send DNS queries to the corresponding Kubernetes service (usually running in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it allows DNS queries to be sent outside the cluster as well.

You can tighten it in three successive steps.

1. Allow DNS queries only inside the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

2. Allow DNS queries only to the kube-system namespace.

To do this, add a label to the kube-system namespace: kubectl label namespace kube-system namespace=kube-system, and reference it in the policy with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

3. The paranoid can go even further and restrict DNS queries to the specific DNS service in kube-system. The section "Filter by namespace AND pod" explains how to do this.

Another option is to allow DNS at the namespace level. In that case it does not need to be opened for every service separately:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

An empty podSelector selects all pods in the namespace.

First match and rule order

In firewalls, the action (Allow or Deny) for a packet is determined by the first rule it matches. In Kubernetes, the order of rules does not matter.

By default, when no policies are defined, communication between pods is allowed and they can exchange information freely. Once you start creating policies, every pod affected by at least one of them becomes isolated according to the disjunction (logical OR) of all the policies that selected it. Pods not affected by any policy remain open.

You can change this behaviour with a deny rule.

Deny rules

Firewall policies usually deny any traffic that is not explicitly allowed.

There is no deny action in Kubernetes; however, a similar effect can be achieved with an ordinary (allow) policy that selects an empty group of source pods (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress

This policy selects all pods in the namespace and leaves ingress undefined, which denies all incoming traffic.

Similarly, you can restrict outgoing traffic from the namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress

Note that any additional policy allowing traffic to pods in the namespace takes precedence over this rule (similar to adding an allow rule before a deny rule in a firewall configuration).

Allow all (Any-Any-Allow)

To create an Allow All policy, supplement the deny policy above with an empty ingress element:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress

It allows access from all pods in all namespaces (and from all IPs) to any pod in the default namespace. This behaviour is enabled by default, so it usually does not need to be defined again. However, sometimes you may want to temporarily disable some permissions to diagnose a problem.

The rule can be narrowed to allow access only to a specific set of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress: 
  - {}
  policyTypes:
  - Ingress

The following policy allows any ingress and egress traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress

Combining multiple policies

Policies are combined with OR logic at three levels; the permissions of each pod are determined by the union of all policies that affect it:

1. In the from and to fields you can specify three kinds of elements (all combined with OR):

  • namespaceSelector - selects an entire namespace;
  • podSelector - selects pods;
  • ipBlock - selects a subnet.

Moreover, the number of elements (even of the same kind) in a from/to subsection is unlimited. They are all combined with OR logic.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

2. Within the ingress section of a policy there may be several from elements (combined with OR). Similarly, the egress section may include several to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

3. Different policies are combined with OR logic

But there is one limitation when combining them, pointed out by Chris Cooney: Kubernetes can only combine policies with different policyTypes (Ingress or Egress). Policies describing ingress (or egress) will overwrite each other.

Communication between namespaces

By default, information exchange between namespaces is allowed. This can be changed with a deny policy that restricts egress and/or ingress for the namespace (see "Deny rules" above).

Once you have blocked access to a namespace (see "Deny rules" above), you can make exceptions to the deny rule by allowing connections from a specific namespace with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress

As a result, all pods in the default namespace will have access to the postgres pods in the database namespace. But what if you want to open access to postgres only to specific pods in the default namespace?

Filter by namespace and pod

Kubernetes 1.11 and later let you combine the namespaceSelector and podSelector operators with AND logic. It looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Why is this interpreted as AND rather than the usual OR?

Note that podSelector does not start with a hyphen. In YAML this means that podSelector and the namespaceSelector above it belong to the same list item. Therefore they are combined with AND logic.

Adding a hyphen before podSelector would create a new list item, which would be combined with the preceding namespaceSelector using OR logic.

To select pods with a specific label in all namespaces, specify an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Multiple labels with AND

Firewall rules with several objects (hosts, networks, groups) combine them with OR logic. The following rule fires if the packet source matches Host_1 OR Host_2:

| Source           | Destination | Service | Action |
|------------------|-------------|---------|--------|
| Host_1 or Host_2 | Subnet_A    | HTTPS   | Allow  |

In contrast, in Kubernetes different labels in a podSelector or namespaceSelector are combined with AND logic. For example, the following selector matches only pods that carry both labels, role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to all kinds of selectors: those that select the policy target, those that select pods, and those that select namespaces.

Subnets and IP addresses (IPBlocks)

Firewalls use VLANs, IP addresses and subnets to segment the network.

In Kubernetes, IP addresses are assigned to pods automatically and can change often, so network policies select pods and namespaces by labels.

Subnets (ipBlocks) are used to manage incoming (ingress) or outgoing (egress) external (North-South) connections. For example, this policy gives all pods in the default namespace access to Google's DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53

The empty pod selector in this example means "select all pods in the namespace".

This policy allows access only to 8.8.8.8; access to any other IP is denied. So, in effect, you have blocked access to the internal Kubernetes DNS service. If you still want to reach it, say so explicitly.

Usually ipBlocks and podSelectors are mutually exclusive, since the internal IP addresses of pods are not used in ipBlocks. By listing internal pod IPs you would actually allow connections to/from pods with those addresses. In practice you will not know which IP addresses to use, so they should not be used to select pods.

As a counter-example, the following policy includes all IPs and therefore allows access to all other pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

You can open access only to external IPs, excluding the internal IP addresses of pods. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14

Ports and protocols

A pod usually listens on a single port. This means you could simply omit port numbers from policies and allow everything by default. However, policies should be as restrictive as possible, so in some cases you may still want to specify the port:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
      - port: 443      # <<<
        protocol: TCP  # <<<
      - port: 80       # <<<
        protocol: TCP  # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Note that the ports selector applies to all elements in the to or from block it belongs to. To specify different ports for different sets of elements, split ingress or egress into several subsections, each with its own to or from, and list the ports in each of them:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
     - port: 443       # <<<
       protocol: TCP   # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
     - port: 80        # <<<
       protocol: TCP   # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Port semantics:

  • If you omit the port specification (ports) entirely, it means all protocols and all ports;
  • If you omit the protocol (protocol), it means TCP;
  • If you omit the port (port), it means all ports of that protocol.

Best practice: do not rely on defaults; specify what you need explicitly.

Note that you must use pod ports, not service ports (more on this in the next section).
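As an added illustration (not code from the original article, nor from Kubernetes or any CNI), the Python model below evaluates ingress decisions under the rules described in the sections on deny rules, combining multiple policies, filtering by namespace and pod, multiple labels with AND, and ports and protocols. Policies and pods are constructed dicts mirroring the YAML above; the namespace labels and pod IPs are assumed.

```python
import ipaddress

# Constructed cluster state for this illustration. Built-in namespaces carry
# no labels unless you add them (as the page does with `kubectl label`).
NAMESPACE_LABELS = {"default": {"namespace": "default"},
                    "database": {"namespace": "database"}, "kube-system": {}}


def selector_matches(selector, labels):
    """matchLabels keys are ANDed; an empty selector {} matches everything."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src):
    """One item of a `from` list: an ipBlock, or namespaceSelector and/or
    podSelector. Both selectors in the SAME item are ANDed; separate items
    (each starting with a hyphen in YAML) are ORed by the caller."""
    src_ns, src_labels, src_ip = src
    if "ipBlock" in peer:
        blk, addr = peer["ipBlock"], ipaddress.ip_address(src_ip)
        if addr not in ipaddress.ip_network(blk["cidr"]):
            return False
        return not any(addr in ipaddress.ip_network(x)
                       for x in blk.get("except", []))
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"],
                                NAMESPACE_LABELS.get(src_ns, {})):
            return False
    elif src_ns != policy_ns:       # a bare podSelector is namespace-local
        return False
    if "podSelector" in peer:
        return selector_matches(peer["podSelector"], src_labels)
    return True


def port_matches(rule, port, proto):
    """No `ports` key: every port and protocol. protocol omitted: TCP.
    port omitted inside an entry: every port of that protocol."""
    if "ports" not in rule:
        return True
    return any(p.get("protocol", "TCP") == proto
               and ("port" not in p or p["port"] == port)
               for p in rule["ports"])


def effective_types(policy):
    """policyTypes omitted: Ingress always, Egress only if `egress` is set."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def ingress_allowed(policies, src, dst, port, proto="TCP"):
    """True if src may open port/proto on dst under the given policies.
    A pod is isolated as soon as ANY Ingress policy in its namespace selects
    it; afterwards a match in ANY rule of ANY selecting policy is enough."""
    dst_ns, dst_labels, _ = dst
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if (pol["metadata"].get("namespace", "default") != dst_ns
                or "Ingress" not in effective_types(pol)
                or not selector_matches(spec["podSelector"], dst_labels)):
            continue
        isolated = True
        for rule in spec.get("ingress", []):      # absent/empty: deny all
            peers = rule.get("from")              # a `- {}` rule: any source
            if ((peers is None or any(peer_matches(p, dst_ns, src)
                                      for p in peers))
                    and port_matches(rule, port, proto)):
                return True
    return not isolated          # nothing selected dst: default allow


# Constructed policies, mirroring the YAML shown on this page.
DENY_ALL = {"metadata": {"name": "deny-all", "namespace": "default"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_ALL_TO_BALANCE = {
    "metadata": {"name": "allow-all-to-balance", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
             "ingress": [{}], "policyTypes": ["Ingress"]}}
DATABASE_POSTGRES = {   # namespaceSelector AND podSelector in ONE list item
    "metadata": {"name": "database.postgres", "namespace": "database"},
    "spec": {"podSelector": {"matchLabels": {"app": "postgres"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{
                 "namespaceSelector": {"matchLabels": {"namespace": "default"}},
                 "podSelector": {"matchLabels": {"app": "admin"}}}]}]}}

# Constructed pods: (namespace, labels, pod IP).
ADMIN = ("default", {"app": "admin"}, "10.16.0.11")
BALANCE = ("default", {"app": "balance"}, "10.16.0.12")
POSTGRES = ("database", {"app": "postgres"}, "10.16.1.7")
```

Calling ingress_allowed with the deny-all and allow-all-to-balance policies together shows the union rule: balance becomes reachable again while every other pod in default stays isolated.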

Is a policy defined for a pod or a service?

Normally, pods in Kubernetes reach each other through a service, a virtual load balancer that redirects traffic to the pods implementing that service. You might think that network policies control access to services, but that is not the case. Kubernetes network policies work with pod ports, not service ports.

For example, if a service listens on port 80 but forwards traffic to port 8080 of its pods, you must specify exactly 8080 in the network policy.

Such a mechanism should be considered suboptimal: if the internal structure of the service (the ports its pods listen on) changes, the network policies have to be updated.

The newer architectural approach using a Service Mesh (see Istio below, translator's note) lets you cope with this problem.

Do you need to define both Ingress and Egress?

The short answer is yes: for pod A to communicate with pod B, it must be allowed to create an outgoing connection (for which you need an egress policy), and pod B must be allowed to accept an incoming connection (for which, accordingly, you need an ingress policy).

In practice, however, you can rely on the default policy to allow connections in one or both directions.

If a source pod is selected by one or more egress policies, the restrictions imposed on it are determined by their union. In that case you must explicitly allow the connection to the destination pod. If the pod is not selected by any policy, its outgoing (egress) traffic is allowed by default.

Similarly, the fate of a destination pod selected by one or more ingress policies is determined by their union. In that case you must allow it to receive traffic from the source pod. If the pod is not selected by any policy, all incoming traffic to it is allowed by default.

See "Stateful or stateless?" below.

Logging

Kubernetes network policies cannot log traffic. This makes it hard to tell whether a policy is working as intended and complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not let you specify a fully qualified domain name (DNS) in the egress section. This creates serious problems when you try to restrict traffic to external destinations that have no fixed IP address (such as aws.com).

Policy validation

Firewalls will warn you or even refuse to accept an incorrect rule. Kubernetes also does some checking. When you apply a network policy with kubectl, Kubernetes may declare it invalid and refuse to accept it. In other cases Kubernetes accepts the policy and fills in the missing details with defaults. You can see them with the command:

kubectl get networkpolicy <policy-name> -o yaml

Keep in mind that the Kubernetes validation mechanism is not infallible and may miss some kinds of errors.
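Because Kubernetes fills in defaults rather than flagging the omissions this article warns about, here is an added example (not part of the original article, and not a kubectl feature) of a small Python check that raises the pitfalls named above for a policy given as a dict mirroring its YAML: missing namespace, omitted policyTypes, an Ingress or Egress type with no rules, egress that can never reach the DNS service, and 0.0.0.0/0 without except. The DNS heuristic assumes, as the article does, that the DNS service runs in kube-system.

```python
def rule_can_reach_dns(rule):
    """Heuristic from the page: the cluster DNS service lives in another
    namespace (kube-system), so an egress rule can only reach it if `to` is
    empty (any destination), names a namespaceSelector, or is 0.0.0.0/0
    without `except`; and its `ports` must be omitted or include UDP/53
    (remember that `protocol` defaults to TCP)."""
    peers = rule.get("to") or []
    reaches = not peers or any(
        "namespaceSelector" in p
        or (p.get("ipBlock", {}).get("cidr") == "0.0.0.0/0"
            and not p["ipBlock"].get("except"))
        for p in peers)
    ports = rule.get("ports")
    dns_port = ports is None or any(
        p.get("protocol", "TCP") == "UDP" and p.get("port", 53) == 53
        for p in ports)
    return reaches and dns_port


def lint_policy(policy):
    """Return the warnings this page's checklist raises for one policy."""
    meta, spec = policy.get("metadata", {}), policy.get("spec", {})
    name, out = meta.get("name", "<unnamed>"), []
    if "namespace" not in meta:
        out.append(f"{name}: metadata.namespace missing; the kubectl "
                   "current namespace will be used")
    if "policyTypes" in spec:
        types = set(spec["policyTypes"])
    else:
        types = {"Ingress"} | ({"Egress"} if "egress" in spec else set())
        out.append(f"{name}: policyTypes omitted, defaults to {sorted(types)}")
    if "Ingress" in types and not spec.get("ingress"):
        out.append(f"{name}: Ingress type without ingress rules denies all "
                   "incoming traffic (fine only if this is a deny-all)")
    if "Egress" in types:
        rules = spec.get("egress") or []
        if not rules:
            out.append(f"{name}: Egress type without egress rules denies all "
                       "outgoing traffic, DNS included")
        elif not any(rule_can_reach_dns(r) for r in rules):
            out.append(f"{name}: no egress rule allows UDP/53 to the DNS "
                       "service; selected pods cannot resolve names")
        for r in rules:
            for p in r.get("to") or []:
                blk = p.get("ipBlock", {})
                if blk.get("cidr") == "0.0.0.0/0" and not blk.get("except"):
                    out.append(f"{name}: ipBlock 0.0.0.0/0 without `except` "
                               "also reaches every pod IP inside the cluster")
    return out


# Constructed policies mirroring the YAML on this page.
BALANCE_NO_DNS = {          # the broken default.balance from "Egress and DNS"
    "metadata": {"name": "default.balance", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
             "policyTypes": ["Egress"],
             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]}]}}
BALANCE_WITH_DNS = {        # step 2: DNS allowed only towards kube-system
    "metadata": {"name": "default.balance", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
             "policyTypes": ["Egress"],
             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]},
                        {"to": [{"namespaceSelector": {"matchLabels": {"namespace": "kube-system"}}}],
                         "ports": [{"protocol": "UDP", "port": 53}]}]}}
EGRESS_ANY = {              # the counter-example from the IPBlocks section
    "metadata": {"name": "egress-any", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}}
```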

Enforcement

Kubernetes does not implement network policies itself; it is only an API gateway that hands the work of enforcement to an underlying system called the Container Networking Interface (CNI). Setting up policies in a Kubernetes cluster without a suitable CNI is the same as creating policies on a firewall management server without installing them on the firewalls. It is up to you to make sure you have a proper CNI or, in the case of Kubernetes platforms hosted in the cloud (you can find a list of providers here, translator's note), to enable network policies so that the CNI is configured for you.

Note that Kubernetes will not warn you if you set a network policy without a suitable CNI plugin.

Stateful or stateless?

All the Kubernetes CNIs I have encountered are stateful (Calico, for example, uses Linux conntrack). This lets a pod receive replies on a TCP connection it initiated without re-establishing it. However, I am not aware of a Kubernetes standard that would guarantee statefulness.

Advanced security policy management

Here are some ways to improve security policy enforcement in Kubernetes:

  1. The Service Mesh architectural pattern uses sidecars to provide detailed telemetry and traffic control at the service level. Istio is one example.
  2. Some CNI vendors have extended their tools beyond Kubernetes network policies.
  3. Tufin Orca provides visibility and automation for Kubernetes network policies.

The Tufin Orca package manages Kubernetes network policies (and is the source of the screenshots above).

Conclusion

Kubernetes network policies offer a good set of tools for segmenting clusters, but they are unintuitive and have many subtleties. Because of this complexity, I believe that many existing cluster policies contain errors. Possible solutions include automating policy definitions or using other segmentation tools.

I hope this guide helps clarify some questions and resolve problems you may encounter.

Source: www.habr.com