(Translator's note: the author of this article, Reuven Harrison, has more than 20 years of experience in software development and is currently CTO and co-founder of Tufin, a company that builds security policy management solutions. He considers Kubernetes network policies a very powerful tool for network segmentation inside a cluster, but also believes that implementing them in practice is not so simple. This (rather lengthy) material aims to improve practitioners' understanding of the subject and to help them write the configurations they need.)
Today more and more companies choose Kubernetes to run their applications. Interest in the software is so high that some call Kubernetes "the new operating system for the data center". Gradually, Kubernetes (or k8s) is being recognized as a business-critical component that requires mature business processes, including network security.

For security professionals puzzled by Kubernetes, the real revelation may be that the platform's default policy is to allow everything.

This guide will help you understand the internals of network policies and how they differ from ordinary firewall rules. It also covers a number of pitfalls and gives recommendations for protecting applications running on Kubernetes.
Kubernetes network policies

The Kubernetes network policy mechanism lets you control the interaction of applications deployed on the platform at the network layer (layer 3 of the OSI model). Network policies lack some of the advanced features of modern firewalls, such as OSI layer 7 enforcement and threat detection, but they provide a basic level of network security that is a good starting point.
Network policies control traffic between pods

Kubernetes workloads are distributed across pods, each consisting of one or more containers deployed together. Kubernetes assigns each pod an IP address that other pods can reach. Kubernetes network policies set access rights for groups of pods in the same way that security groups in the cloud control access to virtual machine instances.
Defining a network policy

Like other Kubernetes resources, network policies are specified in YAML. In the example below, the balance application gets access to postgres:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress
```
(Translator's note: this screenshot, like the similar ones that follow, was made not with native Kubernetes tools but with Tufin Orca, a tool developed by the original author's company and listed at the end of the material.)
To define your own network policies you need a basic knowledge of YAML. The language is based on indentation (with spaces, not tabs). An indented element belongs to the nearest less-indented element above it. A new list element starts with a hyphen; every other element has the form key: value.

Once the policy is written in YAML, apply it with:

```shell
kubectl create -f policy.yaml
```
Network policy specification

A Kubernetes network policy specification contains the following four elements:

- podSelector: defines the pods affected by this policy (the target). Required.
- policyTypes: indicates which policy types are included: ingress and/or egress. Optional, but I recommend specifying it explicitly in every case.
- ingress: defines the allowed incoming traffic to the target pods. Optional.
- egress: defines the allowed outgoing traffic from the target pods. Optional.
An example taken from the Kubernetes website (with role replaced by app) shows how all four elements are used:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector: # <<<
    matchLabels:
      app: db
  policyTypes: # <<<
  - Ingress
  - Egress
  ingress: # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress: # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
```
Note that you do not have to include all four elements. Only podSelector is required; the other parameters are used as needed.

If policyTypes is omitted, the policy is interpreted as follows:

- By default it is assumed that the ingress side is defined. If the policy does not state it explicitly, the system assumes all ingress traffic is forbidden.
- The behaviour of the egress side is determined by whether the egress parameter is present.

To avoid mistakes, I recommend always making policyTypes explicit.

According to the logic above, if the ingress and/or egress parameters are omitted, the policy denies all traffic (see the "Deny" rules section).
The default policy is "allow"

If no policy is defined, Kubernetes allows all traffic by default: every pod can freely exchange information with every other pod. This may seem counter-intuitive from a security standpoint, but remember that Kubernetes was originally designed by developers to enable application interoperability. Network policies were added later.
Namespaces

Namespaces are the Kubernetes collaboration mechanism. They are designed to isolate logical environments from each other, yet communication between namespaces is allowed by default.

Like most Kubernetes components, network policies live in a specific namespace. The metadata block specifies which namespace the policy belongs to:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace # <<<
spec:
  ...
```
If the namespace is not specified explicitly in the metadata, the system uses the namespace given to kubectl (by default namespace=default):

```shell
kubectl apply -n my-namespace -f namespace.yaml
```

I recommend specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.
The policy's primary podSelector element selects pods from the namespace the policy belongs to (it cannot select pods from another namespace).

Likewise, the podSelectors inside ingress and egress blocks can only select pods from their own namespace, unless they are combined with a namespaceSelector (discussed in the "Filtering by namespaces and pods" section).
Policy naming rules

Policy names are unique within a namespace. Two policies with the same name cannot exist in the same namespace, but policies with the same name can exist in different namespaces. This is useful when the same policy is re-applied to several namespaces.

One naming scheme I particularly like combines the namespace name with the target pod, for example:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress
```
Labels

Kubernetes objects such as pods and namespaces can carry custom labels. Labels are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods a policy applies to:
```yaml
podSelector:
  matchLabels:
    role: db
```
… or the namespaces it applies to. This example selects all pods in the namespaces that carry the corresponding label:
```yaml
namespaceSelector:
  matchLabels:
    project: myproject
```
One caveat when using namespaceSelector: make sure the namespaces you select actually carry the right label. Note that built-in namespaces such as default and kube-system have no labels by default.

You can add a label to a namespace like this:

```shell
kubectl label namespace default namespace=default
```
At the same time, the namespace in the metadata section must reference the actual namespace name, not a label:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default # <<<
spec:
  ...
```
Source and destination

Firewall policies consist of rules with a source and a destination. Kubernetes network policies are defined for a target (the set of pods they apply to) and set rules for its ingress and egress traffic. In this example, the policy target is all pods in the default namespace labelled with key app and value db:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
```
The ingress subsection of this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the corresponding destination. Likewise, egress is the destination and the target is its source.

This corresponds to two firewall rules: Ingress → Target and Target → Egress.
Egress and DNS (important!)

When restricting outbound traffic, pay special attention to DNS: Kubernetes uses this service to map service names to IP addresses. For example, the following policy will not work, because it does not allow the balance application to reach DNS:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress
```
You can fix this by opening access to the DNS service:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to: # <<<
    ports: # <<<
    - protocol: UDP # <<<
      port: 53 # <<<
  policyTypes:
  - Egress
```
The last to element is empty, so it implicitly selects all pods in all namespaces, which allows balance to send DNS queries to the appropriate Kubernetes service (usually running in the kube-system namespace).

This approach works, but it is overly permissive and insecure, since it also lets DNS queries leave the cluster.

It can be improved in three successive steps:

1. Allow DNS queries only inside the cluster by adding a namespaceSelector:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress
```
2. Allow DNS queries only to the kube-system namespace. To do this, add a label to the kube-system namespace:

```shell
kubectl label namespace kube-system namespace=kube-system
```

and reference it in the policy's namespaceSelector:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: # <<<
        matchLabels: # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress
```
3. The paranoid can go further and restrict DNS queries to a specific DNS service in kube-system. The "Filtering by namespaces and pods" section describes how.

Another option is to allow DNS at the namespace level, so that it does not have to be opened for every service:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress
```
The empty podSelector selects all pods in the namespace.
First match and rule order

In traditional firewalls the action taken on a packet (allow or deny) is determined by the first rule it matches. In Kubernetes the order of policies does not matter.

By default, when no policy is set, communication between pods is allowed and they can exchange information freely. Once you start writing policies, every pod affected by at least one policy is isolated according to the disjunction (logical OR) of all the policies that select it. Pods not affected by any policy stay open.

You can change this behaviour with a deny rule.
Deny rules

Usually a firewall policy denies any traffic that is not explicitly allowed.

Kubernetes has no deny action, but a similar effect can be achieved with an ordinary (permissive) policy that selects an empty group of source pods (ingress):
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
```
This policy selects all pods in the namespace and leaves ingress undefined, thereby denying all incoming traffic.

Similarly, you can restrict all outgoing traffic from a namespace:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
```
Note that any additional policy allowing traffic to pods in the namespace takes precedence over this rule (similar to adding an allow rule before a deny rule in a firewall configuration).
Allow all (Any-Any-Any-Allow)

To create an allow-all policy, supplement the deny policy above with an empty ingress element:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {} # <<<
  policyTypes:
  - Ingress
```
This allows access from all pods in all namespaces (and from all IPs) to any pod in the default namespace. Since this behaviour is enabled by default, there is usually no need to define it; however, you may need to temporarily override some specific access restriction while diagnosing a problem.

The rule can be narrowed to allow access only to a specific set of pods (app:balance) in the default namespace:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress:
  - {}
  policyTypes:
  - Ingress
```
The following policy allows all incoming and outgoing traffic, including access to IPs outside the cluster:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress
```
Combining multiple policies

Policies are combined with logical OR at three levels; each pod's permissions are the disjunction of all policies affecting it.

1. Within a from or to clause, three kinds of elements can be defined (all combined with OR):

- namespaceSelector: selects whole namespaces;
- podSelector: selects pods;
- ipBlock: selects subnets.

Moreover, the number of elements (even of the same kind) inside a from/to subsection is unlimited, and they are all combined by disjunction:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress
```
2. Within the ingress section of a policy there can be many from elements (combined by disjunction). Likewise, an egress section may contain many to elements (also combined by disjunction):
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress
```
3. Different policies are combined with logical OR.

However, there is one restriction on how they are combined, based on policyTypes (Ingress or Egress): policies that define ingress (or egress) override each other.
Relations between namespaces

By default, information exchange between namespaces is allowed. This can be changed with a deny policy that restricts traffic to and from the namespace (see the "Deny" rules above).

Having blocked access to a namespace (see the "Deny" rules above), you can make an exception to the deny policy by allowing connections from a specific namespace with a namespaceSelector:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress
```
As a result, all pods in the default namespace gain access to the postgres pod in the database namespace. But what if you want to open access to postgres only for specific pods in the default namespace?
Filtering by namespaces and pods

Since Kubernetes 1.11, the namespaceSelector and podSelector operators can be combined with logical AND, like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress
```
Why is this interpreted as AND rather than the usual OR?

Note that podSelector does not start with a hyphen. In YAML this means that podSelector and the namespaceSelector before it belong to the same list element, so they are combined by conjunction.

Adding a hyphen before podSelector would create a new list element, which would be combined with the preceding namespaceSelector by disjunction.

To select pods with a specific label in all namespaces, specify an empty namespaceSelector:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress
```
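To see the combination rules from the last two sections behave as described (OR across policies, rules and peers; AND when namespaceSelector and podSelector share one list element; default allow until a pod is selected), here is an added toy evaluator, not code from the article, Kubernetes or Tufin, run over a constructed sample cluster (the PODS, NAMESPACES and policy dicts are assumptions made up for the demo):

```python
"""Toy evaluator of the NetworkPolicy semantics this guide describes: default allow,
isolation once any policy of a policyType selects a pod, OR across policies/rules/peers,
AND between namespaceSelector and podSelector inside ONE peer element, ports scoped
to their rule. Added illustration, not code from the article, Kubernetes or Tufin;
ipBlock is not modelled and every pod, namespace and policy below is constructed."""

def labels_match(selector, labels):
    """matchLabels: every key/value must be present (AND); {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, pod, policy_ns, namespaces):
    """One element of a from:/to: list."""
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], namespaces[pod["ns"]]):
            return False
        # Same element: a podSelector here is ANDed with the namespaceSelector.
        return labels_match(peer.get("podSelector", {}), pod["labels"])
    if "podSelector" in peer:  # bare podSelector: only the policy's own namespace
        return pod["ns"] == policy_ns and labels_match(peer["podSelector"], pod["labels"])
    return False

def port_matches(rule, port, proto):
    """No ports list: all ports and protocols. Protocol defaults to TCP."""
    ports = rule.get("ports")
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port", port) == port
                            for p in ports)

def direction_allowed(policies, namespaces, target, other, port, proto, direction):
    """direction "Ingress" checks other -> target, "Egress" checks target -> other."""
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != target["ns"]:
            continue
        if not labels_match(spec.get("podSelector", {}), target["labels"]):
            continue
        # Omitted policyTypes: Ingress always, Egress only if an egress section exists.
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if direction not in types:
            continue
        isolated = True  # selected by a policy: only explicit rules allow traffic
        for rule in spec.get(key) or []:  # missing or empty section: deny all
            peers = rule.get(peer_key)  # missing or empty from:/to: means any peer
            if port_matches(rule, port, proto) and (
                    not peers or any(peer_matches(p, other, target["ns"], namespaces) for p in peers)):
                return True
    return not isolated  # not selected by any policy: default allow

def allowed(policies, namespaces, src, dst, port, proto="TCP"):
    """A connection needs the source's egress AND the destination's ingress."""
    return (direction_allowed(policies, namespaces, src, dst, port, proto, "Egress")
            and direction_allowed(policies, namespaces, dst, src, port, proto, "Ingress"))

# Constructed sample cluster; the namespace labels exist only because someone ran kubectl label.
NAMESPACES = {"default": {"namespace": "default"}, "database": {"namespace": "database"},
              "kube-system": {"namespace": "kube-system"}}
PODS = {"admin": {"ns": "default", "labels": {"app": "admin"}},
        "balance": {"ns": "default", "labels": {"app": "balance"}},
        "postgres": {"ns": "database", "labels": {"app": "postgres"}},
        "lookalike": {"ns": "kube-system", "labels": {"app": "admin"}}}
NS_DEFAULT = {"namespaceSelector": {"matchLabels": {"namespace": "default"}}}
POD_ADMIN = {"podSelector": {"matchLabels": {"app": "admin"}}}

def postgres_policy(peers):
    """database.postgres from the guide, with the given from: peer list."""
    return {"metadata": {"name": "database.postgres", "namespace": "database"},
            "spec": {"podSelector": {"matchLabels": {"app": "postgres"}},
                     "policyTypes": ["Ingress"], "ingress": [{"from": peers}]}}

POLICY_AND = postgres_policy([{**NS_DEFAULT, **POD_ADMIN}])  # one element, no hyphen: AND
POLICY_OR = postgres_policy([NS_DEFAULT, POD_ADMIN])  # two elements (hyphen): OR
```

With POLICY_AND only admin in default reaches postgres; with POLICY_OR every pod in default does, while the same-labelled pod in kube-system is rejected either way because a bare podSelector never leaves the policy's own namespace.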
Combining multiple labels with AND

Firewall rules that include several objects (hosts, networks, groups) combine them with logical OR. The following rule fires if the packet source matches Host_1 OR Host_2:
| Source | Destination | Service | Action |
|--------|-------------|---------|--------|
| Host_1, Host_2 | Subnet_A | HTTPS | Allow |
In Kubernetes, by contrast, the different labels in a podSelector or namespaceSelector are combined with logical AND. For example, the following rule selects pods that carry both labels, role=db AND version=v2:
```yaml
podSelector:
  matchLabels:
    role: db
    version: v2
```
The same logic applies to all kinds of selectors: the policy target selector, pod selectors and namespace selectors.
Subnets and IP addresses (ipBlock)

Firewalls segment networks using VLANs, IP addresses and subnets.

In Kubernetes, IP addresses are assigned to pods automatically and may change frequently, so network policies use labels to select pods and namespaces.

Subnets (ipBlocks) are used to manage incoming (ingress) or outgoing (egress) external (north-south) connections. For example, this policy opens access to Google's DNS service for all pods in the default namespace:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53
```
The empty pod selector in this example means "select all pods in the namespace".

This policy allows access only to 8.8.8.8; access to any other IP is forbidden. In effect, it blocks access to the internal Kubernetes DNS service. If you still want to open that, specify it explicitly.
Usually ipBlocks and podSelectors are mutually exclusive, because pods' internal IP addresses are not used in ipBlocks. If you specified pods' internal IPs in ipBlocks, you would in fact allow connections with whatever pods happen to have those addresses. In practice you do not know which IP addresses to use, so you should not use IP addresses to select pods.

As a counter-example, the following policy includes all IPs and therefore allows access to all other pods:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
```
You can open access only to external IPs, excluding the pods' internal IP addresses. For example, if the pod subnet is 10.16.0.0/14:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14
```
Ports and protocols

Usually a pod listens on one port, so you could leave port numbers out of your policies and rely on the defaults. Still, it is recommended to make policies as restrictive as possible, so in some cases you will want to specify ports:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports: # <<<
    - port: 443 # <<<
      protocol: TCP # <<<
    - port: 80 # <<<
      protocol: TCP # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress
```
Note that the ports selector applies to all elements of the to or from block it belongs to. To specify different ports for different sets of elements, split ingress or egress into several to or from subsections and set ports in each of them:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports: # <<<
    - port: 443 # <<<
      protocol: TCP # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports: # <<<
    - port: 80 # <<<
      protocol: TCP # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress
```
Default port handling:

- If the port definition (ports) is omitted entirely, it means all protocols and all ports.
- If the protocol definition (protocol) is omitted, it means TCP.
- If the port definition (port) is omitted, it means all ports.

Best practice: do not rely on the defaults; specify what you need explicitly.

Note that you must use pod ports, not service ports (more on this in the next section).
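A small lint pass for the recommendations made so far (explicit namespace, explicit policyTypes, explicit ports and protocols, and the DNS egress trap from the "Egress and DNS" section), added here as an illustration rather than the article's or Tufin's tooling; it assumes the manifest has already been loaded into a dict, and the two policies at the bottom are constructed copies of the guide's default.balance examples:

```python
"""Lint NetworkPolicy manifests for the pitfalls this guide warns about: no explicit
metadata.namespace, omitted policyTypes, port entries that rely on defaults, and egress
policies that never allow DNS (UDP/53). Added illustration, not the article's or Tufin's
tooling; the policies checked at the bottom are constructed copies of the guide's examples.
Policies are plain dicts, i.e. what yaml.safe_load would return for the manifest."""

def allows_dns(rule):
    """Heuristic: could this egress rule carry UDP/53? A rule with neither to: nor
    ports: allows everything; otherwise a UDP/53 (or UDP/any-port) entry is needed."""
    ports = rule.get("ports")
    if not ports:
        return not rule.get("to")
    return any(p.get("protocol") == "UDP" and p.get("port", 53) == 53 for p in ports)

def lint_policy(policy):
    """Return human-readable findings for one policy; an empty list means none."""
    findings = []
    meta, spec = policy.get("metadata", {}), policy.get("spec", {})
    name = meta.get("name", "<unnamed>")
    if "namespace" not in meta:
        findings.append(f"{name}: metadata.namespace not set; kubectl's current namespace decides")
    if "podSelector" not in spec:
        findings.append(f"{name}: spec.podSelector is required")
    types = spec.get("policyTypes")
    if not types:
        findings.append(f"{name}: policyTypes omitted; the egress side is implied by an egress section")
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    for section in ("ingress", "egress"):
        for rule in spec.get(section) or []:
            if "ports" not in rule:
                findings.append(f"{name}: {section} rule without ports allows every port and protocol")
            for p in rule.get("ports") or []:
                if "protocol" not in p:
                    findings.append(f"{name}: port {p.get('port', '<any>')} relies on the TCP default")
                if "port" not in p:
                    findings.append(f"{name}: {section} port entry without port allows every port")
    if "Egress" in types and not any(allows_dns(r) for r in spec.get("egress") or []):
        findings.append(f"{name}: egress is restricted but UDP/53 (DNS) is never allowed")
    return findings

# Constructed copies of the guide's default.balance policy before and after the DNS fix.
BROKEN = {"metadata": {"name": "default.balance", "namespace": "default"},
          "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
                   "policyTypes": ["Egress"],
                   "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]}]}}
FIXED = {"metadata": BROKEN["metadata"],
         "spec": {**BROKEN["spec"],
                  "egress": BROKEN["spec"]["egress"] + [
                      {"to": [{"namespaceSelector": {"matchLabels": {"namespace": "kube-system"}}}],
                       "ports": [{"protocol": "UDP", "port": 53}]}]}}
```

The DNS check only asks whether some egress rule could carry UDP/53; it does not verify that the rule's to: peers actually include the cluster DNS pods.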
Are policies defined for pods or services?

Pods in Kubernetes usually reach each other through services (virtual load balancers that redirect traffic to the pods implementing the service). You might think that network policies control access to services, but that is not the case: Kubernetes network policies work with pod ports, not service ports.

For example, if a service listens on port 80 and redirects traffic to port 8080 of its pods, the network policy must specify exactly 8080.

This mechanism is not ideal: if the internal structure of the service (the ports its pods listen on) changes, the network policies must be updated.

Newer architectural approaches using a service mesh (see Istio below, for instance; translator's note) address this problem.
Do I need to define both Ingress and Egress?

The short answer is yes: for pod A to talk to pod B, A must be allowed to create the outgoing connection (which requires an egress policy) and B must be able to accept the incoming connection (which requires an ingress policy).

In practice, however, the default policy can be relied on to allow connections in one or both directions.

If a source pod is selected by one or more egress policies, the restrictions imposed on it are determined by their disjunction; in that case the connection to the recipient pod must be allowed explicitly. If the pod is not selected by any policy, its outgoing (egress) traffic is allowed by default.

Similarly, the fate of a destination pod selected by one or more ingress policies is determined by their disjunction; in that case receiving traffic from the source pod must be allowed explicitly. If the pod is not selected by any policy, all incoming traffic to it is allowed by default.

See "Stateful or stateless?" below.
Logs

Kubernetes network policies cannot log traffic. This makes it hard to tell whether a policy works as intended and greatly complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not allow a fully qualified domain name (DNS) to be specified in the egress section. This is a serious inconvenience when you try to restrict traffic to external destinations without a fixed IP address (such as aws.com).
Policy checks

Firewalls may warn about, or refuse to accept, an incorrect policy. Kubernetes performs some validation too: when you set a network policy via kubectl, Kubernetes may declare it incorrect and refuse to accept it. In other cases Kubernetes takes the policy and fills in the missing details. You can see them with:

```shell
kubectl get networkpolicy <policy-name> -o yaml
```

Note that the Kubernetes validation system is not perfect and may miss some kinds of errors.
Enforcement

Kubernetes itself does not implement network policies; it is only an API gateway that delegates the burden of enforcement to an underlying system called the Container Networking Interface (CNI). Setting a policy on a Kubernetes cluster without an appropriate CNI is like creating a policy on a firewall management server without installing it on the firewall. It is up to you to make sure you have a suitable CNI or, for Kubernetes platforms hosted in the cloud, that the platform provides one (see the list of providers).

Note that Kubernetes gives no warning if you set a network policy without a supporting CNI.
Stateful or stateless?

Every Kubernetes CNI I have come across is stateful (Calico, for example, uses Linux conntrack). This lets a pod receive replies on a TCP connection it initiated without re-establishing it. However, I am not aware of any Kubernetes standard that guarantees statefulness.
Advanced security policy management

Here are a few ways to improve security policy enforcement in Kubernetes:

- The service mesh architecture pattern uses sidecar containers to provide detailed telemetry and traffic control at the service level. Istio is one example.
- Some CNI vendors have extended their tools beyond Kubernetes network policies.
- Tufin Orca provides visibility and automation for Kubernetes network policies. The Tufin Orca package manages Kubernetes network policies (and is the source of the screenshots above).
Additional information

- Network policy examples by Ahmet Alp Balkan of GKE;
- the documentation on the official Kubernetes website;
- a guide to the Kubernetes networking model;
- a script for checking network policies.
Summary

Kubernetes network policies provide a good set of tools for segmenting a cluster, but they are not intuitive and have many subtleties. Because of this complexity, I believe many existing cluster policies are buggy. Possible solutions include automating policy definition or using other segmentation tools.

I hope this guide clears up some questions and helps resolve problems you may have run into.
P.S. from the translator

Read also on our blog:

- "Back to microservices with Istio": Part 1 (introduction to the main features), Part 2 (routing, traffic control), Part 3 (security);
- "An illustrated guide to networking in Kubernetes": Parts 1 and 2 (network model, overlay network), Part 3 (services and traffic handling);
- "Docker and Kubernetes in security-demanding environments";
- "9 Kubernetes security best practices";
- "11 ways not to become a victim of Kubernetes hacking".

Source: habr.com