An Introduction to Kubernetes Network Policies for Security Professionals


Translator's note: The author of the article, Reuven Harrison, has more than 20 years of experience in software development and is today the CTO and co-founder of Tufin, a company that builds security policy management solutions. While he sees Kubernetes network policies as a fairly powerful tool for network segmentation within a cluster, he also believes they are not so easy to put into practice. This (rather voluminous) material is intended to improve practitioners' understanding of the subject and help them create appropriate configurations.

Today, more and more companies are choosing Kubernetes to run their applications. Interest in this system is so high that some call Kubernetes "the new operating system for the data center." Gradually, Kubernetes (or k8s) is coming to be seen as a business-critical part of the enterprise, which calls for mature business processes, including network security.

For security professionals puzzling over how to work with Kubernetes, the real eye-opener may be this platform's default policy: allow everything.

This guide will help you understand the internal structure of network policies and how they differ from the rules of conventional firewalls. It also covers some pitfalls and gives recommendations to help secure applications in Kubernetes.

Kubernetes network policies

The Kubernetes network policy mechanism lets you control the interaction of applications deployed on the platform at the network level (Layer 3 of the OSI model). Network policies lack some of the advanced features of modern firewalls, such as OSI Layer 7 enforcement and threat detection, but they provide a basic level of network security that is a good starting point.

Network policies control communication between pods

Workloads in Kubernetes are distributed across pods, each consisting of one or more containers deployed together. Kubernetes assigns every pod an IP address reachable from other pods. Kubernetes network policies set access rights for groups of pods in the same way that cloud security groups are used to control access to virtual machine instances.

Defining policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the application balance has access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress


(Translator's note: this screenshot, like all the similar ones that follow, was made not with standard Kubernetes tools but with Tufin Orca, a tool developed by the company of the original article's author and mentioned at the end of the material.)

To write your own network policy, you need a basic knowledge of YAML. This language is based on indentation (set with spaces, not tabs). A nested element is indented relative to the parent element above it. A new list element begins with a hyphen; all other elements take the key-value form.

Having described the policy in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Policy specification

A Kubernetes network policy specification consists of four elements:

  1. podSelector: defines the pods affected by this policy (targets) - required;
  2. policyTypes: specifies which types of policy this object contains: ingress and/or egress - optional, but I recommend stating it explicitly in all cases;
  3. ingress: defines allowed incoming traffic to the target pods - optional;
  4. egress: defines allowed outgoing traffic from the target pods - optional.

An example taken from the Kubernetes website (I changed role to app), showing the use of all four elements:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978


Note that all four elements do not have to be present. Only podSelector is mandatory; the other parameters can be used as needed.

If you omit policyTypes, the policy is interpreted as follows:

  • By default, it is assumed to define the ingress side. If the policy does not define ingress explicitly, the system assumes that all traffic is denied.
  • Behavior on the egress side is determined by the presence or absence of the egress section.

To avoid mistakes, I recommend always specifying policyTypes explicitly.

Following the logic above, if the ingress and/or egress sections are omitted, the policy will deny all traffic (see "Isolation rule" below).

Default allow policy

If no policies are defined, Kubernetes allows all traffic by default. All pods can freely exchange information with each other. This may seem counterintuitive from a security standpoint, but remember that Kubernetes was originally designed by developers to make applications interoperable. Network policies were added later.

Namespaces

Namespaces are the Kubernetes collaboration mechanism. They are designed to isolate logical environments from one another, while communication between namespaces is allowed by default.

Like most Kubernetes components, network policies live in a particular namespace. In the metadata block you can specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not explicitly specified in the metadata, the system uses the namespace given to kubectl (by default namespace=default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.

The main podSelector element of a policy selects pods from the namespace the policy belongs to (it cannot select pods from another namespace).

Similarly, podSelectors in the ingress and egress blocks can only select pods from their own namespace, unless you combine them with a namespaceSelector (this is discussed in the section "Filter by namespaces and pods").

Policy naming rules

Policy names are unique within a namespace. There cannot be two policies with the same name in one namespace, but there can be policies with the same name in different namespaces. This is useful when you want to reuse the same policy across several namespaces.

I particularly like one naming approach. It consists of combining the namespace name with the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels (key-value pairs) are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods they apply to:

podSelector:
  matchLabels:
    role: db

... or the namespaces they apply to. This example selects all pods in the namespaces with the corresponding label:

namespaceSelector:
  matchLabels:
    project: myproject

One caveat: when using namespaceSelector, make sure the namespaces you select carry the right label. Keep in mind that built-in namespaces such as default and kube-system have no labels by default.

You can add a label to a namespace like this:

kubectl label namespace default namespace=default

At the same time, the namespace in the metadata section must refer to the actual namespace name, not to the label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Source and destination

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are defined for a target - the set of pods they apply to - and then rules for ingress and/or egress are set. In our example, the policy's target is all pods in the default namespace carrying a label with key app and value db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978


The ingress subsection of this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the corresponding destination. Likewise, egress is the destination and the target is its source.


This is equivalent to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting outgoing traffic, pay special attention to DNS - Kubernetes uses this service to map service names to IP addresses. For example, the following policy will not work, because you have not allowed the balance application access to DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress


You can fix this by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress


The last to element is empty, so it implicitly selects all pods in all namespaces, allowing balance to send DNS queries to the corresponding Kubernetes service (usually running in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it allows DNS queries to be directed outside the cluster.

You can improve it in three successive steps.

1. Allow DNS queries only within the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress


2. Allow DNS queries only within the kube-system namespace.

To do this, you need to add a label to the kube-system namespace: kubectl label namespace kube-system namespace=kube-system - and write it into the policy using namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress


3. The paranoid can go further and restrict DNS queries to a specific DNS service inside kube-system. The section "Filter by namespaces AND pods" explains how to achieve this.

Another option is to resolve DNS at the namespace level. In this case, it does not need to be opened for every service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

An empty podSelector selects all pods in the namespace.


First match and rule order

In conventional firewalls, the action (Allow or Deny) for a packet is determined by the first rule it matches. In Kubernetes, the order of policies does not matter.

By default, when no policies are set, communication between pods is allowed and they can exchange information freely. Once you start creating policies, every pod affected by at least one of them becomes isolated according to the disjunction (logical OR) of all the policies that selected it. Pods not affected by any policy remain fully open.

You can change this behavior by using an isolation rule.

Isolation rule ("Deny")

Firewall policies usually deny any traffic that is not explicitly allowed.

Kubernetes has no deny action, but a similar effect can be achieved with a regular (allow) policy by selecting an empty group of source pods (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress


This policy selects all pods in the namespace and leaves ingress undefined, denying all incoming traffic.

In a similar way, you can restrict all outgoing traffic from a namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress


Note that any additional policy allowing traffic to pods in the namespace takes precedence over this rule (similar to adding an allow rule before a deny rule in a firewall configuration).

Allow all (Any-Any-Any-Allow)

To create an Allow All policy, you need to supplement the Deny policy above with an empty ingress element:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress


This allows access from all pods in all namespaces (and all IPs) to any pod in the default namespace. That is the default behavior, so usually there is no need to restate it. However, sometimes you may need to temporarily disable some specific permissions to diagnose a problem.

The rule can be narrowed down to allow access only to a specific set of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress: 
  - {}
  policyTypes:
  - Ingress


The following policy allows all ingress and egress traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress


Combining policies

Policies are combined with a logical OR at three levels; each pod's permissions are determined by the disjunction of all policies affecting it:

1. In the from and to fields, three types of element can be specified (all of them combined with OR):

  • namespaceSelector - selects an entire namespace;
  • podSelector - selects pods;
  • ipBlock - selects a subnet.

Moreover, the number of elements (even identical ones) in the from/to subsections is not limited. All of them are combined by logical OR.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


2. Within the ingress section of a policy, there can be many from elements (combined by logical OR). Similarly, the egress section can contain many to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


3. Different policies are also combined by logical OR.

But when combining them, there is one limitation pointed out by Chris Cooney: Kubernetes can only combine policies with different policyTypes (Ingress or Egress). Policies that define ingress (or egress) will overwrite each other.

Communication between namespaces

By default, information exchange between namespaces is allowed. This can be changed with a deny policy restricting outgoing and/or incoming traffic in the namespace (see "Isolation rule" above).

Once you have blocked access to a namespace (see "Isolation rule" above), you can make exceptions to the deny policy by allowing connections from a specific namespace using namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress


As a result, all pods in the default namespace will have access to the postgres pods in the database namespace. But what if you want to open access to postgres only to specific pods in the default namespace?

Filter by namespaces and pods

Kubernetes version 1.11 and higher lets you combine the namespaceSelector and podSelector operators with a logical AND. Like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Why is this interpreted as AND rather than the usual OR?

Note that podSelector does not begin with a hyphen. In YAML this means that podSelector and the namespaceSelector preceding it belong to the same list element. Therefore they are combined with a logical AND.

Adding a hyphen in front of podSelector would produce a new list element, which would be combined with the preceding namespaceSelector by logical OR.

To select pods with a specific label in all namespaces, enter an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Multiple labels are combined with AND

Firewall rules with multiple objects (hosts, networks, groups) are combined with a logical OR. The following rule applies if the source matches Host_1 OR Host_2:

| Source | Destination | Service | Action |
|--------|-------------|---------|--------|
| Host_1 | Subnet_A    | HTTPS   | Allow  |
| Host_2 |             |         |        |

In contrast, in Kubernetes different labels within a podSelector or namespaceSelector are combined with a logical AND. For example, the following selector matches pods that carry both role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to all kinds of selectors: policy targets, pod selectors, and namespace selectors.

Subnets and IP addresses (ipBlocks)

Firewalls use VLANs, IP addresses, and subnets to segment a network.

In Kubernetes, IP addresses are assigned to pods automatically and can change frequently, so labels are used to select pods and namespaces in network policies.

Subnets (ipBlocks) are used when controlling incoming (ingress) or outgoing (egress) external connections (North-South). For example, this policy gives all pods in the default namespace access to the Google DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53


The empty pod selector in this example means "select all pods in the namespace."

This policy allows access only to 8.8.8.8; access to any other IP is denied. In effect, you have blocked access to the internal Kubernetes DNS service. If you still want to open it, specify it explicitly.

Usually ipBlocks and podSelectors are mutually exclusive, since internal pod IP addresses are not used in ipBlocks. By specifying internal pod IPs, you effectively allow connections to/from the pods with those addresses. In practice, you do not know which IP address to use, so they should not be used to select pods.

As a counterexample, the policy below covers all IPs and therefore allows access to all other pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0


You can open access only to external IPs, excluding internal pod IP addresses. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14


Ports and protocols

Pods usually listen on a single port. This means you could simply not specify port numbers in policies and leave everything at the default. However, it is recommended to make policies as restrictive as possible, so in some cases you can still specify ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
      - port: 443      # <<<
        protocol: TCP  # <<<
      - port: 80       # <<<
        protocol: TCP  # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


Note that the ports selector applies to all elements of the to or from block that contains it. To specify different ports for different sets of elements, split ingress or egress into several subsections with their own to or from, and list your ports in each of them:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
     - port: 443       # <<<
       protocol: TCP   # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
     - port: 80        # <<<
       protocol: TCP   # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


Default port handling:

  • If you omit the port definition (ports) entirely, it means all protocols and all ports;
  • If you omit the protocol definition (protocol), it means TCP;
  • If you omit the port definition (port), it means all ports.

Best practice: do not rely on default values; state explicitly what you need.

Note that you must use pod ports, not service ports (more on this in the next paragraph).

Are policies defined for pods or services?

Usually, pods in Kubernetes communicate with each other through a service - a virtual load balancer that redirects traffic to the pods implementing the service. You might think that network policies control access to services, but that is not the case. Kubernetes network policies operate on pod ports, not service ports.

For example, if a service listens on port 80 but redirects traffic to port 8080 on its pods, you must specify exactly 8080 in the network policy.

Such a mechanism should be considered suboptimal: if the internal structure of the service (the ports the pods listen on) changes, the network policies have to be updated.

A new architectural approach using a service mesh (for example, see Istio below - translator's note) lets you cope with this problem.

Should both Ingress and Egress be defined?

The short answer is yes: for pod A to communicate with pod B, it must be allowed to make an outgoing connection (for which you need an egress policy), and pod B must be allowed to accept an incoming connection (for which, accordingly, you need an ingress policy).

In practice, however, you can rely on the default policy allowing connections in one or both directions.

If a source pod is selected by one or more egress policies, the restrictions imposed on it are determined by their disjunction. In this case, you must explicitly allow the connection to the destination pod. If a pod is not selected by any policy, its outgoing (egress) traffic is allowed by default.

Similarly, the fate of a destination pod selected by one or more ingress policies is determined by their disjunction. In this case, you must explicitly allow it to receive traffic from the source pod. If a pod is not selected by any policy, all incoming traffic to it is allowed by default.

See "Stateful or Stateless?" below.
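The selection rules from "Combining policies", "Filter by namespaces and pods" and this section, as an added Python example that is not part of the original article: the pods, namespaces, labels and IP addresses are constructed, and the policies are dict forms of three policies shown earlier (deny-all, default.postgres and default.balance). It shows that a pod selected by no policy stays open, that the policies selecting a pod are ORed, that a namespaceSelector and podSelector in one from element are ANDed, and that a connection needs both the source's egress and the destination's ingress.

```python
"""Added example, not from the original article: a simulator of the
NetworkPolicy selection rules the text describes. The pods, namespaces,
labels and IPs below are constructed sample data."""
from ipaddress import ip_address, ip_network

# Constructed namespace labels (kube-system is labelled, as the article advises).
NAMESPACES = {"default": {"namespace": "default"},
              "kube-system": {"namespace": "kube-system"}}
# Constructed pods: name -> (namespace, labels, IP address)
PODS = {"admin": ("default", {"app": "admin"}, "10.16.1.10"),
        "balance": ("default", {"app": "balance"}, "10.16.1.11"),
        "postgres": ("default", {"app": "postgres"}, "10.16.1.12"),
        "coredns": ("kube-system", {"k8s-app": "kube-dns"}, "10.16.0.5")}
# Dict forms of three policies from the article: deny-all (ingress) in default,
# default.postgres (ingress from indexer OR admin) and default.balance
# (egress to postgres, plus UDP/53 to the kube-system namespace).
POLICIES = [
    {"metadata": {"name": "deny-all", "namespace": "default"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "default.postgres", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"app": "postgres"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "indexer"}}},
                                    {"podSelector": {"matchLabels": {"app": "admin"}}}]}]}},
    {"metadata": {"name": "default.balance", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"app": "balance"}}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]},
                         {"to": [{"namespaceSelector": {"matchLabels": {"namespace": "kube-system"}}}],
                          "ports": [{"protocol": "UDP", "port": 53}]}]}},
]


def labels_match(selector, labels):
    """matchLabels entries are ANDed; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, other):
    """One from/to element: an ipBlock, or namespaceSelector AND podSelector when
    both sit in the same element. A bare podSelector only sees the policy's namespace."""
    ns, labels, ip = other
    if "ipBlock" in peer:
        addr, blk = ip_address(ip), peer["ipBlock"]
        return addr in ip_network(blk["cidr"]) and not any(
            addr in ip_network(x) for x in blk.get("except", []))
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], NAMESPACES[ns]):
            return False
    elif ns != policy_ns:
        return False
    return labels_match(peer.get("podSelector", {}), labels)


def rule_matches(rule, key, policy_ns, other, proto, port):
    """from/to elements are ORed, and so are ports. No from/to list means any peer;
    no ports list means any protocol and port; no protocol means TCP."""
    peers = rule.get(key)
    if peers and not any(peer_matches(p, policy_ns, other) for p in peers):
        return False
    ports = rule.get("ports")
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port", port) == port
                            for p in ports)


def direction_allowed(policies, direction, pod, other, proto, port):
    """A pod selected by no policy of this type stays open; otherwise the union (OR)
    of all selecting policies decides. Omitted policyTypes means Ingress, plus
    Egress only when an egress section is present."""
    key, section = ("from", "ingress") if direction == "Ingress" else ("to", "egress")
    selected = False
    for pol in policies:
        ns, spec = pol["metadata"]["namespace"], pol["spec"]
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if direction not in types or ns != pod[0] or not labels_match(spec["podSelector"], pod[1]):
            continue
        selected = True
        if any(rule_matches(r, key, ns, other, proto, port) for r in spec.get(section) or []):
            return True
    return not selected


def connection_allowed(policies, src, dst, proto="TCP", port=None):
    """Both sides must agree: egress on the source AND ingress on the destination."""
    return (direction_allowed(policies, "Egress", PODS[src], PODS[dst], proto, port)
            and direction_allowed(policies, "Ingress", PODS[dst], PODS[src], proto, port))


if __name__ == "__main__":
    for src, dst, proto, port in [("admin", "postgres", "TCP", 5432), ("balance", "postgres", "TCP", 5432),
                                  ("balance", "coredns", "UDP", 53), ("balance", "coredns", "TCP", 53)]:
        print(f"{src} -> {dst} {proto}/{port}:", connection_allowed(POLICIES, src, dst, proto, port))
```

Note that balance -> postgres is refused even though balance's egress allows it: postgres is selected by deny-all and default.postgres, and neither admits balance on ingress.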

Logs

Kubernetes network policies cannot log traffic. This makes it hard to determine whether a policy works as intended, and greatly complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not let you specify a fully qualified domain name (DNS) in the egress section. This leads to considerable inconvenience when trying to restrict traffic to external destinations without a fixed IP address (such as aws.com).

Policy checking

Firewalls warn you about an erroneous rule, or even refuse to accept it. Kubernetes also performs some validation. When you apply a network policy through kubectl, Kubernetes may declare it invalid and refuse to accept it. In other cases, Kubernetes accepts the policy and fills in the missing details. You can see them with the command:

kubectl get networkpolicy <policy-name> -o yaml

Keep in mind that the Kubernetes validation system is not infallible and may miss some kinds of errors.

Enforcement

Kubernetes does not enforce network policies itself; it is only an API gateway that hands the burden of enforcement to a system called the Container Networking Interface (CNI). Setting policies on a Kubernetes cluster without assigning a suitable CNI is like creating policies on a firewall management server without installing them on the firewalls. It is up to you to make sure you have a decent CNI or, in the case of Kubernetes platforms hosted in the cloud (you can see the list of providers here - translator's note), to enable network policies, which will set up the CNI for you.

Remember that Kubernetes will not warn you if you set a network policy without a suitable supporting CNI.

Stateful or Stateless?

All Kubernetes CNIs I have come across are stateful (Calico, for example, uses Linux conntrack). This lets a pod receive replies on a TCP connection it initiated without re-establishing it. However, I am not aware of a Kubernetes standard that guarantees statefulness.

Advanced security policy management

Here are some ways to improve the enforcement of network policies in Kubernetes:

  1. The Service Mesh architectural pattern uses sidecars to provide detailed telemetry and traffic control at the service level. Istio is one example.
  2. Some CNI vendors have extended their tools beyond Kubernetes network policies.
  3. Tufin Orca provides visibility and automation for Kubernetes network policies.

The Tufin Orca solution manages Kubernetes network policies (and is the source of the screenshots above).

Additional information

Conclusions

Kubernetes network policies offer a good set of tools for segmenting clusters, but they are not intuitive and have many subtleties. Because of this complexity, I believe many existing policies are flawed. Possible solutions include automating policy definitions or using other segmentation tools.

I hope this guide helps clear up some questions and solve problems you may encounter.


Source: www.habr.com
