Introduction to Kubernetes Network Policies for Security Professionals

Translator's note: the author of the article, Reuven Harrison, has more than twenty years of experience in software development and is today the CTO and co-founder of Tufin, a company that builds security policy management tooling. While he considers Kubernetes network policies a powerful tool for network segmentation within a cluster, he also believes they are far from easy to use in practice. This (rather voluminous) article is intended to deepen practitioners' understanding of the subject and help them build the policies they need.

Today more and more companies are choosing Kubernetes to run their applications. Interest in the software is so high that some call Kubernetes "the new operating system of the data center". Gradually, Kubernetes (or k8s) is coming to be seen as a business-critical component, which means it has to be managed like any other mature business process, network security included.

For security professionals new to Kubernetes, the real revelation is the platform's default policy: allow everything.

This guide will help you understand the internal structure of network policies and how they differ from the rules of conventional firewalls. It also covers some pitfalls and gives recommendations that help secure applications running on Kubernetes.

Kubernetes network policy

The Kubernetes network policy system lets you control the interaction of applications deployed on the platform at the network layer (layer 3 of the OSI model, with port matching at layer 4). Network policies lack some of the advanced features of modern firewalls, such as OSI layer 7 inspection and threat detection, but they provide a basic level of network security that is a good starting point.

Network policies control communication between pods

Workloads in Kubernetes are distributed across pods, each of which consists of one or more containers deployed together. Kubernetes assigns every pod an IP address that is reachable from other pods. Kubernetes network policies set access permissions for groups of pods in the same way that cloud security groups are used to control access to virtual machine instances.

Defining network policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the application balance is granted access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress

(Translator's note: this diagram, like all the similar ones that follow, was produced not with native Kubernetes tooling but with the Tufin Orca tool, developed by the company of the original article's author and mentioned at the end of the article.)

To write your own network policy you need a basic knowledge of YAML. The language is indentation-based (indentation is done with spaces, not tabs). A nested element is indented relative to the element above it. A new list element starts with a hyphen; everything else is a key-value pair.

After defining the policy in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Network policy specification

The Kubernetes network policy specification consists of four elements:

  1. podSelector: defines the pods affected by this policy (the targets) - required;
  2. policyTypes: indicates which kinds of rules the policy contains, ingress and/or egress - optional, but I recommend stating it explicitly in every case;
  3. ingress: defines the allowed incoming traffic to the target pods - optional;
  4. egress: defines the allowed outgoing traffic from the target pods - optional.

The example taken from the Kubernetes website (I replaced role with app) shows all four elements in use:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

Note that all four elements need not be present. Only podSelector is mandatory; the other parameters can be used as needed.

If you omit policyTypes, the policy is interpreted as follows:

  • Ingress is always assumed to be covered. If the policy then contains no ingress rules, all incoming traffic to the selected pods is denied.
  • Whether the egress side is covered is determined by the presence or absence of the egress element.

To avoid mistakes I recommend always stating policyTypes explicitly.

Following the same logic, if the ingress and/or egress parameters are omitted while the corresponding policy type is in effect, the policy denies all traffic of that kind (see "Deny rule" below).

Default policy is Allow

When no policies are defined, Kubernetes allows all traffic by default. All pods can exchange data freely. This may seem to contradict security thinking, but remember that Kubernetes was originally created by developers so that applications could interoperate. Network policies were added later.

Namespaces

Namespaces are the Kubernetes multi-tenancy mechanism. They are designed to separate logical environments from one another, while communication between namespaces is allowed by default.

Like most Kubernetes objects, network policies live in a specific namespace. In the metadata block you can specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not specified explicitly in metadata, the system uses the namespace passed to kubectl (by default namespace=default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.

The main podSelector of the policy selects pods only from the namespace the policy belongs to (it cannot select pods in another namespace).

Likewise, podSelectors in the ingress and egress blocks can only select pods in the policy's own namespace, unless they are combined with a namespaceSelector (this is discussed in the section "Filtering by namespaces and pods").

Policy naming rules

Policy names are unique within a namespace. There cannot be two policies with the same name in one namespace, but policies in different namespaces may share a name. This is useful when you want to reuse a policy in several namespaces.

I particularly like one naming approach: combining the namespace name with the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods they apply to:

podSelector:
  matchLabels:
    role: db

... or the namespaces they apply to. This example selects all pods in the namespaces that carry the matching label:

namespaceSelector:
  matchLabels:
    project: myproject

One caveat: when using namespaceSelector, make sure the namespaces you intend to select actually carry the label. Note that the built-in namespaces such as default and kube-system carry no labels by default. (Since Kubernetes 1.21 the API server automatically sets the immutable label kubernetes.io/metadata.name on every namespace, which can be used in a namespaceSelector instead of a manually added label.)

You can add a label to a namespace like this:

kubectl label namespace default namespace=default

At the same time, namespace in the metadata section must refer to the actual name of the namespace, not to its label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Source and destination

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are defined for a target (the set of pods they apply to) and then set rules for ingress and/or egress traffic. In our example, the policy target is all pods in the default namespace with a label whose key is app and whose value is db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

The ingress subsection of this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the corresponding destination. Likewise, egress is the destination and the target is its source.

This is equivalent to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting outgoing traffic, pay special attention to DNS: Kubernetes uses this service to map service names to IP addresses. For example, the following policy will not work because it does not allow the balance application to reach DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress

You can fix this by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress

The last to element is empty and therefore implicitly selects every destination, including all pods in all namespaces, which allows balance to send DNS queries to the Kubernetes DNS service (it usually runs in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it also allows DNS queries to be sent outside the cluster.

You can tighten it in three successive steps.

1. Allow DNS queries only within the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

2. Allow DNS queries only to the kube-system namespace.

To do this, add a label to the kube-system namespace with kubectl label namespace kube-system namespace=kube-system, and then reference it in the policy using namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

3. The paranoid can go further and restrict DNS queries to the specific DNS service within kube-system. The section "Filtering by namespaces and pods" explains how to do this.

Another option is to allow DNS at the namespace level. In that case it does not have to be opened for every service separately:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

An empty podSelector selects all pods in the namespace.

First match and rule ordering

In conventional firewalls, the action (Allow or Deny) taken on a packet is determined by the first rule it matches. In Kubernetes, the order of policies does not matter.

By default, when no policies are configured, communication between pods is allowed and they can exchange data freely. As soon as you start creating policies, every pod selected by at least one of them becomes isolated, and what it may do is defined by the disjunction (logical OR) of all the policies that select it. Pods not touched by any policy remain open.

You can change this behavior with a deny rule.

Deny rule

Firewall rules usually deny any traffic that is not explicitly allowed.

There is no deny action in Kubernetes; however, the same effect can be achieved with an ordinary (allow) policy that selects an empty set of source pods (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress

This policy selects all pods in the namespace and leaves ingress undefined, thereby denying all incoming traffic.

In the same way, you can block all outgoing traffic from a namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress

Note that any other policy allowing traffic to pods in the namespace is added on top of this one, so that traffic is allowed (similar to placing an allow rule before a deny rule in a firewall configuration).

Allow all (Any-Any-Any-Allow)

To create an Allow All policy, add an empty ingress element to the Deny policy above:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress

It allows access from all pods in all namespaces (and from any IP) to any pod in the default namespace. This behavior is in effect by default, so usually it does not need to be stated again. However, it can be useful to temporarily override restrictions while diagnosing a problem.

The policy can be narrowed to allow access only to a particular set of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress: 
  - {}
  policyTypes:
  - Ingress

The following policy allows all ingress and egress traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress

Combining multiple policies

Policies are combined with logical OR at three levels; the permissions of each pod are determined by the disjunction of all the policies that affect it:

1. In the from and to fields, three kinds of elements can be specified (all combined with OR):

  • namespaceSelector - selects an entire namespace;
  • podSelector - selects pods;
  • ipBlock - selects a subnet.

Moreover, the number of elements (even identical ones) in the from/to subsections is not limited. They are all combined with logical OR.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

2. Within the ingress section of a policy there may be several from elements (combined with logical OR). Likewise, the egress section may contain several to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

3. Separate policies are also combined with logical OR.

A limitation reported by Chris Cooney should be treated with caution: he observed that Kubernetes could only combine policies with different policyTypes (Ingress or Egress), and that policies defining ingress (or egress) for the same pods overwrite one another. This contradicts the Kubernetes specification, which states that network policies are additive: a pod selected by several ingress policies accepts the union of what they allow. If you observe overwriting behavior, treat it as a defect of your CNI plugin, and in any case verify the combined effect on your own cluster before relying on it.

Relationships between namespaces

By default, communication between namespaces is allowed. This can be changed with a deny policy that blocks outgoing and/or incoming traffic for the namespace (see "Deny rule" above).

Once you have blocked access to a namespace (see "Deny rule" above), you can make exceptions to the deny policy by allowing connections from a specific namespace using namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress

As a result, all pods in the default namespace get access to the postgres pods in the database namespace. But what if you want to open access to postgres only for specific pods in the default namespace?

Filtering by namespaces and pods

Kubernetes 1.11 and later allow combining namespaceSelector and podSelector with logical AND. It looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Why is this interpreted as AND instead of the usual OR?

Note that podSelector does not start with a hyphen. In YAML this means that podSelector and the namespaceSelector above it belong to the same list element. Therefore they are combined with logical AND.

Adding a hyphen before podSelector would produce a new list element, which would be combined with the preceding namespaceSelector using logical OR.

To select pods with a specific label across all namespaces, specify an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Multiple labels are combined with AND

Firewall rules with multiple objects (hosts, networks, groups) are combined with logical OR. The following rule fires if the packet source matches Host_1 OR Host_2:

| Source         | Destination | Service | Action |
|----------------|-------------|---------|--------|
| Host_1, Host_2 | Subnet_A    | HTTPS   | Allow  |

In contrast, in Kubernetes the different labels within a podSelector or namespaceSelector are combined with logical AND. For example, the following selector matches only pods that carry both labels, role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to all kinds of selectors: policy target selectors, pod selectors, and namespace selectors.

Subnets and IP addresses (ipBlocks)

Firewalls use VLANs, IP addresses, and subnets to segment the network.

In Kubernetes, IP addresses are assigned to pods automatically and can change frequently, so network policies select pods and namespaces by label instead.

Subnets (ipBlocks) are used to control incoming (ingress) or outgoing (egress) external (north-south) connections. For example, this policy opens access from all pods in the default namespace to the Google DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53

The empty pod selector in this example means "select all pods in the namespace".

This policy allows access only to 8.8.8.8; access to any other IP is denied. So, in effect, you have blocked access to the internal Kubernetes DNS service. If you still want it open, state this explicitly.

Usually ipBlocks and podSelectors are mutually exclusive, since the internal IP addresses of pods are not used in ipBlocks. By listing internal pod IPs you would in fact allow connections to/from the pods that happen to hold those addresses. In practice you cannot know which IP address a pod will get, which is why ipBlocks should not be used to select pods.

As a counterexample, the following policy covers all IPs and therefore allows access to every other pod:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

You can open access only to external IPs by excluding the internal pod IP range. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14

Ports and protocols

Pods usually listen on a single port. This means you could leave port numbers out of your policies and allow everything as it is. However, it is recommended to make policies as restrictive as possible, so in some cases you will want to specify ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
      - port: 443      # <<<
        protocol: TCP  # <<<
      - port: 80       # <<<
        protocol: TCP  # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Note that the ports selector applies to all elements of the to or from block that contains it. To specify different ports for different sets of elements, split ingress or egress into several subsections, each with its own to or from, and list the ports in each:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
     - port: 443       # <<<
       protocol: TCP   # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
     - port: 80        # <<<
       protocol: TCP   # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Default port behavior:

  • If you omit the ports definition entirely, this means all protocols and all ports;
  • If you omit the protocol, it means TCP;
  • If you omit the port, it means all ports of that protocol.

Best practice: do not rely on the defaults; state what you need explicitly.

Note that you must use pod ports, not service ports (more on this in the next section).

Are policies defined for pods or services?

Usually, pods in Kubernetes reach each other through a service, a virtual load balancer that redirects traffic to the pods backing the service. You might think that network policies control access to services, but this is not the case. Kubernetes network policies operate on pod ports, not on service ports.

For example, if a service listens on port 80 but redirects traffic to port 8080 on its pods, you must specify exactly 8080 in the network policy.

Such behavior should be considered suboptimal: if the internal structure of the service (the ports its pods listen on) changes, the network policies have to be updated too.

A newer architectural approach using a service mesh (for example, see Istio below - translator's note) makes it possible to cope with this problem.

Is it necessary to define both ingress and egress?

The short answer is yes: for pod A to communicate with pod B, it must be allowed to open an outgoing connection (for this you configure an egress policy), and pod B must be able to accept the incoming connection (for this, accordingly, you need an ingress policy).

However, in practice you can rely on the default policy to allow connections in one or both directions.

If a source pod is selected by one or more egress policies, the restrictions imposed on it are determined by their disjunction. In that case you will have to explicitly allow the connection to the destination pod. If the pod is not selected by any policy, its outgoing (egress) traffic is allowed by default.

Similarly, the fate of a destination pod selected by one or more ingress policies is determined by their disjunction. In that case you must explicitly allow it to receive traffic from the source pod. If the pod is not selected by any policy, all its ingress traffic is allowed by default.

See Stateful or Stateless below.
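The semantics spelled out above (the Deny rule, Allow all, Combining multiple policies, Filtering by namespaces and pods, Multiple labels are combined with AND, Subnets and IP addresses, Ports and protocols, and this section's requirement that both the source's egress and the destination's ingress must allow a connection) can be checked offline with a small evaluator. The following Python script is an added example written for this edition; it is not code from the original article or from any Kubernetes project. It models how a conforming CNI interprets NetworkPolicy objects given as Python dicts in the shape `kubectl get networkpolicy -o json` returns. The namespaces, pods, labels, pod IPs and the three policies are constructed for the example and mirror the article's balance/postgres scenario; matchExpressions and endPort are not modelled, and pod IPs are compared literally against ipBlocks even though real plugins differ on that point.

```python
import ipaddress

# Constructed inventory for this example (not real cluster data). Namespaces carry
# the manually added "namespace" label the article uses; pod IPs are invented.
NAMESPACES = {"default": {"namespace": "default"}, "database": {"namespace": "database"},
              "kube-system": {"namespace": "kube-system"}}
PODS = {  # pod name -> (namespace, labels, pod IP)
    "admin":    ("default",     {"app": "admin"},        "10.16.0.10"),
    "balance":  ("default",     {"app": "balance"},      "10.16.0.11"),
    "intruder": ("default",     {"app": "intruder"},     "10.16.0.99"),
    "postgres": ("database",    {"app": "postgres"},     "10.16.1.5"),
    "coredns":  ("kube-system", {"k8s-app": "kube-dns"}, "10.16.2.2"),
}

def match_labels(selector, labels):
    """matchLabels: every listed key=value must be present (AND); {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, pod):
    """One element of a from/to list: namespaceSelector AND podSelector within the element,
    or an ipBlock with its except list. Pod IPs are compared literally here; whether a real
    CNI matches pod traffic against ipBlocks is plugin-dependent, so do not rely on it."""
    ns, labels, ip = PODS[pod]
    if "ipBlock" in peer:
        addr, block = ipaddress.ip_address(ip), peer["ipBlock"]
        if addr not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))
    if "namespaceSelector" in peer:
        if not match_labels(peer["namespaceSelector"], NAMESPACES[ns]):
            return False
    elif ns != policy_ns:
        return False  # a bare podSelector only reaches the policy's own namespace
    return match_labels(peer["podSelector"], labels) if "podSelector" in peer else True

def port_matches(ports, protocol, port):
    """ports omitted -> all ports and protocols; protocol omitted -> TCP; port omitted -> all ports."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port for p in ports)

def effective_policy_types(spec):
    """policyTypes omitted -> Ingress always, plus Egress only when an egress section exists."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def direction_allowed(policies, direction, target, peer, protocol, port):
    """'Ingress': target receives from peer; 'Egress': target sends to peer. A pod selected
    by no policy of that type is non-isolated (all allowed); otherwise it is isolated and
    the rules of every selecting policy are combined with OR (policies are additive)."""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    target_ns, target_labels, _ = PODS[target]
    isolated = allowed = False
    for pol in policies:
        ns, spec = pol["metadata"]["namespace"], pol["spec"]
        if ns != target_ns or direction not in effective_policy_types(spec):
            continue
        if not match_labels(spec["podSelector"], target_labels):
            continue
        isolated = True
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peer_key) or []
            peer_ok = not peers or any(peer_matches(p, ns, peer) for p in peers)
            if peer_ok and port_matches(rule.get("ports"), protocol, port):
                allowed = True
    return allowed or not isolated

def connection_allowed(policies, src, dst, port, protocol="TCP"):
    """A connection needs BOTH the source's egress AND the destination's ingress to allow it."""
    return (direction_allowed(policies, "Egress", src, dst, protocol, port)
            and direction_allowed(policies, "Ingress", dst, src, protocol, port))

# Constructed policies in the shape `kubectl get networkpolicy -o json` returns.
DENY_ALL_INGRESS = {"metadata": {"name": "deny-all", "namespace": "default"},
                    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
DB_POSTGRES = {  # only admin pods of the default namespace may reach postgres on TCP/5432
    "metadata": {"name": "database.postgres", "namespace": "database"},
    "spec": {"podSelector": {"matchLabels": {"app": "postgres"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"namespace": "default"}},
                                    "podSelector": {"matchLabels": {"app": "admin"}}}],
                          "ports": [{"port": 5432}]}]}}  # protocol omitted -> TCP
BALANCE_EGRESS = {  # balance may only talk to postgres and to DNS in kube-system (UDP only!)
    "metadata": {"name": "default.balance", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"namespace": "database"}},
                                 "podSelector": {"matchLabels": {"app": "postgres"}}}]},
                        {"to": [{"namespaceSelector": {"matchLabels": {"namespace": "kube-system"}}}],
                         "ports": [{"protocol": "UDP", "port": 53}]}]}}
POLICIES = [DENY_ALL_INGRESS, DB_POSTGRES, BALANCE_EGRESS]

def explain(src, dst, port, protocol="TCP", policies=POLICIES):
    """Human-readable verdict, e.g. explain('balance', 'coredns', 53, 'UDP')."""
    verdict = "allowed" if connection_allowed(policies, src, dst, port, protocol) else "denied"
    return f"{src} -> {dst} {protocol}/{port}: {verdict}"
```

Two results are worth noting. explain('balance', 'postgres', 5432) is denied even though balance's own egress policy permits the connection, because the ingress policy on postgres admits only admin pods, which is exactly the "both sides must allow" rule of this section. And explain('balance', 'coredns', 53, 'TCP') is denied because only UDP/53 was opened; resolvers retry over TCP when a DNS response is truncated, so a DNS allowance that covers only UDP is a common cause of intermittent resolution failures.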

Logs

Kubernetes network policies themselves cannot log traffic. This makes it hard to tell whether a policy is working as intended and greatly complicates security analysis. Some CNI plugins fill this gap with their own policy logging or flow visibility features, but that is plugin-specific functionality, not part of the Kubernetes API.

Restricting traffic to external services

Kubernetes network policies do not allow you to specify a fully qualified domain name (FQDN) in egress sections. This leads to serious difficulties when trying to restrict traffic to external destinations that do not have a fixed IP address (such as aws.com).

Policy check

Firewalls warn you about, or even refuse to accept, an incorrect rule. Kubernetes also does some checking. When a network policy is submitted through kubectl, Kubernetes may declare it invalid and refuse to accept it. In other cases Kubernetes accepts the policy and fills in the missing defaults. These can be inspected with the command:

kubectl get networkpolicy <policy-name> -o yaml

Keep in mind that the Kubernetes validation system is not infallible and can miss some kinds of errors.
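Because the API server accepts policies that are syntactically valid yet semantically wrong, it pays to run your own checks before applying them. The following Python linter is an added example for this edition, not part of the original article, of kubectl or of any CNI. It takes policies as dicts in the shape of the items in `kubectl get networkpolicy -A -o json` and flags the pitfalls discussed in this article: a missing metadata.namespace, missing policyTypes, an egress section that never permits UDP/53, ports without an explicit protocol, a namespaceSelector that matches no namespace's labels, and an ipBlock that covers the pod network without an except entry. The namespace label map and the pod CIDR are supplied by the caller; the `kubernetes.io/metadata.name` label used in the sample data is the one Kubernetes 1.21 and later set on every namespace, and the sample policies are constructed.

```python
import ipaddress
import json
import sys

def _peers(spec):
    """Yield (direction, peer) for every from/to element in the policy."""
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for rule in spec.get(direction) or []:
            for peer in rule.get(key) or []:
                yield direction, peer

def _permits_dns(rule):
    """A rule permits DNS if it has no ports (all ports/protocols) or lists UDP 53.
    Heuristic: it does not check that the rule's peers actually include the DNS pods."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == "UDP" and p.get("port") in (53, None) for p in ports)

def lint_policy(policy, namespaces=None, pod_cidr=None):
    """Return a list of (policy, message) findings. `namespaces` maps namespace name to its
    labels (as shown by `kubectl get ns --show-labels`); `pod_cidr` is the cluster pod network."""
    meta, spec = policy.get("metadata", {}), policy.get("spec", {})
    name = f"{meta.get('namespace', '<current>')}/{meta.get('name', '?')}"
    out = []
    if "namespace" not in meta:
        out.append((name, "metadata.namespace omitted; the policy lands in kubectl's current namespace"))
    if "policyTypes" not in spec:
        out.append((name, "policyTypes omitted; Ingress is implied, Egress only if an egress section exists"))
    types = set(spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else [])))
    # A deny-all-egress policy also trips this check: those pods lose DNS unless another policy allows it.
    if "Egress" in types and not any(_permits_dns(r) for r in spec.get("egress") or []):
        out.append((name, "egress is restricted but no rule permits UDP 53; name resolution will fail"))
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for rule in spec.get(direction) or []:
            for p in rule.get("ports") or []:
                if "protocol" not in p:
                    out.append((name, f"{direction} port {p.get('port')} has no protocol; TCP is assumed"))
    for direction, peer in _peers(spec):
        sel = peer.get("namespaceSelector", {}).get("matchLabels")
        if sel and namespaces is not None:
            if not any(all(lbl.get(k) == v for k, v in sel.items()) for lbl in namespaces.values()):
                out.append((name, f"{direction} namespaceSelector {sel} matches no namespace"))
        if "ipBlock" in peer and pod_cidr is not None:
            net = ipaddress.ip_network(peer["ipBlock"]["cidr"])
            excepts = [ipaddress.ip_network(e) for e in peer["ipBlock"].get("except", [])]
            pods = ipaddress.ip_network(pod_cidr)
            if net.overlaps(pods) and not any(pods.subnet_of(e) for e in excepts):
                out.append((name, f"{direction} ipBlock {net} covers the pod network {pods}; "
                                  "pod IPs are ephemeral, select pods by label or add the range to except"))
    return out

def lint_all(policies, namespaces=None, pod_cidr=None):
    """Lint every policy in a list (e.g. the `items` of `kubectl get networkpolicy -A -o json`)."""
    return [f for pol in policies for f in lint_policy(pol, namespaces, pod_cidr)]

if __name__ == "__main__":  # usage: kubectl get networkpolicy -A -o json | python lint.py [pod-cidr]
    items = json.load(sys.stdin).get("items", [])
    cidr = sys.argv[1] if len(sys.argv) > 1 else None
    for policy_name, message in lint_all(items, pod_cidr=cidr):
        print(f"{policy_name}: {message}")
```

The linter deliberately reads the parsed object rather than the YAML text, so it sees the policy exactly as the API server will, including the AND-versus-OR distinction that depends on where a hyphen sits; feed it the output of `kubectl get networkpolicy -A -o json` after a dry run to catch the pitfalls before they reach a live cluster.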

Enforcement

Kubernetes does not enforce network policies itself; it is only an API gateway that hands the burden of enforcement to an underlying system called the Container Networking Interface (CNI). Applying policies in a Kubernetes cluster without a suitable CNI is like creating policies on a firewall management server without ever installing them on the firewalls. It is up to you to make sure you have a capable CNI or, in the case of managed Kubernetes platforms hosted in the cloud (you can see the list of providers here - translator's note), that network policy support is enabled in your cluster's CNI settings.

Note that Kubernetes will not warn you if you apply a network policy without a CNI plugin that supports it.

Stateful or stateless?

All the Kubernetes CNIs I have encountered are stateful (for example, Calico uses Linux conntrack). This lets a pod receive responses on a TCP connection it initiated without the return path having to be opened explicitly. However, I am not aware of a Kubernetes standard that would guarantee statefulness.

Advanced security policy management

Here are some ways to improve security policy management in Kubernetes:

  1. The service mesh architectural pattern uses sidecar containers to provide detailed telemetry and traffic control at the service level. Istio is one example.
  2. Some CNI vendors have extended their tools to go beyond Kubernetes network policies.
  3. Tufin Orca provides visibility and automation for Kubernetes network policies.

The Tufin Orca package manages Kubernetes network policies (and is the source of the diagrams above).

Conclusion

Kubernetes network policies offer a good set of tools for segmenting clusters, but they are not intuitive and have many subtleties. Because of this complexity, I believe many existing cluster policies are buggy. Possible solutions to this problem include automated policy definition or the use of other forms of segmentation.

I hope this guide helps clarify some questions and resolve issues you may encounter.


Source: www.habr.com
