Introduction to Kubernetes Network Policies for Security Professionals

(Translator's note: the author of the article, Reuven Harrison, has over 20 years of experience in software development and is today the CTO and co-founder of Tufin, a company that builds security policy management solutions. While he considers Kubernetes network policies a fairly powerful tool for network segmentation in a cluster, he also believes they are not so easy to apply in practice. This (rather long) material is intended to raise specialists' awareness of the subject and to help them create the necessary configurations.)

Today, more and more companies are choosing Kubernetes to run their applications. Interest in this software is so high that some call Kubernetes "the new operating system of the data center." Gradually, Kubernetes (or k8s) is coming to be seen as a business-critical part of the enterprise, which requires mature operational processes, including network security.

For security professionals puzzled by working with Kubernetes, a real revelation may be the platform's default policy: allow everything.

This guide will help you understand the internal structure of network policies and how they differ from ordinary firewall rules. It also covers some pitfalls and gives recommendations that help secure applications in Kubernetes.

Kubernetes network policies

The Kubernetes network policy mechanism lets you manage the interaction of applications deployed on the platform at the network layer (layer three of the OSI model). Network policies lack some of the advanced features of modern firewalls, such as OSI layer 7 enforcement and threat detection, but they provide a basic level of network security that is a good starting point.

Network policies control connectivity between pods

Kubernetes workloads are distributed across pods, which consist of one or more containers deployed together. Kubernetes assigns each pod an IP address that is reachable from other pods. Kubernetes network policies define access rights for groups of pods in the same way that cloud security groups are used to control access to virtual machine instances.

Defining network policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the balance application is granted access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress

(Translator's note: this screenshot, like all similar ones below, was created not with native Kubernetes tooling but with Tufin Orca, a tool made by the company of the original article's author, which is mentioned at the end of the article.)

To define your network policy, you need basic knowledge of YAML. The language is indentation-based (indentation is given with spaces, not tabs). A nested element belongs to the nearest element above it with less indentation. A new list element begins with a dash; all other elements have the key: value form.

Once you have defined the policy in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Network policy elements

A Kubernetes network policy definition contains four elements:

  1. podSelector: defines the pods affected by this policy (the targets) - required;
  2. policyTypes: indicates which policy types are included in this one: ingress and/or egress - optional, but I recommend specifying it explicitly in all cases;
  3. ingress: defines the allowed incoming traffic to the target pods - optional;
  4. egress: defines the allowed outgoing traffic from the target pods - optional.

The example taken from the Kubernetes website (I changed role to app) shows how all four elements are used:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

Note that all four elements do not have to be included. Only podSelector is mandatory; the other parameters can be used as needed.

If you omit policyTypes, the policy will be interpreted as follows:

  • By default, it is assumed to define the ingress side. If the policy does not explicitly specify this, the system will treat all traffic as denied.
  • The behavior of the egress side will be determined by the presence or absence of the corresponding egress element.

To avoid mistakes, I recommend always making policyTypes explicit.

Following the logic above, if the ingress and/or egress elements are omitted, the policy will deny all traffic (see "The deny rule" below).

Default is Allow

If no policy is defined, Kubernetes allows all traffic by default. All pods can freely exchange information with each other. This may seem counterintuitive from a security standpoint, but remember that Kubernetes was originally designed by developers to enable application interoperability. Network policies were added later.

Namespaces

Namespaces are the Kubernetes multi-tenancy mechanism. They are designed to isolate logical environments from each other, while communication between namespaces is allowed by default.

Like most Kubernetes components, network policies live in a specific namespace. In the metadata block you can specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not explicitly specified in the metadata, the system will use the namespace configured in kubectl (by default namespace=default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.

The main podSelector element of the policy will select pods from the namespace the policy belongs to (it cannot select pods from another namespace).

Similarly, the podSelectors in the ingress and egress blocks can only select pods from their own namespace, unless, of course, you combine them with a namespaceSelector (this is discussed in the section "Filtering by namespaces and pods").

Policy naming rules

Policy names are unique within a namespace. There cannot be two policies with the same name in the same namespace, but there can be policies with the same name in different namespaces. This is useful when you want to re-apply the same policy in several namespaces.

I particularly like one naming convention. It consists of combining the namespace name with the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels are the equivalent of cloud tags. Kubernetes network policies use labels to select the pods to which they apply:

podSelector:
  matchLabels:
    role: db

... or the namespaces to which they apply. This example selects all pods in the namespaces that carry the matching label:

namespaceSelector:
  matchLabels:
    project: myproject

One caution: when using a namespaceSelector, make sure the namespaces you select actually carry the label in question. Keep in mind that built-in namespaces such as default and kube-system have no labels by default.

You can add a label to a namespace like this:

kubectl label namespace default namespace=default

At the same time, the namespace in the metadata section must refer to the actual namespace name, not the label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Source and destination

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are defined in terms of a target (the set of pods they apply to) and then set rules for ingress and/or egress traffic. In our example, the policy target is all pods in the default namespace with a label whose key is app and whose value is db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

The ingress subsection of this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the corresponding destination. Likewise, egress is the destination and the target is the source.

This corresponds to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting outgoing traffic, pay special attention to DNS: Kubernetes uses this service to map service names to IP addresses. For example, the following policy will not work, because you have not allowed the balance application to reach DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress


You can fix this by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress


The last to element is empty, so it implicitly selects all pods in all namespaces, allowing balance to send DNS queries to the appropriate Kubernetes service (usually running in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it allows DNS queries to be directed outside the cluster.

You can fix this in three consecutive steps.

1. Allow DNS queries only within the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress


2. Allow DNS queries only within the kube-system namespace.

To do this, you need to add a label to the kube-system namespace: kubectl label namespace kube-system namespace=kube-system - and reference it in the policy with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress


3. The paranoid can go further and restrict DNS queries to a specific DNS service in kube-system. The section "Filtering by namespaces and pods" explains how to achieve this.

Another option is to allow DNS at the namespace level. In that case, it does not need to be opened for every service separately:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

The empty podSelector selects all pods in the namespace.
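As an added example (not code from the original article, from Kubernetes or from Tufin Orca), the following Python linter checks policy objects for the pitfalls covered in the "Network policy elements" and "Egress and DNS" sections: an implicit policyTypes or namespace, an Egress policy that never opens UDP/53 toward the cluster DNS, a DNS rule whose empty to also reaches outside the cluster, and namespaceSelectors that depend on namespace labels that must exist. The policies are constructed Python dicts mirroring the article's balance YAML; the function names and messages are the example's own.

```python
"""Pitfall linter for Kubernetes NetworkPolicy objects.

Added example, not code from the original article, from Kubernetes or from
Tufin Orca. It flags the traps the text discusses: policyTypes or
metadata.namespace left implicit, an Egress policy that never opens UDP/53
toward the cluster DNS, a DNS rule whose empty `to` also reaches outside the
cluster, and namespaceSelectors that rely on namespace labels that must
exist. Policies are dicts mirroring the YAML, so no YAML parser is needed.
"""


def _rule_opens_udp53(rule):
    """No `ports` at all means every protocol and port; otherwise an entry
    with protocol UDP and port 53 (or no port = all UDP ports) qualifies.
    The protocol defaults to TCP when omitted."""
    ports = rule.get("ports")
    if ports is None:
        return True
    return any(p.get("protocol", "TCP") == "UDP" and p.get("port") in (53, None)
               for p in ports)


def dns_status(spec):
    """How can the selected pods reach the cluster DNS service?
    'blocked': no rule opens UDP/53 toward a peer that can be kube-system
               (a bare podSelector only reaches the policy's own namespace);
    'open':    a qualifying rule has an empty `to` or an ipBlock, so the
               queries may also leave the cluster;
    'cluster': only namespaceSelector peers, i.e. in-cluster DNS only."""
    status = "blocked"
    for rule in spec.get("egress", []):
        if not _rule_opens_udp53(rule):
            continue
        to = rule.get("to") or []
        if not to or any("ipBlock" in peer for peer in to):
            return "open"
        if any("namespaceSelector" in peer for peer in to):
            status = "cluster"
    return status


def namespace_labels_required(spec):
    """Every key=value used by a namespaceSelector; the namespaces must really
    carry these labels (the built-in ones do not by default)."""
    needed = set()
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for rule in spec.get(direction, []):
            for peer in rule.get(key) or []:
                sel = peer.get("namespaceSelector") or {}
                needed.update(f"{k}={v}" for k, v in sel.get("matchLabels", {}).items())
    return sorted(needed)


def lint_policy(policy):
    """Return a list of findings (strings) for one NetworkPolicy object."""
    meta, spec = policy.get("metadata", {}), policy.get("spec", {})
    name = meta.get("name", "<unnamed>")
    findings = []
    if "namespace" not in meta:
        findings.append(f"{name}: metadata.namespace not set, kubectl's current namespace is used")
    types = spec.get("policyTypes")
    if types is None:
        # Kubernetes infers Ingress always and Egress only when an egress key exists.
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
        findings.append(f"{name}: policyTypes not set, inferred as {types}")
    if "Egress" in types:
        status = dns_status(spec)
        if status == "blocked":
            findings.append(f"{name}: egress never opens UDP/53 toward cluster DNS, service names will not resolve")
        elif status == "open":
            findings.append(f"{name}: DNS rule is not limited to in-cluster selectors, queries may leave the cluster")
    for lbl in namespace_labels_required(spec):
        findings.append(f"{name}: namespaceSelector needs namespaces labelled {lbl}")
    return findings


# Constructed policies mirroring the article's three balance variants.
TO_POSTGRES = {"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]}
BALANCE_NO_DNS = {
    "metadata": {"name": "default.balance", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
             "policyTypes": ["Egress"], "egress": [TO_POSTGRES]}}
BALANCE_DNS_ANYWHERE = {
    "metadata": {"name": "default.balance", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
             "policyTypes": ["Egress"],
             "egress": [TO_POSTGRES, {"to": None, "ports": [{"protocol": "UDP", "port": 53}]}]}}
BALANCE_DNS_KUBE_SYSTEM = {
    "metadata": {"name": "default.balance"},  # namespace deliberately omitted
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
             "egress": [TO_POSTGRES,
                        {"to": [{"namespaceSelector": {"matchLabels": {"namespace": "kube-system"}}}],
                         "ports": [{"protocol": "UDP", "port": 53}]}]}}

if __name__ == "__main__":
    for pol in (BALANCE_NO_DNS, BALANCE_DNS_ANYWHERE, BALANCE_DNS_KUBE_SYSTEM):
        print("\n".join(lint_policy(pol)) or f"{pol['metadata']['name']}: no findings")
```

A YAML manifest loaded with any YAML parser produces exactly these dict shapes (an empty `- to:` loads as None), so the same functions can be pointed at real manifests.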


First match and rule order

In ordinary firewalls, the action (Allow or Deny) for a packet is determined by the first rule it matches. In Kubernetes, the order of policies does not matter.

By default, when no policies are set, communication between pods is allowed and they can freely exchange information. Once you start setting policies, each pod affected by at least one of them becomes isolated according to the disjunction (logical OR) of all the policies that selected it. Pods not affected by any policy remain open.

You can change this behavior using the deny rule.

The deny rule ("Deny")

Firewall rules usually deny any traffic that is not explicitly allowed.

There is no deny action in Kubernetes; however, a similar effect can be achieved with an ordinary (allow) policy that selects an empty group of source pods (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress


This policy selects all pods in the namespace and leaves ingress undefined, thereby denying all incoming traffic.

Similarly, you can restrict all outgoing traffic from a namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress


Note that any additional policy that allows traffic to pods in the namespace will take precedence over this rule (the equivalent of adding an allow rule before a deny rule in a firewall configuration).

Allow all

To create an Allow All policy, you need to supplement the deny policy above with an empty ingress element:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress


It allows access from all pods in all namespaces (and from all IPs) to any pod in the default namespace. This behavior is enabled by default, so it usually does not need to be defined again. However, sometimes you may need to temporarily disable some specific permissions in order to diagnose a problem.

The rule can be narrowed to allow access only to a specific group of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress: 
  - {}
  policyTypes:
  - Ingress


The following policy allows all ingress and egress traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress


Combining multiple policies

Policies are combined using logical OR at three levels; each pod's permissions are determined by the disjunction of all the policies affecting it:

1. In the from and to fields, three types of elements can be specified (all combined with OR):

  • namespaceSelector - selects an entire namespace;
  • podSelector - selects pods;
  • ipBlock - selects a subnet.

Moreover, the number of elements (even identical ones) in the from/to subsections is unlimited. All of them are combined with logical OR.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


2. Within a policy, the ingress section can have multiple from elements (combined with logical OR). Similarly, the egress section can contain multiple to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


3. Different policies are also combined with logical OR.

But when combining them, there is one limitation pointed out by Chris Cooney: Kubernetes can only combine policies with different policyTypes (Ingress or Egress). Policies that define ingress (or egress) will overwrite each other.

Cross-namespace connectivity

By default, information exchange between namespaces is allowed. This can be changed using a deny policy that restricts the namespace's outgoing and/or incoming traffic (see "The deny rule" above).

Once you have blocked access to a namespace (see "The deny rule" above), you can make exceptions to the deny policy by allowing connections from a specific namespace using a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress


As a result, all pods in the default namespace will have access to the postgres pods in the database namespace. But what if you want to open access to postgres only to specific pods in the default namespace?

Filtering by namespaces and pods

Kubernetes version 1.11 and above lets you combine the namespaceSelector and podSelector operators using logical AND. It looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Why is this interpreted as AND rather than OR?

Note that podSelector does not start with a dash. In YAML this means that podSelector and the namespaceSelector before it belong to the same list element. Therefore, they are combined with logical AND.

Adding a dash before podSelector would create a new list element, which would be combined with the preceding namespaceSelector using logical OR.

To select pods with a specific label across all namespaces, specify an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Multiple labels are ANDed

Firewall rules with multiple objects (hosts, networks, groups) are combined with logical OR. The following rule will fire if the packet's source matches Host_1 OR Host_2:

| Source | Destination | Service | Action |
|--------|-------------|---------|--------|
| Host_1 | Subnet_A    | HTTPS   | Allow  |
| Host_2 |             |         |        |

Conversely, in Kubernetes the different labels in a podSelector or namespaceSelector are combined with logical AND. For example, the following rule will select pods that have both labels, role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to all kinds of selectors: the policy target selector, pod selectors, and namespace selectors.
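The combination rules from "Combining multiple policies", "Filtering by namespaces and pods" and "Multiple labels are ANDed", as an added example that is not code from the original article, from Kubernetes or from Tufin Orca: a small Python evaluator over a constructed cluster (the pod and namespace names, labels and policies are all made up here) that answers whether ingress from one pod to another is allowed, and shows the difference between a namespaceSelector and podSelector in one list element (AND) and in two separate elements (OR). It also models the unlabelled default namespace that makes a namespaceSelector silently match nothing.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress semantics.

Added example, not code from the original article, from Kubernetes or from
Tufin Orca. It models, on constructed in-memory data, the combination rules
the text describes: labels inside one matchLabels are ANDed, elements of a
`from` list are ORed, a namespaceSelector and podSelector inside the SAME
list element are ANDed, a bare podSelector only reaches the policy's own
namespace, policies selecting a pod are ORed, and a pod selected by no
policy stays open. ipBlock and ports are deliberately not modelled.
"""

# Constructed cluster. `default` intentionally carries no labels, which is
# the state of the built-in namespaces the article warns about.
NAMESPACE_LABELS = {"default": {}, "ops": {"namespace": "ops"},
                    "database": {"namespace": "database"}}
PODS = {  # pod name -> (namespace, labels)
    "postgres": ("database", {"app": "postgres"}),
    "db-admin": ("database", {"app": "admin"}),
    "admin": ("default", {"app": "admin"}),
    "indexer": ("default", {"app": "indexer"}),
    "ops-admin": ("ops", {"app": "admin"}),
    "ops-web": ("ops", {"app": "web"}),
}


def labels_match(selector, labels):
    """matchLabels semantics: every key/value listed must be present (AND).
    A missing selector or an empty {} matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src_ns, src_labels):
    """One element of a `from` list."""
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], NAMESPACE_LABELS[src_ns]):
            return False
        # A podSelector in the same element narrows the result (AND).
        return "podSelector" not in peer or labels_match(peer["podSelector"], src_labels)
    if "podSelector" in peer:
        # On its own, a podSelector only selects pods in the policy's namespace.
        return src_ns == policy_ns and labels_match(peer["podSelector"], src_labels)
    return False  # ipBlock peers are not modelled


def rule_allows(rule, policy_ns, src_ns, src_labels):
    """One entry of `ingress`: `{}` or a missing/empty `from` allows any
    source; otherwise the listed peers are ORed."""
    if not rule.get("from"):
        return True
    return any(peer_matches(p, policy_ns, src_ns, src_labels) for p in rule["from"])


def ingress_allowed(policies, src, dst):
    """Can pod `src` open a connection to pod `dst` under `policies`?"""
    src_ns, src_labels = PODS[src]
    dst_ns, dst_labels = PODS[dst]
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst_ns
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and labels_match(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True  # default is allow: nothing selected the destination
    # All selecting policies and all their rules are ORed; no rule at all
    # (the deny-all pattern) therefore denies everything.
    return any(rule_allows(r, dst_ns, src_ns, src_labels)
               for p in selecting for r in p["spec"].get("ingress", []))


def label_namespace(ns, key, value):
    """Mimics `kubectl label namespace <ns> <key>=<value>` on the model."""
    NAMESPACE_LABELS[ns][key] = value


def policy(name, ns, target, ingress):
    """Builds the dict a parsed NetworkPolicy YAML would produce."""
    return {"metadata": {"name": name, "namespace": ns},
            "spec": {"podSelector": target, "policyTypes": ["Ingress"],
                     "ingress": ingress}}


POSTGRES = {"matchLabels": {"app": "postgres"}}
OPS_NS = {"matchLabels": {"namespace": "ops"}}
ADMIN_PODS = {"matchLabels": {"app": "admin"}}
DENY_ALL_DB = policy("deny-all", "database", {}, [])
# The article's AND form: both selectors in ONE list element.
ADMIN_AND_OPS = policy("database.postgres", "database", POSTGRES,
                       [{"from": [{"namespaceSelector": OPS_NS, "podSelector": ADMIN_PODS}]}])
# The OR form: the same selectors as TWO list elements.
ADMIN_OR_OPS = policy("database.postgres", "database", POSTGRES,
                      [{"from": [{"namespaceSelector": OPS_NS}, {"podSelector": ADMIN_PODS}]}])
# Cross-namespace exception relying on a label that `default` does not carry yet.
FROM_DEFAULT = policy("database.postgres-default", "database", POSTGRES,
                      [{"from": [{"namespaceSelector": {"matchLabels": {"namespace": "default"}}}]}])
```

With DENY_ALL_DB plus ADMIN_AND_OPS only ops-admin reaches postgres, while the OR variant also lets in ops-web and db-admin; FROM_DEFAULT admits indexer only after label_namespace("default", "namespace", "default") has been applied.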

Subnets and IP addresses (IPBlocks)

Firewalls use VLANs, IP addresses, and subnets to segment a network.

In Kubernetes, IP addresses are assigned to pods automatically and can change frequently, so network policies use labels to select pods and namespaces.

Subnets (ipBlocks) are used when managing incoming (ingress) or outgoing (egress) external connections (North-South). For example, this policy opens access for all pods in the default namespace to the Google DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53


The empty pod selector in this example means "select all pods in the namespace."

This rule allows access to 8.8.8.8 only; access to any other IP is denied. So, in effect, you have blocked access to the cluster's internal Kubernetes DNS service. If you still want to open it, state this explicitly.

Usually ipBlocks and podSelectors are mutually exclusive, since the internal IP addresses of pods are not used in ipBlocks. By specifying internal pod IPs you would in fact allow connections to/from the pods with those addresses. In practice, you will not know which IP address to use, which is why they should not be used to select pods.

For example, the following policy includes all IPs and therefore allows access to all other pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0


You can open access only to external IPs, excluding the internal IP addresses of pods. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14


Ports and protocols

Typically, pods listen on a single port. This means you can simply not specify port numbers in policies and leave everything at the default. However, it is recommended to make policies as restrictive as possible, so in some cases you may still want to specify ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
    - port: 443        # <<<
      protocol: TCP    # <<<
    - port: 80         # <<<
      protocol: TCP    # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


Note that the ports selection applies to all elements in the to or from block it belongs to. To specify different ports for different groups of elements, split ingress or egress into several separate subsections with to or from, and in each one list its own ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
    - port: 443        # <<<
      protocol: TCP    # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
    - port: 80         # <<<
      protocol: TCP    # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


Default port behavior:

  • If you omit the ports definition entirely, this means all protocols and all ports;
  • If you omit the protocol definition, this means TCP;
  • If you omit the port definition, this means all ports.

Best practice: do not rely on defaults; specify what you need explicitly.

Note that you must use pod ports, not service ports (more on this in the next section).

Are rules defined for pods or services?

Typically, pods in Kubernetes are accessed through a service: a virtual load balancer that directs traffic to the pods implementing the service. You might think that network policies control access to services, but that is not the case. Kubernetes network policies operate on pod ports, not service ports.

For example, if a service listens on port 80 but directs traffic to port 8080 on its pods, 8080 must be specified in the network policy.

Such an approach should be considered suboptimal: if the internal structure of the service (the ports the pods listen on) changes, the network policies will have to be updated.

The new architectural approach using a Service Mesh (for example, see below about Istio - translator's note) lets you cope with this problem.

Is it mandatory to define both ingress and egress?

The short answer is yes: for pod A to communicate with pod B, it must be allowed to create an outgoing connection (for this you need to set an egress policy), and pod B must be able to accept the incoming connection (for this, accordingly, you need an ingress policy).

However, in practice you can rely on the default policy to allow connections in one or both directions.

If a source pod is selected by one or more egress policies, the restrictions imposed on it will be determined by their disjunction. In that case, you will need to explicitly allow the connection to the destination pod. If the pod is not selected by any policy, its outgoing (egress) traffic is implicitly allowed.

Similarly, the fate of a destination pod selected by one or more ingress policies will be determined by their disjunction. In that case, you must explicitly allow it to receive traffic from the source pod. If the pod is not selected by any policy, all incoming traffic is allowed by default.

See "Stateful or stateless?" below.

Logs

Kubernetes network policies cannot log traffic. This makes it hard to determine whether a policy is working as intended and greatly complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not allow you to specify a fully qualified domain name (DNS) in egress sections. This causes considerable inconvenience when trying to restrict traffic to external destinations without a fixed IP address (such as aws.com).

Policy validation

Firewalls warn you or even refuse to accept an incorrect policy. Kubernetes also does some validation. When a network policy is set via kubectl, Kubernetes may declare it invalid and refuse to accept it. In other cases, Kubernetes will accept the policy and fill in the missing details. These can be seen with the command:

kubectl get networkpolicy <policy-name> -o yaml

Keep in mind that the Kubernetes validation mechanism is not infallible and may miss some kinds of errors.

Enforcement

Kubernetes does not enforce network policies itself; it is just an API gateway that delegates the burden of enforcement to the underlying system called the Container Networking Interface (CNI). Setting policies in a Kubernetes cluster without deploying a suitable CNI is like creating policies on a firewall management server without then installing them on the firewalls. It is up to you to ensure that you have a capable CNI or, in the case of Kubernetes platforms hosted in the cloud (you can see the list of providers here - translator's note), to enable network policies, which will set up the CNI for you.

Note that Kubernetes will not warn you if you set a network policy without a suitable CNI helper.

Stateful or stateless?

All Kubernetes CNIs I have encountered are stateful (for example, Calico uses Linux conntrack). This allows a pod to receive responses to a TCP connection it initiated without opening it again. However, I am not aware of a Kubernetes standard that would guarantee statefulness.

Advanced security policy management

Here are some ways to improve security policy enforcement in Kubernetes:

  1. The Service Mesh architectural pattern uses sidecar containers to provide detailed telemetry and traffic control at the service level. Istio can be taken as an example.
  2. Some CNI vendors have extended their tools to go beyond Kubernetes network policies.
  3. Tufin Orca provides visibility and automation of Kubernetes network policies.

The Tufin Orca suite manages Kubernetes network policies (and is the source of the screenshots above).

Conclusion

Kubernetes network policies provide a good tool for segmenting clusters, but they are not intuitive and have many pitfalls. Because of this complexity, I believe many existing cluster policies are buggy. Possible solutions to this problem include automating policy definitions or using other means of segmentation.

I hope this guide helps clarify some questions and resolve issues you may encounter.

Source: www.habr.com