Kubernetes Network Policies for Security Professionals


Translator's note: the author of the article, Reuven Harrison, has more than 20 years of experience in software development and is today the CTO and co-founder of Tufin, a company that builds security policy management solutions. While he regards Kubernetes network policies as a powerful tool for network segmentation within a cluster, he also believes they are not easy to use. This (rather extensive) material is intended to improve practitioners' understanding of the subject and help them make the necessary configurations.

Today, many companies choose Kubernetes to run their applications. Interest in this software is so high that some call Kubernetes "the new operating system of the data center." Gradually, Kubernetes (or k8s) is coming to be regarded as a business-critical component that requires mature business processes, including network security.

For security professionals puzzled by working with Kubernetes, a real revelation may be the platform's default policy: allow everything.

This guide will help you understand the internal structure of network policies and how they differ from conventional firewall rules. It also covers pitfalls and gives recommendations that help secure applications in Kubernetes.

Kubernetes network policies

The Kubernetes network policy mechanism lets you control the interaction of applications deployed on the platform at the network layer (layer 3 of the OSI model). Network policies lack some of the advanced features of modern firewalls, such as OSI Layer 7 enforcement and threat detection, but they provide a basic level of network security that is a good starting point.

Network policies control communication between pods

Workloads in Kubernetes are distributed across pods, each consisting of one or more containers deployed together. Kubernetes assigns every pod an IP address that is reachable from other pods. Kubernetes network policies set access permissions for groups of pods in the same way that security groups in the cloud are used to control access to virtual machine instances.

Defining network policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the balance application gets access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress

[Screenshot: the policy as displayed in Tufin Orca]

(Translator's note: this screenshot, like the similar ones that follow, was not produced with native Kubernetes tools but with Tufin Orca, a product of the original author's company that is mentioned at the end of the article.)

To define your network policy you will need a basic knowledge of YAML. The language is based on indentation (with spaces, not tabs). An indented element belongs to the nearest less-indented element above it. A new list element starts with a hyphen; all other elements are key-value pairs.

After defining the policy in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Network policy specification

The specification of a Kubernetes network policy consists of four elements:

  1. podSelector: defines the pods the policy applies to (the targets) - required;
  2. policyTypes: indicates which policy types are included here: ingress and/or egress - optional, but I recommend always specifying it explicitly;
  3. ingress: defines the allowed incoming traffic to the target pods - optional;
  4. egress: defines the allowed outgoing traffic from the target pods - optional.

An example taken from the Kubernetes website (I replaced role with app) shows how all four elements are used:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978


Note that not all four elements have to be present. Only podSelector is mandatory; the other elements are used as needed.

If you omit policyTypes, the policy is interpreted as follows:

  • It is assumed by default to define the ingress side. If the policy does not state this explicitly, the system treats all incoming traffic as denied.
  • The behavior on the egress side is determined by the presence or absence of the corresponding egress element.

To avoid mistakes, I recommend always specifying policyTypes explicitly.

By the logic above, if the ingress and/or egress elements are omitted, the policy denies all traffic (see "Cleanup rule" below).

The default policy is allow

If no policies are defined, Kubernetes allows all traffic by default. All pods can exchange data with each other freely. This may seem counterintuitive from a security point of view, but remember that Kubernetes was originally built by developers to make applications work. Network policies were added later.

Namespaces

Namespaces are the multi-tenancy mechanism of Kubernetes. They are designed to isolate logical environments from one another, while communication between namespaces is allowed by default.

Like most Kubernetes components, network policies live in a particular namespace. In the metadata block you can specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not specified explicitly in metadata, the system uses the namespace given to kubectl (by default namespace=default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend specifying the namespace explicitly, unless you are writing a policy intended for several namespaces at once.

The top-level podSelector of a policy selects pods from the namespace the policy belongs to (it cannot select pods from another namespace).

Likewise, podSelectors in ingress and egress blocks can only select pods in their own namespace, unless you combine them with a namespaceSelector (this is covered in the section "Filtering by namespaces and pods").

Policy naming rules

Policy names are unique within a namespace. There cannot be two policies with the same name in one namespace, but there can be policies with the same name in different namespaces. This is useful when you want to apply the same policy in several namespaces.

I particularly like one naming convention: combine the namespace name with the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods they apply to:

podSelector:
  matchLabels:
    role: db

... or the namespaces they apply to. This example selects all pods in the namespaces that carry the matching label:

namespaceSelector:
  matchLabels:
    project: myproject

One caveat: when using namespaceSelector, make sure the namespaces you select actually carry the required label. Note that built-in namespaces such as default and kube-system have no labels by default.

You can add a label to a namespace like this:

kubectl label namespace default namespace=default

At the same time, the namespace in the metadata section must refer to the real namespace name, not a label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Source and destination

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are defined for a target (the set of pods they apply to) and then set the rules for ingress and/or egress traffic. In our example, the policy target is all pods in the default namespace that carry a label with key app and value db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978


The ingress subsection of this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the corresponding destination. Likewise, egress is the destination and the target is its source.


This is equivalent to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting egress traffic, pay special attention to DNS: Kubernetes uses this service to map service names to IP addresses. For example, the following policy will not work, because you have not allowed the balance application to access DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress


You can fix this by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress


The last to element is empty, so it implicitly selects all pods in all namespaces, which lets balance send DNS queries to the appropriate Kubernetes service (usually running in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it allows DNS queries to be sent outside the cluster.

You can tighten it in three successive steps.

1. Allow DNS queries only within the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress


2. Allow DNS queries only to the kube-system namespace.

To do this, add a label to the kube-system namespace with kubectl label namespace kube-system namespace=kube-system, and then reference it in the policy with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress


3. The paranoid can go even further and restrict DNS queries to a specific DNS service in kube-system. The section "Filtering by namespaces and pods" explains how to achieve this.

Another option is to allow DNS at the namespace level. In that case it does not have to be opened for every service separately:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

The empty podSelector selects all pods in the namespace.
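
The checks below, an added example that is not code from the article or from Kubernetes, lint a policy for the pitfalls described in this section and in the policyTypes and namespace sections above: omitted policyTypes defaults, a listed direction with no rules (deny all), and egress that cannot reach cluster DNS on UDP/53. It assumes policies are given as Python dicts mirroring the YAML and that cluster DNS runs in kube-system on UDP/53, as the article describes.

```python
"""Lint a NetworkPolicy dict for the pitfalls discussed in the article
(added example, not Kubernetes code): policyTypes defaults, missing
namespace, a direction listed with no rules, egress that starves DNS."""

DNS_PORT = 53  # assumption: cluster DNS is served on UDP/53 from kube-system


def effective_policy_types(spec):
    """Defaults the article describes when policyTypes is omitted: Ingress is
    always assumed; Egress only when an egress block is present."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress"] + (["Egress"] if "egress" in spec else [])


def rule_reaches_dns(rule, policy_ns):
    """Can one egress rule carry a DNS query to the cluster DNS service?
    Ports must admit UDP/53 (no 'ports' key means all ports and protocols), and
    the 'to' peers must be able to leave the policy's namespace: an empty 'to',
    an ipBlock or a namespaceSelector. A bare podSelector only selects pods in
    the policy's own namespace, which is not where DNS runs (kube-system)."""
    ports = rule.get("ports")
    if ports and not any(p.get("protocol", "TCP") == "UDP" and p.get("port") == DNS_PORT
                         for p in ports):
        return False
    peers = rule.get("to") or []  # 'to:' written with no value parses as None
    if not peers or policy_ns == "kube-system":
        return True
    return any("ipBlock" in peer or "namespaceSelector" in peer for peer in peers)


def lint_policy(policy):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    meta, spec = policy.get("metadata", {}), policy.get("spec", {})
    types = effective_policy_types(spec)
    if "namespace" not in meta:
        findings.append(("NO_NAMESPACE",
                         "metadata.namespace missing; kubectl's current namespace is used"))
    if "policyTypes" not in spec:
        findings.append(("NO_POLICYTYPES", "policyTypes omitted; effective types: %s" % types))
    for direction in ("Ingress", "Egress"):
        key = direction.lower()
        if direction in types and key not in spec:
            findings.append(("DENY_ALL_" + direction.upper(),
                             "%s listed but no %s rules: all %s traffic is denied"
                             % (direction, key, key)))
        if direction not in types and key in spec:
            findings.append(("IGNORED_" + direction.upper(),
                             "%s rules present but %s not in policyTypes: they have no effect"
                             % (key, direction)))
    if "Egress" in types and "egress" in spec and not any(
            rule_reaches_dns(r, meta.get("namespace")) for r in spec["egress"]):
        findings.append(("NO_DNS_EGRESS",
                         "egress restricted without a rule reaching cluster DNS on UDP/53"))
    return findings


# Constructed samples mirroring the article's default.balance policies.
BROKEN_BALANCE = {
    "metadata": {"name": "default.balance", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]}],
             "policyTypes": ["Egress"]},
}
FIXED_BALANCE = {
    "metadata": {"name": "default.balance", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]},
                        {"to": [{"namespaceSelector": {}}],
                         "ports": [{"protocol": "UDP", "port": 53}]}],
             "policyTypes": ["Egress"]},
}
NO_TYPES = {  # policyTypes omitted and no ingress block: ingress is silently denied
    "metadata": {"name": "default.balance", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
             "egress": [{"to": [{"namespaceSelector": {}}],
                         "ports": [{"protocol": "UDP", "port": 53}]}]},
}

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_BALANCE), ("fixed", FIXED_BALANCE), ("no-types", NO_TYPES)):
        print(name, lint_policy(pol))
```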


First match and rule order

In conventional firewalls, the action (Allow or Deny) for a packet is determined by the first rule it matches. In Kubernetes, the order of policies does not matter.

By default, when no policies are defined, communication between pods is allowed and they can exchange data freely. Once you start creating policies, every pod affected by at least one of them becomes isolated according to the disjunction (logical OR) of all the policies that select it. Pods not affected by any policy remain open.

You can change this behavior with a cleanup rule.

Cleanup rule ("Deny")

Firewall policies usually deny all traffic that is not explicitly allowed.

Kubernetes has no deny action; however, the same effect can be achieved with an ordinary (allow) policy that selects an empty set of source pods (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress


This policy selects all pods in the namespace and leaves ingress undefined, which denies all incoming traffic.

Similarly, you can block all traffic leaving the namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress


Note that any additional policies allowing traffic to pods in the namespace take precedence over this rule (the equivalent of adding an allow rule before the deny rule in a firewall configuration).

Allow everything (Any-Any-Any-Allow)

To create an Allow All policy, you need to extend the Deny policy above with an empty ingress element:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress


It allows access from all pods in all namespaces (and from all IPs) to any pod in the default namespace. This behavior is allowed by default, so it usually does not need to be defined explicitly. However, it can sometimes be useful for temporarily suspending restrictions while you track down a problem.

The rule can be narrowed to allow access only to a specific set of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress: 
  - {}
  policyTypes:
  - Ingress


The following policy allows all incoming and outgoing traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress


Combining multiple policies

Policies are combined with logical OR at three levels; the permissions of each pod are determined by the disjunction of all the policies that affect it:

1. In the from and to fields, three kinds of elements can be defined (all of which are combined with OR):

  • namespaceSelector: selects an entire namespace;
  • podSelector: selects pods;
  • ipBlock: selects a subnet.

Moreover, the number of elements (even identical ones) in the from/to subsections is unlimited. All of them are combined with logical OR.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


2. Within the ingress section of a policy there can be several from elements (combined with logical OR). Likewise, the egress section can contain several to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


3. Different policies are also combined with logical OR.

But when combining them, there is one limitation pointed out by Chris Cooney: Kubernetes can only combine policies with different policyTypes (Ingress or Egress). Policies that define ingress (or egress) will overwrite each other.

Relationships between namespaces

By default, data exchange between namespaces is allowed. This can be changed with a deny policy that blocks traffic leaving and/or entering the namespace (see "Cleanup rule" above).

Once you have blocked access to a namespace (see "Cleanup rule" above), you can make exceptions to the deny policy by allowing connections from a specific namespace with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress


As a result, all pods in the default namespace get access to the postgres pods in the database namespace. But what if you want to open access to postgres only for specific pods in the default namespace?

Filtering by namespaces and pods

Kubernetes 1.11 and later lets you combine the namespaceSelector and podSelector operators with logical AND. It looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Why is this interpreted as AND rather than the usual OR?

Note that podSelector does not start with a hyphen. In YAML this means that podSelector and the namespaceSelector above it belong to the same list element. They are therefore combined with logical AND.

Adding a hyphen before podSelector would create a new list element, which would be combined with the preceding namespaceSelector using logical OR.

To select pods with a given label in all namespaces, specify an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Multiple labels are combined with AND

Firewall rules with multiple objects (hosts, networks, groups) combine them with logical OR. The following rule applies if the packet source matches Host_1 OR Host_2:

| Source         | Destination | Service | Action |
|----------------|-------------|---------|--------|
| Host_1, Host_2 | Subnet_A    | HTTPS   | Allow  |

In contrast, in Kubernetes the individual labels in a podSelector or namespaceSelector are combined with logical AND. For example, the following rule selects pods that carry both labels, role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to all kinds of selectors: those that select policy targets, those that select pods, and those that select namespaces.

Subnets and IP addresses (IPBlocks)

Firewalls use VLANs, IP addresses and subnets to segment the network.

In Kubernetes, IP addresses are assigned to pods automatically and can change frequently, so network policies use labels to select pods and namespaces.

Subnets (ipBlocks) are used to control incoming (ingress) or outgoing (egress) external (North-South) connections. For example, this policy gives all pods in the default namespace access to Google's DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53


The empty selector in this example means "select all pods in the namespace."

This policy allows access only to 8.8.8.8; access to any other IP is blocked. So, in effect, you have blocked access to the internal Kubernetes DNS service. If you still want it open, state so explicitly.

Usually ipBlocks and podSelectors are mutually exclusive, since the internal IP addresses of pods are not used in ipBlocks. By specifying internal pod IPs you would in fact allow connections to/from the pods with those addresses. In practice you cannot know which IP address to use, which is why they should not be used to select pods.

As a counter-example, the following policy includes all IPs and therefore allows access to all other pods as well:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0


You can open access only to external IPs, excluding the internal IP addresses of pods. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14
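
The evaluator below is an added example (not from the article or from Kubernetes) that encodes the combination rules from the sections "Combining multiple policies", "Filtering by namespaces and pods", "Multiple labels are combined with AND" and "Subnets and IP addresses": it decides whether ingress from one pod to another is allowed under a set of policies. The pod inventory, namespace labels, IPs and policy dicts are constructed assumptions, and only the Ingress direction is evaluated.

```python
"""Ingress evaluation for Kubernetes NetworkPolicies (added example, not
Kubernetes code): matchLabels are ANDed, namespaceSelector+podSelector in one
'from' element are ANDed, peers/rules/policies are ORed, a bare podSelector is
scoped to the policy's namespace, and a pod no policy selects stays open."""
import ipaddress

# Constructed inventory: (namespace, pod name) -> labels and pod IP.
PODS = {
    ("database", "postgres-0"): {"labels": {"app": "postgres"}, "ip": "10.16.1.5"},
    ("default", "admin-1"): {"labels": {"app": "admin"}, "ip": "10.16.2.7"},
    ("default", "indexer-1"): {"labels": {"app": "indexer"}, "ip": "10.16.2.8"},
    ("staging", "admin-9"): {"labels": {"app": "admin"}, "ip": "10.16.3.3"},
}
# Constructed namespace labels; 'staging' was never labelled (see the Labels caveat).
NAMESPACES = {"database": {"namespace": "database"},
              "default": {"namespace": "default"}, "staging": {}}


def labels_match(selector, labels):
    """Every matchLabels entry must be present (AND); {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def selects_target(policy, ns, pod):
    """spec.podSelector can only select pods in the policy's own namespace."""
    return (policy["metadata"]["namespace"] == ns
            and labels_match(policy["spec"]["podSelector"], PODS[(ns, pod)]["labels"]))


def peer_matches(peer, policy_ns, src_ns, src_pod):
    """One element of a 'from' list. ipBlock is tested against the pod IP with
    'except' carved out; namespaceSelector and podSelector written in the same
    element must both hold; a podSelector alone is scoped to policy_ns."""
    src = PODS[(src_ns, src_pod)]
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], NAMESPACES[src_ns]):
            return False
    elif src_ns != policy_ns:
        return False
    if "podSelector" in peer:
        return labels_match(peer["podSelector"], src["labels"])
    return True


def ingress_allowed(policies, src, dst):
    """src and dst are (namespace, pod name) tuples."""
    selecting = [p for p in policies
                 if "Ingress" in p["spec"]["policyTypes"] and selects_target(p, *dst)]
    if not selecting:
        return True  # not isolated by any policy: default allow
    for pol in selecting:  # policies are ORed
        for rule in pol["spec"].get("ingress", []):  # no ingress key: deny all
            if "from" not in rule:
                return True  # the '- {}' rule allows from anywhere
            if any(peer_matches(peer, pol["metadata"]["namespace"], *src)
                   for peer in rule["from"]):  # peers are ORed
                return True
    return False


def make_policy(name, ns, target, ingress=None):
    """Build an Ingress-type policy dict mirroring the YAML on the page."""
    spec = {"podSelector": target, "policyTypes": ["Ingress"]}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}


TARGET = {"matchLabels": {"app": "postgres"}}
# namespaceSelector and podSelector in ONE element: namespace=default AND app=admin.
POLICY_AND = make_policy("database.postgres", "database", TARGET, [{"from": [
    {"namespaceSelector": {"matchLabels": {"namespace": "default"}},
     "podSelector": {"matchLabels": {"app": "admin"}}}]}])
# The same selectors as TWO elements (hyphen before podSelector): ORed, and the
# bare podSelector now only sees pods inside the 'database' namespace.
POLICY_OR = make_policy("database.postgres", "database", TARGET, [{"from": [
    {"namespaceSelector": {"matchLabels": {"namespace": "default"}}},
    {"podSelector": {"matchLabels": {"app": "admin"}}}]}])
# ipBlock over the pod CIDR with one /24 carved out via 'except'.
POLICY_IPBLOCK = make_policy("database.postgres-ip", "database", TARGET, [{"from": [
    {"ipBlock": {"cidr": "10.16.0.0/14", "except": ["10.16.2.0/24"]}}]}])
# Cleanup rule: selects every pod in the namespace and defines no ingress.
DENY_ALL = make_policy("deny-all", "database", {})

if __name__ == "__main__":
    dst = ("database", "postgres-0")
    for src in PODS:
        if src != dst:
            print(src, "->", dst, ingress_allowed([POLICY_AND], src, dst))
```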


Ports and protocols

Typically, pods listen on a single port. This means you can omit port numbers in policies and leave everything at its default. However, policies should be as restrictive as possible, so in some cases you may still want to specify ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
      - port: 443      # <<<
        protocol: TCP  # <<<
      - port: 80       # <<<
        protocol: TCP  # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


Note that the ports selector applies to all elements of the to or from block that contains it. To specify different ports for different groups of elements, split ingress or egress into several subsections with to or from and specify the ports in each:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
     - port: 443       # <<<
       protocol: TCP   # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
     - port: 80        # <<<
       protocol: TCP   # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress


Default port behavior:

  • If you omit the port definition entirely (ports), this means all protocols and all ports;
  • If you omit the protocol definition (protocol), this means TCP;
  • If you omit the port definition (port), this means all ports.

Best practice: do not rely on default values; state what you need explicitly.

Note that you must use pod ports, not service ports (more on this in the next section).

Are policies defined for pods or for services?

Typically, Kubernetes pods reach each other through a service, a virtual load balancer that routes traffic to the pods implementing the service. You might think that network policies control access to services, but that is not the case. Kubernetes network policies work on pod ports, not service ports.

For example, if a service listens on port 80 but routes traffic to port 8080 of its pods, then 8080 is what must be specified in the network policy.

This mechanism should be considered suboptimal: if the internal structure of the service (the ports its pods listen on) changes, the network policies will have to be updated.

The newer architectural approach using a Service Mesh (for example, see Istio below - translator's note) lets you address this problem.

Do you need to define both Ingress and Egress?

The short answer is yes: for pod A to communicate with pod B, it must be allowed to create an outgoing connection (for this you need an egress policy), and pod B must be able to accept an incoming connection (for this, accordingly, you need an ingress policy).

In practice, however, you can rely on the default policy to allow connections in one or both directions.

If a particular source pod is selected by one or more egress policies, the restrictions placed on it are determined by their disjunction. In that case you must explicitly allow it to connect to the destination pod. If the pod is not selected by any policy, its outgoing (egress) traffic is allowed by default.

Likewise, the fate of a destination pod selected by one or more ingress policies is determined by their disjunction. In that case you must explicitly allow it to receive traffic from the source pod. If the pod is not selected by any policy, all ingress traffic to it is allowed by default.

See "Stateful or stateless?" below.

Logs

Kubernetes network policies cannot log traffic. This makes it hard to verify that a policy works as intended and greatly complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not let you specify a fully qualified domain name (DNS) in egress sections. This is a major inconvenience when trying to restrict traffic to external destinations that do not have a fixed IP address (such as aws.com).

Policy validation

Firewalls warn you about, or refuse to accept, an invalid policy. Kubernetes also performs some validation. When you submit a network policy through kubectl, Kubernetes may declare it invalid and refuse to accept it. In other cases, Kubernetes accepts the policy and fills in the missing details. These can be viewed with the command:

kubectl get networkpolicy <policy-name> -o yaml

Remember that the Kubernetes validation system is not infallible and may miss some kinds of errors.

Enforcement

Kubernetes does not enforce network policies itself; it is merely an API gateway that hands the burden of enforcement to an underlying system called the Container Networking Interface (CNI). Defining policies on a Kubernetes cluster without installing a suitable CNI is like creating policies on a firewall management server without pushing them to the firewalls. It is up to you to make sure you have a decent CNI or, in the case of Kubernetes platforms hosted in the cloud (a list of providers can be found here - translator's note), to enable network policies, which will set up the CNI for you.

Note that Kubernetes will not warn you if you define a network policy without a suitable CNI.

Stateful or stateless?

All the Kubernetes CNIs I have encountered are stateful (for example, Calico uses Linux conntrack). This lets a pod receive responses on a TCP connection it initiated without re-establishing it. However, I am not aware of a Kubernetes standard that would guarantee statefulness.

Advanced security policy management

Here are some ways to improve security policy management in Kubernetes:

  1. The Service Mesh architectural pattern uses sidecar containers to provide comprehensive telemetry and traffic control at the service level. Istio can serve as an example.
  2. Some CNI vendors have extended their tools beyond Kubernetes network policies.
  3. Tufin Orca provides visibility and automation for Kubernetes network policies.

The Tufin Orca suite manages Kubernetes network policies (and is the source of the screenshots above).


Conclusion

Kubernetes network policies offer a good set of tools for segmenting clusters, but they are unintuitive and have many subtleties. Because of this complexity, I believe that many existing cluster policies have problems. Possible solutions include automated policy definitions or the use of other segmentation tools.

I hope this guide helps you answer some questions and resolve problems you may encounter.


Source: www.habr.com
