An Introduction to Kubernetes Network Policies for Security Professionals

Translator's note: the author of the article, Reuven Harrison, has more than 20 years of experience in software development and is today the CTO and co-founder of Tufin, a company that builds security policy management solutions. While he regards Kubernetes network policies as a powerful tool for segmenting the network within a cluster, he also believes they are not easy to put into practice. This (rather voluminous) material aims to improve practitioners' understanding of the subject and help them make the necessary configuration.

Today more and more companies choose Kubernetes to run their applications. Interest in this software is so high that some call Kubernetes "the new operating system of the data center." Gradually, Kubernetes (or k8s) is coming to be seen as a business-critical part of the infrastructure, which requires establishing mature business processes around it, including network security.

For security professionals puzzled by working with Kubernetes, the real revelation may be the platform's default policy: allow everything.

This guide will help you understand the internal structure of network policies and how they differ from conventional firewall rules. It also covers some pitfalls and gives recommendations that will help secure applications running in Kubernetes.

Kubernetes network policies

The Kubernetes network policy mechanism lets you control the interaction of applications deployed on the platform at the network layer (layer three of the OSI model). Network policies lack some of the advanced features of modern firewalls, such as OSI Layer 7 enforcement and threat detection, but they provide a basic level of network security that is a good starting point.

Network policies control communication between pods

Workloads in Kubernetes are distributed across pods, each of which consists of one or more containers deployed together. Kubernetes assigns every pod an IP address that is reachable from other pods. Kubernetes network policies set access permissions for groups of pods in the same way that cloud security groups are used to control access to virtual machine instances.

Defining network policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the application balance is allowed access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress

[screenshot]

(Translator's note: this screenshot, like all the similar ones that follow, was not made with native Kubernetes tools but with Tufin Orca, a tool developed by the company of the original article's author and mentioned at the end of the material.)

To define your own network policy you will need a basic knowledge of YAML. The language is based on indentation (with spaces, not tabs). An indented element belongs to the nearest element above it that is indented less. A new list item starts with a hyphen; all other items have the key-value form.

After describing the policy in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Network policy specification

A Kubernetes network policy specification consists of four elements:

  1. podSelector: defines the pods affected by this policy (the targets) - required;
  2. policyTypes: indicates which policy types are included: ingress and/or egress - optional, but I recommend specifying it explicitly in all cases;
  3. ingress: defines the allowed incoming traffic to the target pods - optional;
  4. egress: defines the allowed outgoing traffic from the target pods - optional.

The following example, taken from the Kubernetes website (I changed role to app), shows how all four are used:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

Note that all four elements do not have to be present. Only podSelector is required; the other parameters are used as needed.

If you omit policyTypes, the policy is interpreted as follows:

  • By default it is assumed to define the ingress side. If the policy does not define ingress explicitly, the system assumes that all incoming traffic is denied.
  • Behavior on the egress side is determined by the presence or absence of the corresponding egress parameter.

To avoid mistakes, I recommend always specifying policyTypes explicitly.

By the logic above, if the ingress and/or egress parameters are omitted, the policy denies all traffic in that direction (see "The deny rule" below).

The default policy is allow

If no policies are defined, Kubernetes allows all traffic by default: all pods can freely exchange information with each other. This may seem counterintuitive from a security standpoint, but remember that Kubernetes was originally designed by developers to make applications interoperable. Network policies were added later.

Namespaces

Namespaces are the Kubernetes mechanism for multi-tenancy. They are designed to separate logical environments from each other, yet communication between namespaces is allowed by default.

Like many Kubernetes components, network policies live in a particular namespace. In the metadata block you specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not mentioned explicitly in metadata, the system uses the namespace given to kubectl (by default namespace=default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.

The main podSelector element of a policy selects pods from the namespace the policy belongs to (it cannot select pods from another namespace).

Likewise, the podSelectors in the ingress and egress blocks can only select pods in their own namespace, unless you combine them with a namespaceSelector (this is covered in the section "Filtering by namespaces AND pods").

Naming rules

Policy names are unique within a namespace. There cannot be two policies with the same name in one namespace, but policies with the same name may exist in different namespaces. This is useful when you want to reuse the same policy across several namespaces.

I particularly like one naming approach: combining the namespace name with the name of the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods they apply to:

podSelector:
  matchLabels:
    role: db

... or the namespaces they apply to. This example selects all pods in the namespaces carrying the matching label:

namespaceSelector:
  matchLabels:
    project: myproject

One caution: when using a namespaceSelector, make sure the namespaces you select actually carry the right label. Note that the built-in namespaces such as default and kube-system have no labels by default.

You can add a label to a namespace like this:

kubectl label namespace default namespace=default

At the same time, the namespace in the metadata section must refer to the real namespace name, not the label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Source and destination

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are instead defined for a target - the set of pods they apply to - and then set rules for its incoming and/or outgoing traffic. In our example, the policy target is every pod in the default namespace with the label key app and value db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

The ingress subsection of this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the corresponding destination. Likewise, egress is the destination and the target is its source.

This is equivalent to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting outgoing traffic, pay special attention to DNS - Kubernetes uses this service to map service names to IP addresses. For example, the following policy will not work, because you have not allowed the balance application to reach DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress

You can fix it by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress

The last to element is empty and therefore implicitly selects all pods in all namespaces, allowing balance to send DNS queries to the corresponding Kubernetes service (which usually runs in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it also allows DNS queries to be sent outside the cluster.

You can tighten it in three successive steps.

1. Allow DNS queries only within the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

2. Allow DNS queries only to the kube-system namespace.

To do this you need to add a label to the kube-system namespace - kubectl label namespace kube-system namespace=kube-system - and then reference it in the policy with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

3. The paranoid can go further and restrict DNS queries to a specific DNS service in kube-system. The section "Filtering by namespaces AND pods" explains how to achieve this.

Another option is to allow DNS at the namespace level. In that case you do not need to open it for every service separately:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

The empty podSelector selects all pods in the namespace.

First match and rule order

In conventional firewalls, the action (Allow or Deny) taken on a packet is determined by the first rule it matches. In Kubernetes, the order of policies does not matter.

By default, when no policies are set, communication between pods is allowed and they can freely exchange information. As soon as you start creating policies, every pod affected by at least one of them becomes isolated according to the disjunction (logical OR) of all the policies that select it. Pods not affected by any policy remain completely open.

You can change this behavior with a deny rule.

The deny rule ("Deny")

Firewall policies usually deny any traffic that is not explicitly allowed.

There is no deny action in Kubernetes, but the same effect can be achieved with an ordinary (allow) policy by selecting an empty set of source pods (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress

This policy selects all pods in the namespace and leaves ingress undefined, thereby denying all incoming traffic.

In the same way, you can deny all outgoing traffic from a namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress

Note that any additional policy allowing traffic to pods in the namespace takes precedence over this rule (similar to adding an allow rule in front of the deny rule in a firewall configuration).

Allow everything (Any-Any-Any-Allow)

To create an Allow All policy, supplement the Deny policy above with an empty ingress element:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress

It allows access from all pods in all namespaces (and from any IP) to any pod in the default namespace. This is the default behavior, so it normally does not need to be defined. However, sometimes you may want to temporarily override specific restrictions while diagnosing a problem.

The rule can be narrowed to allow access only to a specific set of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress: 
  - {}
  policyTypes:
  - Ingress

The following policy allows all ingress and egress traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress

Combining multiple policies

Policies are combined with logical OR at three levels; each pod's permissions are the disjunction of all the policies that affect it:

1. In the from and to fields, three kinds of element can be specified (all combined with OR):

  • namespaceSelector - selects an entire namespace;
  • podSelector - selects pods;
  • ipBlock - selects a subnet.

Moreover, the number of elements (even identical ones) in the from/to subsections is unlimited. All of them are combined with logical OR.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

2. Within a policy's ingress section there can be several from elements (combined with logical OR). Likewise, the egress section may contain several to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

3. Separate policies are also combined with logical OR.

When combining them, however, there is one limitation that Chris Cooney pointed out: Kubernetes can only combine policies with different policyTypes (Ingress or Egress). Policies that both define ingress (or both define egress) will overwrite one another.

Relationships between namespaces

By default, exchanging information between namespaces is allowed. This can be changed with a deny policy that blocks outgoing and/or incoming traffic for the namespace (see "The deny rule" above).

Once you have closed access to a namespace (see "The deny rule" above), you can make exceptions to the deny policy by allowing connections from a specific namespace with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress

As a result, all pods in the default namespace get access to the postgres pods in the database namespace. But what if you want to open access to postgres only to specific pods in the default namespace?

Filtering by namespaces AND pods

Kubernetes 1.11 and later lets you combine the namespaceSelector and podSelector operators with logical AND. It looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Why is this interpreted as AND rather than the usual OR?

Note that podSelector does not begin with a hyphen. In YAML this means that podSelector and the namespaceSelector before it belong to the same list element. They are therefore combined with logical AND.

Adding a hyphen in front of podSelector would create a new list element, which would be combined with the preceding namespaceSelector using logical OR.

To select pods with a specific label across all namespaces, use an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress
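As an added example (not code from the original article), the Python model below encodes the selector and combination rules described in this section and the ones before it: an empty selector matches everything, the keys of one matchLabels are ANDed, a namespaceSelector and a podSelector in the same from: element are ANDed, separate elements, separate from: entries and separate policies are ORed, a bare podSelector only sees the policy's own namespace, a pod selected by no ingress policy stays open, protocol defaults to TCP, and policy order is irrelevant. Policies are given as Python dicts (the parsed form of the page's YAML) so it runs without a cluster; the namespace labels, pod labels and pod IPs are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed namespace labels: kube-system carries none, as the article
# warns is the case for built-in namespaces.
NAMESPACES = {
    "default": {"namespace": "default"},
    "database": {"namespace": "database"},
    "kube-system": {},
}

def selector_matches(selector, labels):
    """Keys in matchLabels are ANDed; an empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, policy_ns):
    """One element of a from: list.  namespaceSelector and podSelector written in
    the same element are ANDed; an ipBlock (with its except: list) stands alone."""
    if "ipBlock" in peer:
        blk, ip = peer["ipBlock"], ip_address(src["ip"])
        return ip in ip_network(blk["cidr"]) and not any(
            ip in ip_network(e) for e in blk.get("except", []))
    if "namespaceSelector" in peer:
        ns_labels = NAMESPACES.get(src["namespace"], {})
        if not selector_matches(peer["namespaceSelector"], ns_labels):
            return False
    elif src["namespace"] != policy_ns:
        return False  # a bare podSelector only sees the policy's own namespace
    if "podSelector" in peer:
        return selector_matches(peer["podSelector"], src["labels"])
    return True

def port_matches(rule, proto, port):
    """No ports: means every protocol and port; protocol defaults to TCP;
    an entry without port: means all ports of that protocol."""
    if not rule.get("ports"):
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port", port) == port
               for p in rule["ports"])

def rule_allows(rule, src, proto, port, policy_ns):
    """Peers in one from: list are ORed and the rule's ports: applies to all of them;
    a rule without from: (the `- {}` form) admits every source."""
    peers = rule.get("from")
    src_ok = not peers or any(peer_matches(p, src, policy_ns) for p in peers)
    return src_ok and port_matches(rule, proto, port)

def selects_for_ingress(pol, target):
    """A policy isolates a pod for ingress when it lives in the pod's namespace,
    its podSelector matches, and Ingress is among its policyTypes (implied if omitted)."""
    spec = pol["spec"]
    return ("Ingress" in (spec.get("policyTypes") or ["Ingress"])
            and pol["metadata"]["namespace"] == target["namespace"]
            and selector_matches(spec["podSelector"], target["labels"]))

def ingress_allowed(policies, target, src, proto="TCP", port=5432):
    """A pod selected by no ingress policy is open; otherwise the union (OR) of the
    selecting policies' rules decides, whatever order they were created in."""
    applicable = [p for p in policies if selects_for_ingress(p, target)]
    if not applicable:
        return True
    return any(rule_allows(r, src, proto, port, p["metadata"]["namespace"])
               for p in applicable for r in p["spec"].get("ingress", []))

def policy(name, ns, pod_selector, ingress=None, policy_types=("Ingress",)):
    """Dict form of a NetworkPolicy (what the YAML on this page parses to)."""
    spec = {"podSelector": pod_selector, "policyTypes": list(policy_types)}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns}, "spec": spec}

PG = {"matchLabels": {"app": "postgres"}}
# The article's database.postgres policy in its AND form (one list element)...
AND_POLICY = policy("database.postgres", "database", PG, ingress=[{"from": [
    {"namespaceSelector": {"matchLabels": {"namespace": "default"}},
     "podSelector": {"matchLabels": {"app": "admin"}}}]}])
# ...and the OR form that a hyphen in front of podSelector would produce.
OR_POLICY = policy("database.postgres", "database", PG, ingress=[{"from": [
    {"namespaceSelector": {"matchLabels": {"namespace": "default"}}},
    {"podSelector": {"matchLabels": {"app": "admin"}}}]}])
DENY_ALL = policy("deny-all", "default", {})  # selects every pod, no ingress rules
INDEXER_ONLY = policy("default.postgres", "default", PG, ingress=[
    {"from": [{"podSelector": {"matchLabels": {"app": "indexer"}}}],
     "ports": [{"port": 5432}]}])  # protocol omitted, so TCP

# Constructed pods: namespace, labels and (for ipBlock checks) a pod IP.
POSTGRES_DB = {"namespace": "database", "labels": {"app": "postgres"}}
POSTGRES_DEFAULT = {"namespace": "default", "labels": {"app": "postgres"}}
ADMIN_DEFAULT = {"namespace": "default", "labels": {"app": "admin"}, "ip": "10.16.1.5"}
INDEXER_DEFAULT = {"namespace": "default", "labels": {"app": "indexer"}, "ip": "10.16.1.6"}
ADMIN_KUBESYS = {"namespace": "kube-system", "labels": {"app": "admin"}, "ip": "10.16.2.9"}

if __name__ == "__main__":
    for label, pols, src in (("AND form, admin/default", [AND_POLICY], ADMIN_DEFAULT),
                             ("AND form, indexer/default", [AND_POLICY], INDEXER_DEFAULT),
                             ("OR form, indexer/default", [OR_POLICY], INDEXER_DEFAULT),
                             ("AND form, admin/kube-system", [AND_POLICY], ADMIN_KUBESYS)):
        print(f"{label}: {ingress_allowed(pols, POSTGRES_DB, src)}")
```

The last case shows the labelling pitfall from the "Labels" section: an admin pod in the unlabelled kube-system namespace is rejected even by the OR form, because neither peer can match it.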

Multiple labels are combined with AND

Firewall rules with several objects (hosts, networks, groups) combine them with logical OR. The following rule matches if the packet source is Host_1 OR Host_2:

| Source | Destination | Service | Action |
|--------|-------------|---------|--------|
| Host_1 | Subnet_A    | HTTPS   | Allow  |
| Host_2 |             |         |        |

In contrast, in Kubernetes the different labels in a podSelector or namespaceSelector are combined with logical AND. For example, the following rule selects pods that carry both labels, role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to all kinds of selectors: the policy's target selector, pod selectors and namespace selectors.

Subnets and IP addresses (ipBlocks)

Firewalls use VLANs, IP addresses and subnets to segment a network.

In Kubernetes, IP addresses are assigned to pods automatically and can change frequently, so labels are used instead to select pods and namespaces in network policies.

Subnets (ipBlocks) are used to control incoming (ingress) or outgoing (egress) external connections (north-south traffic). For example, this policy lets all pods in the default namespace reach Google's DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53

The empty pod selector in this example means "select all pods in the namespace."

This policy allows access only to 8.8.8.8; access to any other IP is denied. So, in effect, you have blocked access to the internal Kubernetes DNS service. If you still want to allow it, specify this explicitly.

Usually ipBlocks and podSelectors are mutually exclusive, because internal pod IP addresses are not used in ipBlocks. If you did specify internal pod IPs, you would in fact allow connections to/from the pods with those addresses; but since you cannot know in advance which IP a pod will get, IP addresses should not be used to select pods.

As a counterexample, the following policy covers all IPs and therefore allows access to every other pod:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

You can allow access only to external IPs, excluding the internal pod addresses. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14

Ports and protocols

Pods usually listen on a single port. This means you could leave port numbers out of your policies and rely on the defaults. However, it is recommended to make policies as restrictive as possible, so in some cases you will still want to specify ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
      - port: 443      # <<<
        protocol: TCP  # <<<
      - port: 80       # <<<
        protocol: TCP  # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Note that the ports selector applies to all elements of the to or from block that contains it. To specify different ports for different sets of elements, split ingress or egress into several subsections, each with its own to or from, and list the ports in each of them:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
     - port: 443       # <<<
       protocol: TCP   # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
     - port: 80        # <<<
       protocol: TCP   # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Default port behavior:

  • if you omit the port definition entirely (ports), this means all protocols and all ports;
  • if you omit the protocol definition (protocol), this means TCP;
  • if you omit the port number (port), this means all ports of that protocol.

Best practice: do not rely on the defaults; specify explicitly what you need.
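As an added example (not from the article), the small Python linter below checks a policy, given as a dict in the parsed form of the YAML above, for the pitfalls collected on this page: a missing metadata.namespace or policyTypes (the "Namespaces" and "Network policy specification" sections), an egress policy that forgets UDP/53 for DNS (the "Egress and DNS" section), an ipBlock that covers the pod subnet (the "Subnets and IP addresses" section), and port entries that rely on the TCP default (this section). The pod CIDR 10.16.0.0/14 is the article's example value and is configured by hand, since a linter cannot discover it from a policy.

```python
from ipaddress import ip_network

# The article's example pod subnet; a linter cannot discover this by itself,
# so it is configured here (set it to your cluster's pod CIDR).
POD_CIDR = ip_network("10.16.0.0/14")

def peer_may_reach_dns(peer):
    """A namespaceSelector can reach kube-system; an ipBlock may name the DNS
    service IP (undecidable offline, so treated as possibly reaching); a bare
    podSelector stays in the policy's own namespace and cannot."""
    return "namespaceSelector" in peer or "ipBlock" in peer

def dns_permitted(rule):
    """An egress rule reaches DNS only if its ports admit UDP/53 (or it lists no
    ports) and its peers can include the DNS service (or it lists no peers)."""
    ports = rule.get("ports") or []
    port_ok = not ports or any(p.get("protocol", "TCP") == "UDP" and p.get("port", 53) == 53
                               for p in ports)
    peers = rule.get("to") or []
    return port_ok and (not peers or any(peer_may_reach_dns(p) for p in peers))

def covers_pod_cidr(block):
    """True if an ipBlock overlaps the pod subnet and except: does not carve it out."""
    if not ip_network(block["cidr"]).overlaps(POD_CIDR):
        return False
    return not any(POD_CIDR.subnet_of(ip_network(e)) for e in block.get("except", []))

def lint_policy(pol):
    """Return a list of findings; an empty list means none of the pitfalls was hit."""
    spec, meta = pol["spec"], pol.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    findings = []
    if "namespace" not in meta:
        findings.append(f"{name}: metadata.namespace missing; kubectl's current namespace applies")
    types = spec.get("policyTypes")
    if not types:
        findings.append(f"{name}: policyTypes missing; Ingress is implied, Egress only if egress: exists")
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Egress" in types:
        egress = spec.get("egress") or []
        if not any(dns_permitted(r) for r in egress):
            findings.append(f"{name}: no egress rule reaches a DNS server on UDP/53; "
                            "service name lookups will fail")
        for rule in egress:
            for peer in rule.get("to") or []:
                if "ipBlock" in peer and covers_pod_cidr(peer["ipBlock"]):
                    findings.append(f"{name}: ipBlock {peer['ipBlock']['cidr']} covers the pod CIDR; "
                                    "select pods by label instead")
    for direction in ("ingress", "egress"):
        for rule in spec.get(direction) or []:
            for p in rule.get("ports") or []:
                if "protocol" not in p:
                    findings.append(f"{name}: {direction} port {p.get('port', '*')} relies on the TCP default")
    return findings

# The page's policies in dict form (transcribed by hand from the YAML above).
BALANCE_NO_DNS = {"metadata": {"name": "default.balance", "namespace": "default"},
                  "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
                           "policyTypes": ["Egress"],
                           "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]}]}}
BALANCE_WITH_DNS = {"metadata": {"name": "default.balance", "namespace": "default"},
                    "spec": {"podSelector": {"matchLabels": {"app": "balance"}},
                             "policyTypes": ["Egress"],
                             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]},
                                        {"to": [{"namespaceSelector": {"matchLabels": {"namespace": "kube-system"}}}],
                                         "ports": [{"protocol": "UDP", "port": 53}]}]}}
EGRESS_ANY = {"metadata": {"name": "egress-any", "namespace": "default"},
              "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                       "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}}
EGRESS_ANY_EXTERNAL = {"metadata": {"name": "egress-any", "namespace": "default"},
                       "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                                "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                                                 "except": ["10.16.0.0/14"]}}]}]}}

if __name__ == "__main__":
    for pol in (BALANCE_NO_DNS, BALANCE_WITH_DNS, EGRESS_ANY, EGRESS_ANY_EXTERNAL):
        print(pol["metadata"]["name"], lint_policy(pol) or "ok")
```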

Note that you must use pod ports, not service ports (more on this in the next section).

Are policies defined for pods or for services?

Typically, pods in Kubernetes reach each other through a service - a virtual load balancer that forwards traffic to the pods implementing the service. You might think that network policies control access to services, but that is not the case: Kubernetes network policies work on pod ports, not service ports.

For example, if a service listens on port 80 but forwards traffic to port 8080 of its pods, you must specify 8080 explicitly in the network policy.

This mechanism should be regarded as suboptimal: if the internal structure of the service (the ports its pods listen on) changes, the network policies will have to be updated.

The newer architectural approach using a Service Mesh (for example, see Istio below - translator's note) lets you cope with this problem.

Is it necessary to define both Ingress and Egress?

The short answer is yes: for pod A to communicate with pod B, it must be allowed to open an outgoing connection (for this you need an egress policy), and pod B must be allowed to accept the incoming connection (for this, accordingly, you need an ingress policy).

In practice, however, you can rely on the default policy to allow the connection in one or both directions.

If a source pod is selected by one or more egress policies, the restrictions imposed on it are the disjunction of those policies. In that case you must explicitly allow the connection to the destination pod. If the pod is not selected by any policy, its outgoing (egress) traffic is allowed by default.

Similarly, the fate of a destination pod selected by one or more ingress policies is decided by their disjunction. In that case you must explicitly allow it to receive traffic from the source pod. If the pod is not selected by any policy, all of its incoming traffic is allowed by default.

See "Stateful or stateless?" below.

Logs

Kubernetes network policies cannot log traffic. This makes it hard to determine whether a policy works as intended, and it greatly complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not let you specify a fully qualified domain name (DNS) in egress sections. This leads to considerable inconvenience when you try to restrict traffic to external destinations that do not have a fixed IP address (such as aws.com).

Policy validation

Firewalls will warn you about, or even refuse to accept, an invalid policy. Kubernetes also performs some validation. When you set a network policy with kubectl, Kubernetes may declare it invalid and refuse to accept it. In other cases Kubernetes accepts the policy and fills in the missing details. These can be viewed with the following command:

kubectl get networkpolicy <policy-name> -o yaml

Keep in mind that the Kubernetes validation mechanism is not perfect and may miss some kinds of errors.

Enforcement

Kubernetes does not enforce network policies itself; it is only an API gateway that hands the work of enforcement to an underlying subsystem called the Container Networking Interface (CNI). Setting policies on a Kubernetes cluster without a suitable CNI is like creating policies on a firewall management server without installing them on the firewalls. It is up to you to make sure you have a suitable CNI or, in the case of Kubernetes platforms hosted in the cloud (you can find a list of providers here - translator's note), to enable network policies, which will set up the CNI.

Note that Kubernetes will not warn you if you set a network policy without a suitable CNI plugin.

Stateful or stateless?

All the Kubernetes CNIs I have encountered are stateful (for example, Calico uses Linux conntrack). This lets a pod receive replies on a TCP connection it initiated without having to re-establish it. However, I am not aware of a Kubernetes standard that would guarantee statefulness.

Advanced security policy management

Here are some ways to improve security policy enforcement in Kubernetes:

  1. The Service Mesh design pattern uses sidecar containers to provide detailed telemetry and traffic control at the service level. Istio can be taken as an example.
  2. Some CNI vendors have extended their tools beyond Kubernetes network policies.
  3. Tufin Orca provides visibility and automation for Kubernetes network policies.

The Tufin Orca package manages Kubernetes network policies (and is the source of the screenshots above).

Additional information

Conclusion

Kubernetes network policies provide a good set of tools for segmenting clusters, but they are not intuitive and have many subtleties. Because of this complexity, I believe that many of the policies in existing clusters are buggy. Possible solutions to this problem include automating policy definitions or using other segmentation tools.

I hope this guide helps clarify some questions and resolve the issues you may run into.

PS from the translator

Read also on our blog:

Source: www.habr.com