An Introduction to Kubernetes Network Policies for Security Professionals

Translator's note: the author of this article, Reuven Harrison, has more than 20 years of experience in software development and is today the CTO and co-founder of Tufin, a company that builds security policy management solutions. While he regards Kubernetes network policies as a fairly powerful tool for network segmentation in a cluster, he also believes they are not that simple to use in practice. This (fairly substantial) material is intended to raise practitioners' awareness of the problem and help them build the configurations they need.

Today, more and more companies choose Kubernetes to run their applications. Interest in this software is so high that some call Kubernetes "the new data center operating system." Gradually, Kubernetes (or k8s) is coming to be seen as a business-critical part of the enterprise, one that requires mature business processes, including network security.

For security professionals puzzled by how Kubernetes works, the real revelation may be the platform's default policy: allow everything.

This guide will help you understand the internal structure of network policies and how they differ from ordinary firewall rules. It also covers some pitfalls and gives recommendations to help secure applications in Kubernetes.

Kubernetes network policies

The Kubernetes network policy mechanism lets you control the interaction of applications deployed on the platform at the network layer (layer three of the OSI model). Network policies lack some of the advanced features of modern firewalls, such as OSI layer 7 enforcement and threat detection, but they provide a basic level of network security that is a good starting point.

Network policies control communication between pods

Workloads in Kubernetes are distributed across pods, which consist of one or more containers deployed together. Kubernetes assigns each pod an IP address that is reachable from other pods. Kubernetes network policies set access permissions for groups of pods in the same way that cloud security groups are used to control access to virtual machine instances.

Defining network policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the balance application is given access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress

(Translator's note: this screenshot, like all the similar ones that follow, was produced not with native Kubernetes tools but with Tufin Orca, a tool built by the original author's company and mentioned at the end of the article.)

To define your own network policy, you will need basic knowledge of YAML. This language is based on indentation (with spaces, not tabs). An indented element belongs to the nearest less-indented element above it. A new list item starts with a hyphen; all other elements have the form key: value.

After describing the policy in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Network policy specification

A Kubernetes network policy specification consists of four elements:

  1. podSelector: defines the pods affected by this policy (the targets) - required;
  2. policyTypes: indicates which policy types are included: ingress and/or egress - optional, but I recommend specifying it explicitly in every case;
  3. ingress: defines the allowed incoming traffic to the target pods - optional;
  4. egress: defines the allowed outgoing traffic from the target pods - optional.

An example taken from the Kubernetes website (I changed role to app) shows how all four elements are used:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

Note that not all four elements have to be present. Only podSelector is mandatory; the other parameters can be used as needed.

If you omit policyTypes, the policy is interpreted as follows:

  • By default, it is assumed to define the ingress side. If the policy does not specify this explicitly, the system assumes that all traffic is denied.
  • The behavior on the egress side is determined by the presence or absence of the corresponding egress parameter.

To avoid mistakes, I recommend always making policyTypes explicit.

By the logic above, if the ingress and/or egress parameters are omitted, the policy will deny all traffic (see "Deny rule" below).
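The defaulting rule just described is easy to get wrong in practice, so here is an added example (not code from the article or from Tufin) that reproduces it over policy specs written as plain Python dicts in the same shape as the YAML. The specs are constructed for the example; the function names and the "open"/"deny" vocabulary are this example's own.

```python
"""Added example, not from the original article: how an omitted policyTypes is
interpreted, following the defaulting rule described in the text (Ingress is
always assumed; Egress is added only when the spec has an egress section).
Specs are plain dicts in the same shape as the YAML; they are constructed here."""


def effective_policy_types(spec):
    """Return the policyTypes that apply: the field itself if present, else the default."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    types = ["Ingress"]                # assumed whenever policyTypes is omitted
    if "egress" in spec:               # Egress only when an egress section exists
        types.append("Egress")
    return types


def describe(spec):
    """Per direction, what this single policy does to its target pods:
    'open'      - this policy does not govern the direction,
    'deny'      - it governs the direction but lists no rules, so everything is denied,
    'N rule(s)' - it governs the direction with N allow rules."""
    result = {}
    for direction, section in (("Ingress", "ingress"), ("Egress", "egress")):
        if direction not in effective_policy_types(spec):
            result[direction] = "open"
        else:
            rules = spec.get(section) or []
            result[direction] = "deny" if not rules else f"{len(rules)} rule(s)"
    return result


# Constructed specs for the cases the text discusses.
TARGET_ONLY = {"podSelector": {"matchLabels": {"app": "postgres"}}}
INGRESS_RULE = {"podSelector": {"matchLabels": {"app": "postgres"}},
                "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "balance"}}}]}]}
EGRESS_NO_TYPES = {"podSelector": {"matchLabels": {"app": "balance"}},
                   "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]}]}
EGRESS_EXPLICIT = dict(EGRESS_NO_TYPES, policyTypes=["Egress"])
```

The EGRESS_NO_TYPES case is the one worth remembering: an egress-only policy that omits policyTypes is still treated as an Ingress policy with no rules, so it silently denies all incoming traffic to its targets. Writing policyTypes: [Egress] explicitly (EGRESS_EXPLICIT) leaves ingress untouched.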

Default policy: allow

If no policies are defined, Kubernetes allows all traffic by default. All pods can freely exchange data with one another. This may seem counterintuitive from a security standpoint, but remember that Kubernetes was originally designed by developers to enable application interaction. Network policies were added later.

Namespaces

Namespaces are Kubernetes's multi-tenancy mechanism. They are meant to isolate logical environments from one another, yet communication between namespaces is allowed by default.

Like most Kubernetes components, network policies live in a particular namespace. In the metadata block you specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not specified explicitly in the metadata, the system uses the namespace given to kubectl (by default namespace=default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.

The main podSelector element of a policy selects pods from the namespace the policy belongs to (it cannot reach pods in another namespace).

Similarly, the podSelectors in the ingress and egress blocks can only select pods from their own namespace, unless you combine them with a namespaceSelector (this is discussed in the section "Filter by namespaces AND pods").

Policy naming rules

Policy names are unique within a namespace. There cannot be two policies with the same name in the same namespace, but there can be policies with the same name in different namespaces. This is useful when you want to reuse the same policy in several namespaces.

I particularly like one naming approach. It consists of combining the namespace name with the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods they apply to:

podSelector:
  matchLabels:
    role: db

... or the namespaces they apply to. This example selects all pods in the namespaces that carry the matching label:

namespaceSelector:
  matchLabels:
    project: myproject

One caveat: when using namespaceSelector, make sure the namespaces you select actually carry the right label. Note that built-in namespaces such as default and kube-system have no labels by default.

You can add a label to a namespace like this:

kubectl label namespace default namespace=default

At the same time, the namespace in the metadata section must refer to the actual namespace name, not to a label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Source and destination

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are defined for a target - the set of pods they apply to - and then set rules for ingress and/or egress traffic. In our example, the policy target is all pods in the default namespace carrying a label with key app and value db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

The ingress clause in this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the corresponding destination. Likewise, egress is the destination and the target is its source.

This is equivalent to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting outgoing traffic, pay special attention to DNS - Kubernetes uses this service to map services to IP addresses. For example, the following policy will not work, because you have not allowed the balance application to reach DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress

You can fix it by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress

The last to element is empty, so it implicitly selects all pods in all namespaces, allowing balance to send DNS queries to the appropriate Kubernetes service (usually running in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it allows DNS queries to be directed outside the cluster.

You can improve it in three successive steps.

1. Allow DNS queries only within the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

2. Allow DNS queries only within the kube-system namespace.

To do this, add a label to the kube-system namespace: kubectl label namespace kube-system namespace=kube-system - and reference it in the policy with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

3. The paranoid can go further and restrict DNS queries to a specific DNS service in kube-system. The section "Filter by namespaces AND pods" explains how to achieve this.

Another option is to handle DNS at the namespace level. In that case, it does not need to be opened for each service separately:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

The empty podSelector selects all pods in the namespace.

First match and rule order

In conventional firewalls, the action (Allow or Deny) for a packet is determined by the first rule it matches. In Kubernetes, the order of policies does not matter.

By default, when no policies are set, communication between pods is allowed and they can freely exchange data. Once you start creating policies, every pod affected by at least one of them becomes isolated according to the disjunction (logical OR) of all the policies that selected it. Pods not affected by any policy remain fully open.

You can change this behavior with a deny rule.

Deny rule ("Deny")

Firewall policies usually deny any traffic that is not explicitly allowed.

There is no deny action in Kubernetes; however, the same effect can be achieved with a regular (allow) policy by selecting an empty set of source pods (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress

This policy selects all pods in the namespace and leaves ingress undefined, denying all incoming traffic.

In the same way, you can restrict all outgoing traffic from a namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress

Note that any additional policies allowing traffic to pods in the namespace take precedence over this rule (which is equivalent to adding an allow rule before a deny rule in a firewall configuration).

Allow all (Any-Any-Any-Allow)

To create an Allow All policy, you need to supplement the Deny policy above with an empty ingress element:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress

It allows access from all pods in all namespaces (and from all IPs) to any pod in the default namespace. This behavior is enabled by default, so it usually does not need to be defined again. However, sometimes you may need to temporarily disable some permissions to diagnose a problem.

The rule can be narrowed to allow access only to a specific set of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress: 
  - {}
  policyTypes:
  - Ingress

The following policy allows all ingress and egress traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress

Combining multiple policies

Policies are combined with logical OR at three levels; each pod's permissions are the disjunction of all the policies that affect it:

1. In the from and to fields, three kinds of elements can be defined (all combined with OR):

  • namespaceSelector - selects an entire namespace;
  • podSelector - selects pods;
  • ipBlock - selects a subnet.

Moreover, the number of elements (even identical ones) in the from/to clauses is unlimited. All of them are combined with logical OR.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

2. Within the ingress section of a policy there can be multiple from elements (combined with logical OR). Similarly, the egress section can include multiple to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

3. Separate policies are also combined with logical OR.

But when combining them, there is one limitation, pointed out by Chris Cooney: Kubernetes can only combine policies with different policyTypes (Ingress or Egress). Policies that define ingress (or egress) will overwrite one another.

Relationships between namespaces

By default, exchanging data between namespaces is allowed. This can be changed with a deny policy that restricts outgoing and/or incoming traffic for a namespace (see "Deny rule" above).

Once you have blocked access to a namespace (see "Deny rule" above), you can make an exception to the deny policy by allowing connections from a specific namespace with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress

As a result, all pods in the default namespace can reach the postgres pods in the database namespace. But what if you want to open access to postgres only for specific pods in the default namespace?

Filter by namespaces AND pods

Kubernetes version 1.11 and above lets you combine the namespaceSelector and podSelector operators with logical AND. It looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Why is this interpreted as AND rather than the usual OR?

Note that podSelector does not start with a hyphen. In YAML this means that podSelector and the namespaceSelector above it belong to the same list item. Therefore, they are combined with logical AND.

Adding a hyphen in front of podSelector would create a new list item, which would be combined with the preceding namespaceSelector using logical OR.

To select pods with a specific label across all namespaces, specify an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Multiple labels are combined with AND

Firewall rules with multiple objects (hosts, networks, groups) are combined with logical OR. The following rule applies if the packet's source matches Host_1 OR Host_2:

| Source         | Destination | Service | Action |
|----------------|-------------|---------|--------|
| Host_1, Host_2 | Subnet_A    | HTTPS   | Allow  |

In contrast, in Kubernetes the various labels in a podSelector or namespaceSelector are combined with logical AND. For example, the following rule selects pods that carry both labels, role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to all kinds of selectors: policy target selectors, pod selectors, and namespace selectors.

Subnets and IP addresses (ipBlocks)

Firewalls use VLANs, IP addresses, and subnets to segment a network.

In Kubernetes, IP addresses are assigned to pods automatically and can change at any time, so labels are used to select pods and namespaces in network policies.

Subnets (ipBlocks) are used to control incoming (ingress) or outgoing (egress) external (north-south) connections. For example, this policy lets all pods in the default namespace reach the Google DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53

The empty pod selector in this example means "select all pods in the namespace."

This policy allows access only to 8.8.8.8; access to any other IP is not allowed. So, in effect, you have blocked access to the internal Kubernetes DNS service. If you still want to allow it, say so explicitly.

Usually ipBlocks and podSelectors are not interchangeable, since internal pod IP addresses are not used in ipBlocks. By specifying internal pod IPs, you would in fact allow connections to/from the pods holding those addresses. In practice, you will not know which IP address to use, which is why they should not be used to select pods.

As a counterexample, the following policy covers all IPs and therefore allows access to all other pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

You can open access to external IPs only, excluding the internal pod IP addresses. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14

Ports and protocols

Pods usually listen on a single port. This means you could simply leave port numbers out of policies and keep the defaults. However, it is recommended to make policies as restrictive as possible, so in some cases you may still want to specify ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
      - port: 443      # <<<
        protocol: TCP  # <<<
      - port: 80       # <<<
        protocol: TCP  # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Note that the ports selector applies to all elements in the to or from block that contains it. To specify different ports for different sets of elements, split ingress or egress into several clauses with their own to or from and list the ports in each:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
     - port: 443       # <<<
       protocol: TCP   # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
     - port: 80        # <<<
       protocol: TCP   # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Default port behavior:

  • If you omit the port definition entirely (ports), this means all protocols and all ports;
  • If you omit the protocol (protocol), this means TCP;
  • If you omit the port number (port), this means all ports.

Best practice: do not rely on the defaults; specify explicitly what you need.

Note that you must use pod ports, not service ports (more on this in the next section).

Are policies defined for pods or for services?

Pods in Kubernetes are usually reached through a service - a virtual load balancer that forwards traffic to the pods implementing the service. You might think that network policies control access to services, but that is not the case. Kubernetes network policies operate on pod ports, not service ports.

For example, if a service listens on port 80 but forwards traffic to port 8080 on its pods, you must specify exactly 8080 in the network policy.

Such a mechanism should be considered suboptimal: if the internal structure of the service (the ports the pods listen on) changes, the network policies will have to be updated.

A newer architectural approach using a Service Mesh (for example Istio, see below - translator's note) lets you deal with this problem.

Do you need to configure both Ingress and Egress?

The short answer is yes: for pod A to communicate with pod B, it must be allowed to open an outgoing connection (for this you need to configure an egress policy), and pod B must be able to accept an incoming connection (for this, correspondingly, you need an ingress policy).

In practice, however, you can rely on the default policy to allow communication in one or both directions.

If a source pod is selected by one or more egress policies, the restrictions imposed on it are determined by their disjunction. In that case, you will need to explicitly allow the connection to the destination pod. If a pod is not selected by any policy, its outgoing (egress) traffic is allowed by default.

Similarly, the fate of a destination pod selected by one or more ingress policies is determined by their disjunction. In that case, you must explicitly allow it to receive traffic from the source pod. If a pod is not selected by any policy, all of its incoming traffic is allowed by default.

See "Stateful or stateless?" below.
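The evaluation model spread over the previous sections (the deny rule, OR across policies, rules and from/to entries, AND between a namespaceSelector and a podSelector in one entry and between the labels of one selector, ipBlock with except, pod ports, and the requirement that both the source's egress and the destination's ingress allow a connection) can be checked offline with a small simulator. The following is an added example, not code from the article, from Tufin Orca or from Kubernetes itself; the pods, namespaces, addresses and policies are constructed for the example, and the functions are this example's own rather than any library's API. It follows the semantics described in the text and goes slightly beyond it by also applying the policyTypes default when the field is omitted.

```python
"""Added example, not from the original article: a small simulator of the
NetworkPolicy evaluation model the text describes (default allow for a pod no
policy selects; OR across policies, rules and from/to entries; AND between a
namespaceSelector and podSelector written in one entry and between the labels
of one selector; ipBlock with except; pod ports with the documented defaults;
and egress of the source AND ingress of the destination). All data is constructed."""
import ipaddress
from collections import namedtuple

# namespace=None marks an endpoint outside the cluster (matched only by ipBlock).
Pod = namedtuple("Pod", "name namespace labels ip")


def labels_match(selector, labels):
    """matchLabels: every listed label must be present (AND); {} or missing selects all."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def peer_matches(peer, pod, namespaces, policy_ns):
    """One from/to entry: ipBlock is checked by address; otherwise a namespaceSelector
    and podSelector in the same entry are ANDed, and a podSelector alone is limited
    to the policy's own namespace."""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(pod.ip), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
    if pod.namespace is None:
        return False
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], namespaces[pod.namespace]):
            return False
    elif pod.namespace != policy_ns:
        return False
    return labels_match(peer.get("podSelector"), pod.labels)


def ports_match(ports, protocol, port):
    """ports omitted = all protocols and ports; protocol omitted = TCP; port omitted = any."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port for p in ports)


def direction_allowed(policies, namespaces, target, other, direction, protocol, port):
    """OR every policy that selects `target` for `direction`; if none does, the pod
    is not isolated in that direction and the traffic is allowed."""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = allowed = False
    for pol in policies:
        spec, ns = pol["spec"], pol["metadata"]["namespace"]
        if ns != target.namespace or not labels_match(spec["podSelector"], target.labels):
            continue
        # policyTypes default: Ingress always, Egress only if an egress section exists
        types = spec.get("policyTypes", ["Ingress"] + (["Egress"] if "egress" in spec else []))
        if direction not in types:
            continue
        isolated = True
        for rule in spec.get(rules_key) or []:  # rules are ORed; an empty {} rule allows all
            peers = rule.get(peers_key)         # missing or empty from/to = any peer
            if ports_match(rule.get("ports"), protocol, port) and (
                    not peers or any(peer_matches(p, other, namespaces, ns) for p in peers)):
                allowed = True
    return allowed or not isolated


def connection_allowed(policies, namespaces, src, dst, protocol="TCP", port=None):
    """src -> dst works only if src's egress AND dst's ingress both allow it."""
    return (direction_allowed(policies, namespaces, src, dst, "Egress", protocol, port)
            and direction_allowed(policies, namespaces, dst, src, "Ingress", protocol, port))


# --- constructed cluster state (names and addresses invented for this example) ---
NAMESPACES = {"default": {"namespace": "default"}, "database": {"namespace": "database"},
              "kube-system": {"namespace": "kube-system"}, "edge": {}}
BALANCE = Pod("balance", "default", {"app": "balance"}, "10.16.1.10")
ADMIN = Pod("admin", "default", {"app": "admin"}, "10.16.1.11")
POSTGRES = Pod("postgres", "database", {"app": "postgres"}, "10.16.2.20")
COREDNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"}, "10.16.0.5")
PROXY = Pod("proxy", "edge", {"app": "proxy"}, "10.16.3.30")
GOOGLE_DNS = Pod("8.8.8.8", None, {}, "8.8.8.8")  # outside the cluster


def policy(name, namespace, spec):
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}


POLICIES = [
    # Only admin pods in default (namespace AND pod selector) may reach postgres, on pod port 5432.
    policy("database.postgres", "database", {
        "podSelector": {"matchLabels": {"app": "postgres"}}, "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"namespace": "default"}},
                               "podSelector": {"matchLabels": {"app": "admin"}}}],
                     "ports": [{"protocol": "TCP", "port": 5432}]}]}),
    # Every pod in default may send DNS to kube-system; nothing else leaves the namespace.
    policy("default.dns", "default", {
        "podSelector": {}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"namespace": "kube-system"}}}],
                    "ports": [{"protocol": "UDP", "port": 53}]}]}),
    # Admin pods additionally get egress to postgres; this ORs with default.dns.
    policy("default.admin", "default", {
        "podSelector": {"matchLabels": {"app": "admin"}}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"namespace": "database"}},
                            "podSelector": {"matchLabels": {"app": "postgres"}}}]}]}),
    # Proxy pods may reach any external IP but not the pod subnet.
    policy("edge.proxy", "edge", {
        "podSelector": {"matchLabels": {"app": "proxy"}}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.16.0.0/14"]}}]}]}),
]


def check(src, dst, protocol="TCP", port=None):
    """Convenience wrapper over the constructed cluster state above."""
    return connection_allowed(POLICIES, NAMESPACES, src, dst, protocol, port)
```

Calling check(ADMIN, POSTGRES, "TCP", 5432) answers True while check(BALANCE, POSTGRES, "TCP", 5432) answers False: balance is isolated for egress by default.dns and nothing ORs in a route to postgres. check(ADMIN, POSTGRES, "TCP", 80) is False because the ingress rule names pod port 5432 only, and check(POSTGRES, ADMIN, "TCP", 8080) is True because no policy governs egress for postgres or ingress for admin, so both sides stay open in those directions. The two DNS checks show why the text insists on DNS egress: balance can reach coredns in kube-system but not 8.8.8.8, whereas the proxy pod can reach 8.8.8.8 but not the pod subnet excluded by except.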

Logs

Kubernetes network policies cannot log traffic. This makes it hard to determine whether a policy works as intended and greatly complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not let you specify a fully qualified domain name (DNS) in egress sections. This is a considerable inconvenience when trying to restrict traffic to external destinations that do not have a fixed IP address (such as aws.com).

Policy validation

A firewall will warn you about, or refuse to accept, an invalid policy. Kubernetes also performs some validation. When you submit a network policy with kubectl, Kubernetes may declare it invalid and refuse to accept it. In other cases, Kubernetes accepts the policy and fills in the missing details. You can see them with the command:

kubectl get networkpolicy <policy-name> -o yaml

Keep in mind that Kubernetes validation is not infallible and may miss some kinds of errors.

Enforcement

Kubernetes does not enforce network policies itself; it is merely an API gateway that hands the enforcement burden to an underlying system called the Container Networking Interface (CNI). Setting policies on a Kubernetes cluster without providing a suitable CNI is like creating policies on a firewall management server without installing them on the firewalls. It is up to you to make sure you have a capable CNI or, in the case of cloud-hosted Kubernetes platforms (a list of providers can be found here - translator's note), to enable network policies, which will configure the CNI for you.

Note that Kubernetes will not warn you if you set a network policy without a suitable CNI in place.

Stateful or stateless?

All Kubernetes CNIs I have encountered are stateful (for example, Calico uses Linux conntrack). This allows a pod to receive responses on a TCP connection it initiated without having to re-establish it. However, I am not aware of a Kubernetes standard that guarantees statefulness.

Advanced security policy management

Here are some ways to improve the use of security policies in Kubernetes:

  1. The Service Mesh architectural pattern uses sidecar containers to provide detailed telemetry and traffic control at the service level. Istio can serve as an example.
  2. Some CNI vendors have extended their tools beyond Kubernetes network policies.
  3. Tufin Orca provides visibility into, and automation of, Kubernetes network policies.

The Tufin Orca package manages Kubernetes network policies (and is the source of the screenshots above).

Conclusion

Kubernetes network policies offer a good set of tools for cluster segmentation, but they are not intuitive and have many subtleties. Because of this complexity, I believe that many existing cluster policies are flawed. Possible solutions to this problem include automated policy definitions or the use of other segmentation tools.

I hope this guide helps clarify some questions and resolve problems you may encounter.

Source: www.habr.com