K8S namespace calico network policy

Submitted by 杀马特。学长 韩版系。学妹 on 2020-12-19 07:47:53

Configure namespaces

This guide will deploy pods in a Kubernetes namespace. Let’s create the Namespace object for this guide.

kubectl create ns policy-demo

Create demo pods

We’ll use Kubernetes Deployment objects to easily create pods in the namespace.

  1. Create some nginx pods in the policy-demo namespace.

    kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx
  2. Expose them through a service.

    kubectl expose --namespace=policy-demo deployment nginx --port=80
  3. Ensure the nginx service is accessible.

    kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh

    This should open up a shell session inside the access pod, as shown below.

    Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

    If you don't see a command prompt, try pressing enter.

    / #
  4. From inside the access pod, attempt to reach the nginx service.

    wget -q nginx -O -

    You should see a response from nginx. Great! Our service is accessible. You can exit the pod now.


Enable isolation

Let’s turn on isolation in our policy-demo namespace. Calico will then prevent connections to pods in this namespace.

Running the following command creates a NetworkPolicy that implements a default deny behavior for all pods in the policy-demo namespace (the empty podSelector selects every pod in the namespace, and the policy declares no ingress rules).

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
  namespace: policy-demo
spec:
  podSelector:
    matchLabels: {}
EOF

Test Isolation

This will prevent all access to the nginx service. We can see the effect by trying to access the service again.

kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh

This should open up a shell session inside the access pod, as shown below.

Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ #

Now from within the busybox access pod execute the following command to test access to the nginx service.

wget -q --timeout=5 nginx -O -

The request should time out after 5 seconds.

wget: download timed out
/ #

By enabling isolation on the namespace, we’ve prevented access to the service.

Allow access using a network policy

Now, let’s enable access to the nginx service using a NetworkPolicy. This will allow incoming connections from our access pod, but not from anywhere else.

Create a network policy access-nginx with the following contents:

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
  namespace: policy-demo
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
    - from:
        - podSelector:
            matchLabels:
              run: access
EOF

Note: The NetworkPolicy allows traffic from Pods with the label run: access to Pods with the label run: nginx. These are the labels automatically added to Pods started via kubectl run based on the name of the Deployment.

We should now be able to access the service from the access pod.

kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh

This should open up a shell session inside the access pod, as shown below.

Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ #

Now from within the busybox access pod execute the following command to test access to the nginx service.

wget -q --timeout=5 nginx -O -

This time you should see a response from nginx again, because the access-nginx policy admits traffic from pods labelled run: access.

However, we still cannot access the service from a pod without the label run: access. We can verify this as follows.

kubectl run --namespace=policy-demo cant-access --rm -ti --image busybox /bin/sh

This should open up a shell session inside the cant-access pod, as shown below.

Waiting for pod policy-demo/cant-access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ #

Now from within the busybox cant-access pod execute the following command to test access to the nginx service.

wget -q --timeout=5 nginx -O -

The request should time out.

wget: download timed out
/ #
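To make the selector semantics behind the three tests above concrete, here is a small added Python model of NetworkPolicy ingress evaluation. It is not part of the tutorial or of Calico; it encodes the two rules the tutorial relies on: a pod becomes isolated as soon as any policy in its namespace selects it (the empty matchLabels of default-deny selects every pod), and policies are additive, so access-nginx reopens exactly the path from run: access pods. The pods and manifests are constructed to mirror the tutorial, and one extra case goes beyond the page: a run: access pod in a different namespace, which a bare podSelector peer does not match.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress rules.

Added example, not code from the tutorial or from the Calico project.
Only podSelector peers are modelled (no namespaceSelector, ipBlock or ports),
which is all the tutorial's manifests use.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


def selector_matches(match_labels: dict, labels: dict) -> bool:
    """matchLabels is an AND over key/value pairs; {} matches every pod."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def ingress_allowed(src: Pod, dst: Pod, manifests: list) -> bool:
    """True if src may open a connection to dst under the given policy manifests.

    manifests are dicts shaped like the YAML documents in the tutorial.
    """
    # Policies that select dst: if there are none, dst is not isolated and
    # Kubernetes falls back to its default of allowing all traffic.
    selecting = [
        m for m in manifests
        if m["metadata"]["namespace"] == dst.namespace
        and selector_matches(m["spec"]["podSelector"].get("matchLabels", {}), dst.labels)
    ]
    if not selecting:
        return True

    # dst is isolated: traffic is allowed only if some selecting policy's
    # ingress rule admits it. Rules across policies are OR'ed (additive).
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from") or []
            if not peers:
                return True  # a rule without 'from' allows all sources
            for peer in peers:
                sel = peer.get("podSelector")
                if sel is None:
                    continue  # other peer kinds are not modelled here
                # A bare podSelector peer only matches pods in the policy's own namespace.
                if (src.namespace == policy["metadata"]["namespace"]
                        and selector_matches(sel.get("matchLabels", {}), src.labels)):
                    return True
    return False


# Constructed to mirror the tutorial's objects.
NS = "policy-demo"
nginx = Pod("nginx", NS, {"run": "nginx"})
access = Pod("access", NS, {"run": "access"})
cant_access = Pod("cant-access", NS, {"run": "cant-access"})
foreign_access = Pod("access", "other-ns", {"run": "access"})  # hypothetical extra case

DEFAULT_DENY = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": NS},
    "spec": {"podSelector": {"matchLabels": {}}},
}
ACCESS_NGINX = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "access-nginx", "namespace": NS},
    "spec": {
        "podSelector": {"matchLabels": {"run": "nginx"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "access"}}}]}],
    },
}


def tutorial_steps() -> dict:
    """Replay the tutorial's tests in order and report each outcome."""
    return {
        "before_isolation": ingress_allowed(access, nginx, []),
        "after_default_deny": ingress_allowed(access, nginx, [DEFAULT_DENY]),
        "access_after_allow": ingress_allowed(access, nginx, [DEFAULT_DENY, ACCESS_NGINX]),
        "cant_access_after_allow": ingress_allowed(cant_access, nginx, [DEFAULT_DENY, ACCESS_NGINX]),
        "other_namespace_after_allow": ingress_allowed(foreign_access, nginx, [DEFAULT_DENY, ACCESS_NGINX]),
    }


if __name__ == "__main__":
    for step, allowed in tutorial_steps().items():
        print(f"{step:30s} {'reachable' if allowed else 'timed out'}")
```

The last case is the check worth remembering when reviewing a policy like access-nginx: a `from` entry with only a podSelector is scoped to the policy's own namespace, so granting access to a label does not grant it to every namespace that happens to use that label; a namespaceSelector would be needed for that.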

You can clean up the demo by deleting the demo namespace.

kubectl delete ns policy-demo

This was just a simple example of the Kubernetes NetworkPolicy API and how Calico can secure your Kubernetes cluster. For more information on network policy in Kubernetes, see the Kubernetes user-guide.

For a slightly more detailed demonstration of policy, check out the stars demo: https://docs.projectcalico.org/v3.6/security/stars-policy/


