除非重新启动网络插件守护程序集,否则不会强制执行 Kubernetes 网络策略。为什么?

除非重新启动网络插件守护程序集,否则不会强制执行 Kubernetes 网络策略。为什么?

我在 prod 命名空间中的集群中只有一个网络策略,该策略仅允许入口规则。网络插件是 weave-net。没有为 Egress 配置任何规则,因此我预计出口流量将被阻止。但直到我重新启动网络守护程序集 pod,该规则才生效。我知道根据最佳实践,我应该有默认的入口和出口规则。但我想了解这种行为的原因。重新启动网络插件 pod 是否始终需要此步骤?

1. 网络策略定义

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: prod
spec:
  ingress:
  - {}
  podSelector:
    matchLabels:
      run: prod-nginx
  policyTypes:
  - Ingress
  - Egress

2. 检查 netpol 对象

Name:         test-network-policy
Namespace:    prod
Created on:   2021-06-06 10:16:50 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     run=prod-nginx
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From: <any> (traffic not restricted by source)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress

3. 测试到 nginx 服务器的出口流量(这在我的理解中是出乎意料的)

笔记:10.39.0.5 是在 'test' 命名空间中运行的 nginx 服务器的 IP

Command : kubectl -n prod exec -it prod-nginx -- curl http://10.39.0.5 | grep successfully #egress
Response: <p>If you see this page, the nginx web server is successfully installed and

4. 重启 weave-net pods

5. 重新测试与同一 nginx 服务器的出口连接(预期)

笔记:10.39.0.5 是在 'test' 命名空间中运行的 nginx 服务器的 IP

Command: kubectl -n prod exec -it prod-nginx -- curl http://10.39.0.5 | grep successfully #egress**
Response: No connection

答案1

我想向您展示,weave-net无需重新启动 Pod 即可NetworkPolicy生效。

您的test-network-policy NetworkPolicy标签应用于命名空间run=prod-nginx中的Pod prod,并允许所有入口流量并拒绝所有出口流量。

我将创建一个示例来说明它是如何工作的。


首先,我创建了prod-nginx& prod-testPods 并在没有部署的情况下测试了连接性NetworkPolicy

# kubectl run prod-nginx --image=nginx -n prod
pod/prod-nginx created

# kubectl run prod-test --image=nginx -n prod
pod/prod-test created
    
# kubectl get pod -o wide -n prod
NAME         READY   STATUS    RESTARTS   AGE   IP          LABELS
prod-nginx   1/1     Running   0          37s   10.44.0.1   run=prod-nginx
prod-test    1/1     Running   0          11s   10.44.0.2   run=prod-test

# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.1 | grep -i success
<p>If you see this page, the nginx web server is successfully installed and

# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.2 | grep -i success
<p>If you see this page, the nginx web server is successfully installed and

一切正常,所以让我们部署test-network-policy NetworkPolicy并再次测试:

# cat netpol.yml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: prod
spec:
  ingress:
  - {}
  podSelector:
    matchLabels:
      run: prod-nginx
  policyTypes:
  - Ingress
  - Egress
  
# kubectl apply -f netpol.yml 
networkpolicy.networking.k8s.io/test-network-policy created

我们可以看到该prod-nginxPod无法连接到其他Pod但是可以连接到自身:
笔记:Pod 不能阻止对其自身的访问(参见:网络策略文檔

# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.1 | grep -i success
<p>If you see this page, the nginx web server is successfully installed and
   
# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.2 | grep -i success
command terminated with exit code 7

现在让我们stage-nginx在命名空间中创建一个 Pod stage,并检查该prod-nginxPod 是否可以连接到它:

# kubectl run stage-nginx --image=nginx -n stage
pod/stage-nginx created

# kubectl get pod -o wide -n stage
NAME          READY   STATUS    RESTARTS   AGE   IP          
stage-nginx   1/1     Running   0          20s   10.44.0.6   

# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.6 | grep -i success
command terminated with exit code 7

我们已经验证出口规则正常工作,并且weave-net不需要重新启动 Pod。

相关内容