
K8s Calico network policy

2025-03-30 Update. Source: SLTechnology News&Howtos (Shulou), Servers section.

Shulou(Shulou.com)06/02 Report--

Common CNI network plug-ins include the following:

Flannel: an overlay-network plug-in for Kubernetes. Its original backend uses a TUN device and UDP to encapsulate IP packets between hosts (the VXLAN and host-gw backends are the usual choices today); etcd or the Kubernetes API stores the subnet allocation. Disadvantage: Flannel does not implement NetworkPolicy, so it provides no network access control on its own.

Calico: a BGP-based Layer 3 network plug-in that also implements NetworkPolicy for network access control. It runs a virtual router (BIRD) on each host, forwards packets with the Linux kernel's routing table, and enforces policy with iptables. In effect, Calico turns every host into a router that connects the pod networks and provides cross-host communication without encapsulation.

Canal: a combination of Flannel for networking and Calico for policy enforcement, published jointly by the two projects; it provides the CNI plug-in and NetworkPolicy support in a single install.

Others include Weave Net, Contiv, OpenContrail, Romana, NSX-T and kube-router. Flannel and Calico are currently the most popular choices.

1. Deny all

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: cs1        # applies to the cs1 namespace; without a namespace field the policy lands in the namespace kubectl is currently using
spec:
  podSelector: {}       # empty selector: every pod in the namespace
  ingress:              # no ingress rules listed: all inbound traffic to the selected pods is denied
  egress:               # no egress rules listed: all outbound traffic from the selected pods is denied
  policyTypes:
  - Egress              # a direction listed here is governed by this policy's rules
  - Ingress             # a direction not listed here is left untouched (default allow)
```

Despite its name, this policy denies both directions, because both are listed in policyTypes and neither has a rule. It is recommended to always list both directions in policyTypes and to use podSelector to control which pods are affected.

2. Allow all

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
  namespace: cs1
spec:
  podSelector: {}
  ingress:
  - {}                  # one empty rule matches all traffic: all inbound traffic is allowed
  egress:
  - {}                  # all outbound traffic is allowed
  policyTypes:
  - Egress
  - Ingress
```

A NetworkPolicy only restricts traffic to and from the pods of its namespace; the host (the node the pod runs on) can still reach the pods. Calico permits traffic from the local node to its own pods so that kubelet liveness and readiness probes keep working.

3. Scope

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default    # applies only to the default namespace
spec:
  podSelector:          # pod scope; write {} here to select every pod in the namespace
    matchLabels:
      access: "true"    # only pods labelled access=true are affected
  policyTypes:
  - Ingress
  - Egress
  ingress:              # no rules: deny all inbound to the selected pods
  egress:               # no rules: deny all outbound from the selected pods
```

4. Limit by IP

(Figure not reproduced: the IP of each cs pod. The address 192.168.94.134 used below is taken from it.)

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all        # no namespace field: applied to the current (default) namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  ingress:              # no rules: all inbound traffic is denied
  egress:
  - to:                 # egress rules use "to", ingress rules use "from"
    - ipBlock:
        cidr: 192.168.0.0/16        # allow the 192.168.0.0/16 network
        except:
        - 192.168.94.134/32         # except this single IP
```

kubectl exec into one of the pods and ping 192.168.94.134: the address is unreachable, while the rest of 192.168.0.0/16 still answers. Because the rule sets no ports, it applies to every protocol, including ICMP. Note that the selected pods also lose every other egress destination, including cluster DNS if the service IP range lies outside 192.168.0.0/16, unless a further rule allows it.

5. Restriction based on a namespace label

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-allow
  namespace: default
spec:
  policyTypes: ["Ingress"]
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: cs1     # only pods in namespaces labelled name=cs1 may reach pods in default
```

The namespace must actually carry the label name=cs1 (namespace labels are not set automatically from the name; set it with kubectl label). On Kubernetes 1.21 and later every namespace carries the label kubernetes.io/metadata.name=<name>, which can be selected instead. Note that pods in default itself are no longer allowed to reach each other, because the default namespace does not match name=cs1.

6. Restriction based on namespace labels with several values

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-allow
  namespace: default
spec:
  policyTypes: ["Ingress", "Egress"]
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: ["cs1", "cs2"]    # pods in namespaces labelled name=cs1 or name=cs2 may reach pods in default
```

Namespaces labelled name=cs1 or name=cs2 can reach the default namespace. Since Egress is listed in policyTypes but no egress rules are given, pods in default can no longer initiate any outbound connection; replies to allowed inbound connections still pass, because policy enforcement is connection-aware.

7. Restriction based on a pod label

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-allow
  namespace: default
spec:
  policyTypes: ["Ingress"]
  podSelector: {}
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"    # allow traffic from pods labelled access=true
```

A podSelector used on its own in a from entry only matches pods in the policy's own namespace (default here); pods labelled access=true in cs1 or cs2 are not matched. To admit labelled pods from another namespace, put a namespaceSelector and a podSelector together in the same from entry.

Note: the pod-label experiment failed; I don't know what the problem is.
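The following evaluator, added here as an example and not code from the page or from Calico, reproduces the NetworkPolicy semantics behind examples 1 to 7 so the results can be checked offline. The page's manifests are transcribed as Python dicts; the pods, namespaces, labels and IPs are a constructed inventory with assumed values. Ports are ignored because none of the page's rules set any (a rule without ports covers every protocol, ICMP included).

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (examples 1 to 7).

Added example, not from the page or Calico. Policies are the page's manifests as
dicts; pods, namespaces, labels and IPs below are a constructed inventory.
"""
import ipaddress

# Constructed inventory: pod -> namespace, labels, pod IP (all assumed values).
PODS = {
    "default/web":    {"ns": "default", "labels": {"app": "web"},      "ip": "192.168.10.1"},
    "default/client": {"ns": "default", "labels": {"access": "true"}, "ip": "192.168.10.2"},
    "cs1/client":     {"ns": "cs1",     "labels": {"access": "true"}, "ip": "192.168.94.134"},
    "cs2/client":     {"ns": "cs2",     "labels": {},                 "ip": "192.168.20.5"},
}
# Namespace labels; cs2 is deliberately left without name=cs2 to show the effect.
NAMESPACE_LABELS = {"default": {"name": "default"}, "cs1": {"name": "cs1"}, "cs2": {}}

# The page's policies. An ingress:/egress: key left empty in YAML is None here.
DENY_ALL_CS1 = {"metadata": {"name": "deny-all-egress", "namespace": "cs1"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress", "Ingress"], "ingress": None, "egress": None}}
ALLOW_ALL_CS1 = {"metadata": {"name": "allow-all-egress", "namespace": "cs1"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress", "Ingress"], "ingress": [{}], "egress": [{}]}}
IPBLOCK_DEFAULT = {"metadata": {"name": "deny-all"},  # no namespace: applied to default
    "spec": {"podSelector": {}, "policyTypes": ["Egress", "Ingress"], "ingress": None,
             "egress": [{"to": [{"ipBlock": {"cidr": "192.168.0.0/16", "except": ["192.168.94.134/32"]}}]}]}}
NS_LABEL_DEFAULT = {"metadata": {"name": "namespace-allow", "namespace": "default"},
    "spec": {"policyTypes": ["Ingress"], "podSelector": {},
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "cs1"}}}]}]}}
NS_EXPR_DEFAULT = {"metadata": {"name": "namespace-allow", "namespace": "default"},
    "spec": {"policyTypes": ["Ingress", "Egress"], "podSelector": {},  # Egress listed, no egress rules
             "ingress": [{"from": [{"namespaceSelector": {"matchExpressions": [
                 {"key": "name", "operator": "In", "values": ["cs1", "cs2"]}]}}]}]}}
POD_LABEL_DEFAULT = {"metadata": {"name": "namespace-allow", "namespace": "default"},
    "spec": {"policyTypes": ["Ingress"], "podSelector": {},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}]}}


def selector_matches(selector, labels):
    """Label selector: every matchLabels pair and every matchExpression must hold; {} matches all."""
    if any(labels.get(k) != v for k, v in (selector.get("matchLabels") or {}).items()):
        return False
    for e in selector.get("matchExpressions") or []:
        key, present, values = e["key"], e["key"] in labels, e.get("values") or []
        holds = {"In": present and labels[key] in values,
                 "NotIn": not present or labels[key] not in values,
                 "Exists": present, "DoesNotExist": not present}[e["operator"]]
        if not holds:
            return False
    return True


def peer_matches(peer, policy_ns, other):
    """Test one entry of a from/to list against the remote pod `other`."""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(other["ip"]), peer["ipBlock"]
        return (ip in ipaddress.ip_network(block["cidr"])
                and not any(ip in ipaddress.ip_network(x) for x in block.get("except") or []))
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(other["ns"], {})):
            return False
    elif other["ns"] != policy_ns:
        return False  # a lone podSelector only sees pods in the policy's own namespace
    return "podSelector" not in peer or selector_matches(peer["podSelector"], other["labels"])


def policy_types(spec):
    """Explicit policyTypes, else Ingress, plus Egress only when an egress section exists."""
    return set(spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else []))


def direction_allowed(policies, local, other, direction):
    """direction 'Ingress': other -> local; 'Egress': local -> other."""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p["spec"] for p in policies
                 if p["metadata"].get("namespace", "default") == local["ns"]
                 and direction in policy_types(p["spec"])
                 and selector_matches(p["spec"].get("podSelector") or {}, local["labels"])]
    if not selecting:
        return True  # no policy selects the pod for this direction: open by default
    for spec in selecting:  # policies are additive: one matching rule in any policy allows
        for rule in spec.get(rules_key) or []:  # no rules listed: nothing is allowed
            peers = rule.get(peers_key)
            if not peers or any(peer_matches(peer, local["ns"], other) for peer in peers):
                return True  # "- {}" (a rule without from/to) matches every peer
    return False


def is_allowed(policies, src_name, dst_name):
    """A flow passes only if the source's egress and the destination's ingress both allow it."""
    src, dst = PODS[src_name], PODS[dst_name]
    return (direction_allowed(policies, src, dst, "Egress")
            and direction_allowed(policies, dst, src, "Ingress"))


if __name__ == "__main__":
    # Example 7 with the labelled client in cs1: the podSelector is namespace-local, so it is denied.
    print("cs1/client -> default/web:", is_allowed([POD_LABEL_DEFAULT], "cs1/client", "default/web"))
    print("default/client -> default/web:", is_allowed([POD_LABEL_DEFAULT], "default/client", "default/web"))
```

Running it shows the two things a practitioner most often trips over on this page: a podSelector in a from entry only admits pods of the policy's own namespace, and listing a direction in policyTypes without giving it any rule (example 6's Egress, example 4's Ingress) denies that direction entirely. Real enforcement is stateful and port-aware; this model omits both, which does not change the results for the page's port-less rules.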
