2025-03-29 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
This article introduces canal-based network policy for Kubernetes (k8s) running on Docker. It has some reference value; interested readers can refer to it, and I hope you gain a lot from reading it. Let's take a look.
Prerequisites
1. The kubelet must be configured to use a CNI network plug-in (--network-plugin=cni; newer versions default to CNI).
2. kube-proxy must run in iptables mode, not in ipvs mode.
3. kube-proxy must not be started with --masquerade-all, because that conflicts with Calico policy.
4. The Kubernetes version must be at least v1.3.0.
Deploy canal
1. Apply the RBAC manifest:
[root@master]# kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
2. Apply the canal manifest:
[root@master]# kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/canal.yaml
3. Check that the canal pods are running:
[root@master]# kubectl get pods -n kube-system -o wide
NAME          READY   STATUS    RESTARTS   AGE   IP             NODE
canal-7q4k7   3/3     Running   0          4m    172.16.1.101   node1
canal-dk2tc   3/3     Running   0          4m    172.16.1.102   node2
canal-zr8l4   3/3     Running   0          4m    172.16.1.100   master
Each canal pod has three containers (READY 3/3), and the three containers serve different functions.
Key terms used in a NetworkPolicy:
Egress: outbound; the pod acts as a client and accesses others.
Ingress: inbound; the pod is the target and others access it.
In general, the client port is random and the server port is fixed.
NetworkPolicy: controls which pods may communicate with peers inside or outside the namespace.
podSelector: selects the pods the policy applies to.
policyTypes: controls whether the Ingress rules, the Egress rules, or both take effect.
Examples
Create two namespaces, one for development (testing) and one for production:
[root@master ~]# kubectl create namespace dev
namespace/dev created
[root@master ~]# kubectl create namespace prod
namespace/prod created
Establish a network policy:
[root@master ~]# mkdir networkpolicy
[root@master ~]# cd networkpolicy/
[root@master networkpolicy]# vim ingress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}      # empty pod selector: select all pods, i.e. control the entire namespace
  policyTypes:
  - Ingress            # the policy only applies to ingress; because podSelector is empty and no
                       # ingress rule is given, all ingress is denied by default
                       # egress is not listed here, so egress allows all by default
[root@master networkpolicy]# kubectl apply -f ingress-def.yaml -n dev    # -n selects the namespace
networkpolicy.networking.k8s.io/deny-all-ingress created
[root@master networkpolicy]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
deny-all-ingress   <none>         1m
Create a container and put it in the dev namespace:
[root@master networkpolicy]# cat pod-a.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
[root@master networkpolicy]# kubectl apply -f pod-a.yaml -n dev
pod/pod1 created
[root@master networkpolicy]# kubectl get pods -n dev -o wide
NAME   READY   STATUS    RESTARTS   AGE   IP           NODE
pod1   1/1     Running   0          1m    10.244.2.2   node2
[root@master networkpolicy]# curl 10.244.2.2    # hangs: the pod in the dev namespace cannot be reached from the host
The pod at 10.244.2.2 in the dev namespace cannot be accessed because the deny-all-ingress network policy in that namespace rejects all inbound requests.
Next, let's create a pod in the prod namespace:
[root@master networkpolicy]# kubectl apply -f pod-a.yaml -n prod
pod/pod1 created
[root@master networkpolicy]# kubectl get pods -n prod -o wide
NAME   READY   STATUS    RESTARTS   AGE   IP           NODE
pod1   1/1     Running   0          1m    10.244.2.3   node2
[root@master networkpolicy]# curl 10.244.2.3    # the pod in the prod namespace can be accessed from the host
Hello MyApp | Version: V1 | Pod Name
Now change the policy in dev so that it allows all inbound traffic:
[root@master networkpolicy]# cat ingress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}      # empty pod selector: select all pods, i.e. control the entire namespace
  ingress:
  - {}                 # an empty rule allows all inbound access
  policyTypes:
  - Ingress            # only valid for ingress
                       # egress is not listed here, so egress allows all by default
[root@master networkpolicy]# kubectl apply -f ingress-def.yaml -n dev
networkpolicy.networking.k8s.io/deny-all-ingress configured
[root@master networkpolicy]# curl 10.244.2.2    # now the pod in the dev namespace can be accessed from the host
Hello MyApp | Version: V1 | Pod Name
Next, we will revert to the original network policy, that is, deny all inbound requests:
[root@master networkpolicy]# cat ingress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}      # empty pod selector: select all pods, i.e. control the entire namespace
  policyTypes:
  - Ingress            # only valid for ingress
                       # egress is not listed here, so egress allows all by default
[root@master networkpolicy]# kubectl apply -f ingress-def.yaml -n dev
networkpolicy.networking.k8s.io/deny-all-ingress unchanged
[root@master networkpolicy]# curl 10.244.2.2    # hangs again: the pod in dev cannot be accessed from the host
Let's label the pod1 in the dev namespace as app=myapp.
[root@master networkpolicy]# kubectl label pods pod1 app=myapp -n dev
pod/pod1 labeled
[root@master networkpolicy]# cat allow-netpol-demo.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-myapp-ingress
spec:
  podSelector:
    matchLabels:
      app: myapp
  ingress:                      # inbound rules
  - from:
    - ipBlock:
        cidr: 10.244.0.0/16     # allow inbound from this network segment
        except:
        - 10.244.1.2/32         # but exclude this address
    ports:
    - protocol: TCP
      port: 80
[root@master networkpolicy]# kubectl apply -f allow-netpol-demo.yaml -n dev
networkpolicy.networking.k8s.io/allow-myapp-ingress created
[root@master networkpolicy]# kubectl get netpol -n dev
NAME                  POD-SELECTOR   AGE
allow-myapp-ingress   app=myapp      1m
deny-all-ingress      <none>         5h
[root@master networkpolicy]# curl 10.244.2.2    # after adding allow-myapp-ingress, the pod in dev is reachable immediately
Hello MyApp | Version: V1 | Pod Name
Above we introduced the ingress inbound rules, and below we introduce the egress outbound rules.
[root@master networkpolicy]# cat egress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
spec:
  podSelector: {}      # empty pod selector: select all pods, i.e. control the entire namespace
  policyTypes:
  - Egress             # only applies to egress
[root@master networkpolicy]# kubectl apply -f egress-def.yaml -n prod
networkpolicy.networking.k8s.io/deny-all-egress created
[root@master ~]# kubectl get pods -n kube-system -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP             NODE
canal-7q4k7                      3/3     Running   0          6h    172.16.1.101   node1
canal-dk2tc                      3/3     Running   0          6h    172.16.1.102   node2
canal-zr8l4                      3/3     Running   0          6h    172.16.1.100   master
coredns-78fcdf6894-2l2cf         1/1     Running   18         24d   10.244.0.46    master
coredns-78fcdf6894-dkkfq         1/1     Running   17         24d   10.244.0.45    master
etcd-master                      1/1     Running   18         24d   172.16.1.100   master
kube-apiserver-master            1/1     Running   19         24d   172.16.1.100   master
kube-controller-manager-master   1/1     Running   18         24d   172.16.1.100   master
[root@master networkpolicy]# kubectl get pods -n prod
NAME   READY   STATUS    RESTARTS   AGE
pod1   1/1     Running   0          1h
[root@master networkpolicy]# kubectl exec pod1 -it -n prod -- /bin/sh
/ # ping 10.244.0.45    # pinging a container in another namespace is rejected: the deny-all-egress
                        # network policy denies all egress traffic from the container
PING 10.244.0.45 (10.244.0.45): 56 data bytes
Now change the policy so that all egress is allowed:
[root@master networkpolicy]# cat egress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
spec:
  podSelector: {}      # empty pod selector: select all pods, i.e. control the entire namespace
  egress:
  - {}                 # an empty rule allows all egress (outbound) traffic
  policyTypes:
  - Egress             # only valid for egress
[root@master networkpolicy]# kubectl apply -f egress-def.yaml -n prod
[root@master networkpolicy]# kubectl exec pod1 -it -n prod -- /bin/sh    # after the change, the container can ping the external container
/ # ping 10.244.0.45
PING 10.244.0.45 (10.244.0.45): 56 data bytes
64 bytes from 10.244.0.45: seq=0 ttl=62 time=0.227 ms
64 bytes from 10.244.0.45: seq=1 ttl=62 time=0.284 ms
To be more secure, we can make each namespace deny all inbound and all outbound traffic by default and then allow what is needed separately. That creates a problem, however: the pods within a namespace can no longer communicate with each other. So also add a policy that allows the pods in the namespace to communicate with one another (allow all outbound traffic whose targets are pods in the same namespace, and the matching inbound), but not with other namespaces.
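As an added example (not from the original article), this is one way to write the combined policy just described: a default deny in both directions for every pod in a namespace, plus a second policy that allows traffic only between pods of that same namespace. The file name and the namespace prod in the comment are assumptions.

```yaml
# Added example: default-deny in both directions, then allow only intra-namespace traffic.
# Apply with: kubectl apply -f intra-ns-only.yaml -n prod   (file and namespace names are assumptions)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-both-directions
spec:
  podSelector: {}          # every pod in the namespace
  policyTypes:             # listing both types with no rules denies all ingress AND all egress
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}          # again applies to every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}      # a podSelector without a namespaceSelector matches only pods in this namespace
  egress:
  - to:
    - podSelector: {}      # likewise, egress is allowed only to pods of this namespace
```

NetworkPolicy rules are additive, so the allow-lists in the second policy punch holes in the first policy's deny-all while everything else, including other namespaces, stays denied. With egress denied, the pods also lose DNS resolution (kube-dns runs in kube-system), so in practice an egress rule to the DNS pods on port 53 is added as well.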
© 2024 shulou.com SLNews company. All rights reserved.