An example Analysis of the Network Policy API to be introduced in K8S 1.3

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 05/31 Report

Many newcomers are unclear about the network policy API that Kubernetes 1.3 will introduce. To help with that, this article walks through an example in detail; readers who need it can follow along and hopefully take something away.

The Kubernetes Networking SIG has been meeting regularly since the end of last year to add a network policy API to Kubernetes, and has made a lot of progress.

Many users have run into a problem: Kubernetes's default open network policy (any pod can reach any other pod) is not suitable for applications that need finer-grained control over the traffic that reaches a pod or service. Today this might be a multi-tier application that only allows traffic from the adjacent tier. But as new cloud-native applications are built from microservices, the ability to control the flow of traffic between those services becomes more and more important.

The Networking SIG began by identifying the specific use cases that require network isolation to enhance security. Getting the API right for these simple use cases is important, because it is also the basis for more complex network policies and for multi-tenancy in Kubernetes.

From these scenarios, a number of possible approaches were considered and a minimal policy specification was defined. The basic idea is that once isolation is turned on for a namespace, communication to specific pods must be explicitly enabled by a policy.

The quickest way to support an API for this experiment was to expose it on the API server as a third-party resource extension (ThirdPartyResource), which Kubernetes 1.2 already supports.

If you are not familiar with this mechanism: by defining a third-party resource (ThirdPartyResource) extension, the Kubernetes API can create a new API endpoint at a specified URL.

This allows you to create an API endpoint (one per namespace):

Third-party network controllers can listen on these endpoints and respond as necessary when resources are created, modified, or deleted. Note: Kubernetes 1.3 is about to be released, and the network policy API will ship in it as a beta, so there will be no need to create the third-party resource API endpoint described above.

Network isolation is off by default, so all pods can communicate with each other as usual. The important point is that once network isolation is turned on, all traffic to pods in all namespaces will be blocked; that is, turning on isolation changes the behaviour of your pods.

Turn on network isolation by adding a network isolation annotation to the namespace, as shown in the following figure:

Once network isolation is turned on, pods can only communicate with each other where a network policy allows it.

A policy specification is applied to a namespace to define the details of the policy, as shown in the following figure:

In this example, policy 'pol1' is applied to the 'tenant-a' namespace, as shown in the figure. Specifically, pods with the segment label 'backend' will accept TCP traffic on port 80 from pods with the segment label 'frontend'.
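The figures for the annotation and for 'pol1' are not reproduced on this page, so the following is an added model of the semantics just described; it is not code from the article or from Kubernetes. The policy document is written in the shape of the extensions/v1beta1 NetworkPolicy and the net.beta.kubernetes.io/network-policy namespace annotation that Kubernetes 1.3 shipped as beta, which is an assumption about the final form; isolation is modelled per namespace, as that annotation works. The pods, labels and connections are constructed sample data.

```python
"""
Toy model of namespace isolation plus a NetworkPolicy (added example,
not article or Kubernetes code).  Object shapes follow the Kubernetes
1.3 beta API (assumption); all data below is constructed.
"""
import json

ISOLATION_ANNOTATION = "net.beta.kubernetes.io/network-policy"

# Constructed namespaces: one with ingress isolation on, one left open.
NAMESPACE_ISOLATED = {
    "metadata": {
        "name": "tenant-a",
        "annotations": {
            ISOLATION_ANNOTATION:
                json.dumps({"ingress": {"isolation": "DefaultDeny"}})
        },
    }
}
NAMESPACE_OPEN = {"metadata": {"name": "tenant-a", "annotations": {}}}

# Constructed policy 'pol1': backend pods accept TCP/80 from frontend pods.
POL1 = json.loads("""
{
  "kind": "NetworkPolicy",
  "apiVersion": "extensions/v1beta1",
  "metadata": {"name": "pol1", "namespace": "tenant-a"},
  "spec": {
    "podSelector": {"matchLabels": {"segment": "backend"}},
    "ingress": [
      {
        "from": [{"podSelector": {"matchLabels": {"segment": "frontend"}}}],
        "ports": [{"protocol": "TCP", "port": 80}]
      }
    ]
  }
}
""")


def isolation_enabled(namespace):
    """True when the namespace annotation requests DefaultDeny ingress."""
    raw = namespace["metadata"].get("annotations", {}).get(ISOLATION_ANNOTATION)
    if raw is None:
        return False
    return json.loads(raw).get("ingress", {}).get("isolation") == "DefaultDeny"


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present
    on the pod.  An empty selector matches every pod."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def rule_allows(rule, src_labels, protocol, port):
    """One ingress rule allows a connection when some 'from' peer matches the
    source pod and some 'ports' entry matches protocol/port.  An absent
    'from' means any source; an absent 'ports' means any port."""
    peers = rule.get("from")
    ports = rule.get("ports")
    peer_ok = peers is None or any(
        selector_matches(p.get("podSelector", {}), src_labels) for p in peers)
    port_ok = ports is None or any(
        p.get("protocol", "TCP") == protocol and p.get("port") == port
        for p in ports)
    return peer_ok and port_ok


def is_allowed(namespace, policies, src_labels, dst_labels, protocol, port):
    """Decide whether ingress traffic to a pod in `namespace` is permitted.

    Isolation off: everything is allowed (the pre-1.3 default behaviour).
    Isolation on : denied unless a policy that selects the destination pod
                   has an ingress rule matching the source pod and port.
    """
    if not isolation_enabled(namespace):
        return True
    for pol in policies:
        if not selector_matches(pol["spec"]["podSelector"], dst_labels):
            continue
        for rule in pol["spec"].get("ingress", []):
            if rule_allows(rule, src_labels, protocol, port):
                return True
    return False


if __name__ == "__main__":
    frontend, backend, database = ({"segment": s} for s in ("frontend", "backend", "database"))
    print(is_allowed(NAMESPACE_OPEN, [POL1], database, backend, "TCP", 443))     # True: isolation off
    print(is_allowed(NAMESPACE_ISOLATED, [POL1], frontend, backend, "TCP", 80))   # True: pol1 matches
    print(is_allowed(NAMESPACE_ISOLATED, [POL1], database, backend, "TCP", 80))   # False: wrong source
    print(is_allowed(NAMESPACE_ISOLATED, [POL1], frontend, backend, "TCP", 443))  # False: wrong port
    print(is_allowed(NAMESPACE_ISOLATED, [], frontend, backend, "TCP", 80))       # False: no policy
```

The last two cases are the ones that surprise people after turning isolation on: a port not listed in any rule, or a namespace with the annotation but no policy yet, both end up denied, which is exactly the behaviour change the text warns about.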

Romana, OpenShift, OpenContrail and Calico all now support applying network policies to namespaces and pods. Cisco and VMware are also working on implementations in this area. Romana and Calico recently demonstrated this on Kubernetes 1.2 at KubeCon. You can view their presentations here: Romana (video: https://www.youtube.com/watch?v=f-dLKtK6qCs slides: http://www.slideshare.net/RomanaProject/kubecon-london-2016-ronana-cloud-native-sdn) and Calico (video: https://www.youtube.com/watch?v=p1zfh5N4SX0 slides: http://www.slideshare.net/kubecon/kubecon-eu-2016-secure-cloudnative-networking-with-project-calico).

How does it work?

Each solution has its own implementation details. Currently they rely on enforcement mechanisms on the host, but future implementations may also enforce policy in the hypervisor, or rely directly on the network itself.

An external policy controller (implementation details vary) watches the new API endpoint for policies being created for, or applied to, pods. When an event requires the policy configuration to change, the listener notices the difference and the controller responds by configuring the interface and applying the policy. The diagram below shows how an API listener and policy controller apply network policies via the host and then respond to updates. The pods' network interfaces are configured through a CNI plugin on the host (not shown in the diagram).
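The diagram is not reproduced here, so the following is an added sketch of the listener/controller pattern described above; it is not code from the article or from any of the named projects. A controller consumes the ADDED/MODIFIED/DELETED watch events for Namespace and NetworkPolicy objects and maintains an abstract per-namespace rule table, which a host-level enforcer (iptables, a CNI plugin, and so on) would translate into real rules. The event stream and objects are constructed sample data in the Kubernetes 1.3 beta shape (an assumption about the final API).

```python
"""
Watch-event reconciliation for network policies (added example, not
article or project code).  Objects follow the 1.3 beta NetworkPolicy
shape (assumption); every event below is constructed sample data.
"""
import json
from collections import defaultdict

ISOLATION_ANNOTATION = "net.beta.kubernetes.io/network-policy"


class RuleTable:
    """Abstract state the enforcer would program, keyed by namespace."""
    def __init__(self):
        self.default_deny = set()        # namespaces with isolation on
        self.allow = defaultdict(dict)   # ns -> policy name -> compiled rules

    def rules_for(self, namespace):
        """Flat list of (dst_labels, src_labels, protocol, port) for a namespace."""
        rules = []
        for name in sorted(self.allow[namespace]):
            rules.extend(self.allow[namespace][name])
        return rules


def compile_policy(policy):
    """Expand one NetworkPolicy into flat allow tuples; labels are sorted
    tuples so the result is hashable and comparable."""
    spec = policy["spec"]
    dst = tuple(sorted(spec["podSelector"].get("matchLabels", {}).items()))
    compiled = []
    for rule in spec.get("ingress", []):
        peers = rule.get("from") or [{"podSelector": {}}]            # absent: any source
        ports = rule.get("ports") or [{"protocol": "ANY", "port": None}]  # absent: any port
        for peer in peers:
            src = tuple(sorted(peer.get("podSelector", {}).get("matchLabels", {}).items()))
            for p in ports:
                compiled.append((dst, src, p.get("protocol", "TCP"), p.get("port")))
    return compiled


class PolicyController:
    """Listener + controller: each event updates the rule table in place."""
    def __init__(self):
        self.table = RuleTable()

    def handle(self, event):
        kind = event["object"]["kind"]
        if kind == "Namespace":
            self._namespace(event)
        elif kind == "NetworkPolicy":
            self._policy(event)

    def _namespace(self, event):
        meta = event["object"]["metadata"]
        raw = meta.get("annotations", {}).get(ISOLATION_ANNOTATION)
        isolated = raw is not None and \
            json.loads(raw).get("ingress", {}).get("isolation") == "DefaultDeny"
        if event["type"] == "DELETED" or not isolated:
            self.table.default_deny.discard(meta["name"])
        else:
            self.table.default_deny.add(meta["name"])

    def _policy(self, event):
        meta = event["object"]["metadata"]
        ns, name = meta["namespace"], meta["name"]
        if event["type"] == "DELETED":
            self.table.allow[ns].pop(name, None)
        else:  # ADDED or MODIFIED: recompile and replace the previous version
            self.table.allow[ns][name] = compile_policy(event["object"])


# Constructed watch events: isolate tenant-a, then add 'pol1'.
SAMPLE_EVENTS = [
    {"type": "ADDED", "object": {"kind": "Namespace", "metadata": {
        "name": "tenant-a",
        "annotations": {ISOLATION_ANNOTATION:
                        json.dumps({"ingress": {"isolation": "DefaultDeny"}})}}}},
    {"type": "ADDED", "object": {"kind": "NetworkPolicy",
        "metadata": {"name": "pol1", "namespace": "tenant-a"},
        "spec": {"podSelector": {"matchLabels": {"segment": "backend"}},
                 "ingress": [{"from": [{"podSelector": {"matchLabels": {"segment": "frontend"}}}],
                              "ports": [{"protocol": "TCP", "port": 80}]}]}}},
]


def run_sample(events=SAMPLE_EVENTS):
    """Replay the constructed event stream and return the controller."""
    ctl = PolicyController()
    for ev in events:
        ctl.handle(ev)
    return ctl


if __name__ == "__main__":
    ctl = run_sample()
    print(sorted(ctl.table.default_deny), ctl.table.rules_for("tenant-a"))
```

Two details matter for correctness of a real controller: a MODIFIED event must replace the previously compiled rules for that policy name rather than append to them, and deleting one policy must leave the namespace's isolation flag and its other policies untouched; both are visible in the handlers above.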

If you are stuck building an application because of network isolation or security requirements (or both), these new network policies give you the control you need. And because network policies are available now as an API, you don't have to wait for Kubernetes 1.3.
