2025-01-17 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
The editor shares with you what NetworkPolicy is used for in Kubernetes. I hope you will get something out of this article. Let's discuss it together.
One: brief introduction
1. An important feature of Kubernetes is that it connects Pods running on different nodes regardless of physical node boundaries. In some environments, however, such as the public cloud, the Pods of different tenants should not be able to reach each other, so network isolation is needed. Kubernetes provides NetworkPolicy for this, which supports network isolation at the Namespace level. NetworkPolicy provides policy-based network control to isolate applications and reduce the attack surface. It uses label selectors to emulate traditional segmented networks and uses policies to control the traffic between those segments and from outside.
2. Kubernetes provides NetworkPolicy to support network access control at the Namespace and at the Pod level. It uses labels to select namespaces or Pods, and the underlying enforcement is done with iptables. Not all Kubernetes network plugins support NetworkPolicy: Flannel, for example, does not, while Calico does.
3. How a policy takes effect (with Calico):
a. A NetworkPolicy resource is created through the kubectl client.
b. Calico's policy-controller watches for NetworkPolicy resources and, once it obtains one, writes it into Calico's etcd database.
c. calico-felix on each node fetches the policy from the etcd database and calls iptables to configure the corresponding rules.
Two: NetworkPolicy resource configuration
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
1. podSelector: each NetworkPolicy contains a podSelector that selects the set of Pods the policy applies to. Since NetworkPolicy currently only supports defining ingress rules, this podSelector effectively defines the set of "target Pods" for the policy. The policy in the example selects the Pods labeled "role=db". An empty podSelector selects all Pods in that Namespace.
2. ingress: each NetworkPolicy contains a list of whitelist ingress rules. Each rule allows only traffic that matches both its from and its ports section. The example policy contains a single rule that matches traffic on a single port from two sources, the first selected through namespaceSelector and the second through podSelector.
3. Taken together, the example means: the Pods labeled "role=db" in the "default" Namespace are isolated (if they were not already); within the "default" Namespace, any Pod labeled "role=frontend" may connect to TCP port 6379 of the Pods labeled "role=db"; and any Pod in a Namespace labeled "project=myproject" may connect to TCP port 6379 of the Pods labeled "role=db" in the "default" Namespace.
Three: default policy
1. By creating a NetworkPolicy that selects all Pods but allows no traffic, you create a "default" isolation policy for a Namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
2. Conversely, if you want to allow all traffic to all Pods in a Namespace (even if other policies have already made some of those Pods "isolated"), you can create a policy that explicitly allows all traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
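The ingress semantics spelled out in the three numbered points of section Two and the two default policies in section Three are easy to get wrong in one's head (a podSelector peer is scoped to the policy's own namespace, multiple policies selecting a Pod are unioned, an unselected Pod accepts everything). The following is an added example, not code from the page or from Kubernetes/Calico: an offline evaluator that takes policies as plain dicts in the same shape as the YAML above and a constructed inventory of namespaces and Pods, and answers whether a given connection would be admitted. Names such as NAMESPACES, PODS, can_reach and the Pod labels are assumptions of this example; only podSelector/namespaceSelector peers, ports and empty rules are modelled (no ipBlock, egress or policyTypes).

```python
"""Offline evaluator for NetworkPolicy ingress semantics (added example, not
Kubernetes or Calico code). Policies are dicts shaped like the page's YAML;
the namespace/Pod inventory below is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present.
    A missing (None) or empty ({}) selector matches everything."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_allows(peer, policy_ns, src, namespaces):
    """One entry of a rule's 'from' list. namespaceSelector and podSelector in
    the same entry are ANDed; a podSelector on its own only matches Pods in
    the policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces[src.namespace]):
            return False
    elif src.namespace != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, src.labels)


def rule_allows(rule, policy_ns, src, port, protocol, namespaces):
    """A rule admits traffic only if some 'from' peer matches AND some 'ports'
    entry matches. Absent 'from' means any source, absent 'ports' means any
    port, so the empty rule {} admits everything."""
    peers = rule.get("from") or []
    if peers and not any(peer_allows(p, policy_ns, src, namespaces) for p in peers):
        return False
    ports = rule.get("ports") or []
    if ports and not any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                         for p in ports):
        return False
    return True


def ingress_allowed(policies, namespaces, src, dst, port, protocol="TCP"):
    """True if src may open a connection to dst:port under the given policies."""
    selecting = [p for p in policies
                 if p["metadata"].get("namespace", "default") == dst.namespace
                 and selector_matches(p["spec"].get("podSelector"), dst.labels)]
    if not selecting:
        return True  # no policy selects dst: it is not isolated, all traffic accepted
    # dst is isolated: admitted iff at least one rule of at least one selecting
    # policy whitelists the traffic (policies are unioned, never intersected)
    return any(rule_allows(rule, p["metadata"].get("namespace", "default"),
                           src, port, protocol, namespaces)
               for p in selecting for rule in p["spec"].get("ingress") or [])


# Constructed inventory: namespace name -> namespace labels, and a few Pods.
NAMESPACES = {"default": {}, "myproject": {"project": "myproject"}, "other": {"project": "other"}}
PODS = {
    "db": Pod("db", "default", {"role": "db"}),
    "frontend": Pod("frontend", "default", {"role": "frontend"}),
    "batch": Pod("batch", "default", {"role": "batch"}),
    "mp-client": Pod("mp-client", "myproject", {"role": "batch"}),
    "other-client": Pod("other-client", "other", {"role": "frontend"}),
}

# The page's three policies, as dicts.
TEST_NETWORK_POLICY = {
    "metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"role": "db"}},
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                                   {"podSelector": {"matchLabels": {"role": "frontend"}}}],
                          "ports": [{"protocol": "TCP", "port": 6379}]}]},
}
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "default"},
                "spec": {"podSelector": {}}}
ALLOW_ALL = {"metadata": {"name": "allow-all", "namespace": "default"},
             "spec": {"podSelector": {}, "ingress": [{}]}}


def can_reach(policies, src_name, dst_name, port, protocol="TCP"):
    """Convenience wrapper over the constructed inventory."""
    return ingress_allowed(policies, NAMESPACES, PODS[src_name], PODS[dst_name], port, protocol)


if __name__ == "__main__":
    for pols, label in [([TEST_NETWORK_POLICY], "test-network-policy"),
                        ([DEFAULT_DENY], "default-deny"),
                        ([DEFAULT_DENY, ALLOW_ALL], "default-deny + allow-all")]:
        for src, dst, port in [("frontend", "db", 6379), ("batch", "db", 6379),
                               ("mp-client", "db", 6379), ("other-client", "db", 6379),
                               ("batch", "frontend", 80)]:
            print(f"{label:28} {src:>12} -> {dst}:{port}  {can_reach(pols, src, dst, port)}")
```

Two results worth noticing when you run it: other-client carries the label role=frontend but sits in the "other" Namespace, so the podSelector peer does not match it, and batch -> frontend is allowed under test-network-policy alone (frontend is not selected, hence not isolated) but denied as soon as default-deny is added, until allow-all is unioned in.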
After reading this article, I believe you have some understanding of what NetworkPolicy is used for in Kubernetes. If you want to know more, you are welcome to follow the industry information channel. Thank you for reading!