Using Network Policy in a CCE Cluster
Updated: 2025-08-21
NetworkPolicy is a Kubernetes resource for defining Pod-level network isolation. It describes whether a group of Pods may communicate with other groups of Pods and with other endpoints. This article shows how to implement NetworkPolicy on CCE with the open-source tool kube-router.
kube-router
kube-router is a container networking solution for Kubernetes; its website and source code are at the following addresses:
kube-router provides three major functions:
- Pod Networking;
- IPVS/LVS based service proxy;
- Network Policy Controller.
CCE has its own container networking implementation, so this article uses only kube-router's Network Policy Controller.
Deploying kube-router
Deploy kube-router on the CCE Kubernetes cluster with the following YAML:
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-router-cfg
  namespace: kube-system
  labels:
    tier: node
    k8s-app: kube-router
data:
  cni-conf.json: |
    {
      "name":"kubernetes",
      "type":"bridge",
      "bridge":"kube-bridge",
      "isDefaultGateway":true,
      "ipam": {
        "type":"host-local"
      }
    }
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: kube-router
  namespace: kube-system
  labels:
    k8s-app: kube-router
spec:
  template:
    metadata:
      labels:
        k8s-app: kube-router
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      containers:
      - name: kube-router
        image: docker.io/cloudnativelabs/kube-router
        # only the Network Policy Controller is enabled; routing and service proxy stay with CCE
        args: ["--run-router=false", "--run-firewall=true", "--run-service-proxy=false", "--kubeconfig=/root/.kube/config"]
        securityContext:
          privileged: true
        imagePullPolicy: Always
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        livenessProbe:
          httpGet:
            path: /healthz
            port: 20244
          initialDelaySeconds: 10
          periodSeconds: 3
        volumeMounts:
        - name: lib-modules
          mountPath: /lib/modules
          readOnly: true
        - name: cni-conf-dir
          mountPath: /etc/cni/net.d
        - name: kubeconfig
          mountPath: /root/.kube/config
          readOnly: true
      initContainers:
      - name: install-cni
        image: busybox
        imagePullPolicy: Always
        command:
        - /bin/sh
        - -c
        - set -e -x;
          if [ ! -f /etc/cni/net.d/10-kuberouter.conf ]; then
            TMP=/etc/cni/net.d/.tmp-kuberouter-cfg;
            cp /etc/kube-router/cni-conf.json ${TMP};
            mv ${TMP} /etc/cni/net.d/10-kuberouter.conf;
          fi
        volumeMounts:
        - name: cni-conf-dir
          mountPath: /etc/cni/net.d
        - name: kube-router-cfg
          mountPath: /etc/kube-router
      hostNetwork: true
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      - effect: NoSchedule
        key: node.kubernetes.io/not-ready
        operator: Exists
      volumes:
      - name: lib-modules
        hostPath:
          path: /lib/modules
      - name: cni-conf-dir
        hostPath:
          path: /etc/cni/net.d
      - name: kube-router-cfg
        configMap:
          name: kube-router-cfg
      - name: kubeconfig
        hostPath:
          path: /root/.kube/config
Example
1. Create the namespaces
$ kubectl create namespace production
$ kubectl create namespace staging
2. Start the nginx service
Create an nginx Deployment in each namespace.
$ kubectl apply -f nginx.yaml --namespace=production
$ kubectl apply -f nginx.yaml --namespace=staging
nginx.yaml contains the following:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: hub.baidubce.com/cce/nginx-alpine-go:latest
        ports:
        - containerPort: 80
Verify that the Pods started successfully:
# staging environment
$ kubectl get pods -n staging
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-7fbd5f4c55-2xgd4   1/1     Running   0          45s
nginx-deployment-7fbd5f4c55-5xr75   1/1     Running   0          45s
nginx-deployment-7fbd5f4c55-fn6lr   1/1     Running   0          20m

# production environment
$ kubectl get pods -n production
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-7fbd5f4c55-m764f   1/1     Running   0          10s
nginx-deployment-7fbd5f4c55-pdhhz   1/1     Running   0          10s
nginx-deployment-7fbd5f4c55-r98w5   1/1     Running   0          20m
Without any NetworkPolicy, all Pods can reach each other; a Pod IP can be pinged directly.
Testing Network Policies
1. Default deny all ingress traffic
Deny all access to Pods in namespace=staging.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: staging
spec:
  podSelector: {}
  policyTypes:
  - Ingress
The fields mean the following:
- podSelector: selects the Pods to isolate;
- policyTypes: the policy type. NetworkPolicy divides traffic into ingress and egress, i.e. inbound and outbound; if not specified, no restriction applies;
- ingress: inbound whitelist. It specifies from and ports, i.e. the source and the destination port; from has three types: ipBlock, namespaceSelector and podSelector;
- egress: outbound whitelist, similar to ingress. It specifies to and ports, i.e. the destination and the destination port.
Once this NetworkPolicy is created, a Pod IP in namespace=staging cannot be reached from any Pod, for example from a Pod in production:
$ kubectl exec -it nginx-deployment-7fbd5f4c55-m764f /bin/sh -n production
/ # ping 172.16.0.92
PING 172.16.0.92 (172.16.0.92): 56 data bytes
2. Default allow all ingress traffic
Allow all access to Pods in namespace=staging.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: staging
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress
3. Default deny all egress traffic
Deny all outbound access from Pods in namespace=production.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
4. Default allow all egress traffic
Allow all outbound access from Pods in namespace=production.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: production
spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress
5. Default deny all ingress and all egress traffic
Deny all inbound and outbound traffic for every Pod:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
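As an added example that is not part of the original page, the toy evaluator below models the semantics behind the five policies above: an empty podSelector selects every Pod, a policy type with no rule list denies everything, a single `{}` rule allows everything, and a whitelist rule combines namespaceSelector, podSelector and ports. The Pods, namespace labels and the `allow-from-production` whitelist policy are constructed sample data; matchLabels-only selectors and no ipBlock support are simplifying assumptions.

```python
# Added example (not from the page): toy NetworkPolicy evaluator. Assumptions: matchLabels-only
# selectors, no ipBlock peers, constructed sample data. Real enforcement is done by kube-router.
def selects(selector, labels):
    """matchLabels-only selector; an empty selector {} selects everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(spec):
    """Kubernetes default when policyTypes is omitted: Ingress, plus Egress if egress rules exist."""
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])

def peer_matches(peer, other, policy_ns, ns_labels):
    if "ipBlock" in peer:             # assumption: CIDR peers are out of scope for this toy
        return False
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], ns_labels.get(other["ns"], {})):
            return False
    elif other["ns"] != policy_ns:    # a bare podSelector only matches Pods in the policy's namespace
        return False
    return selects(peer.get("podSelector", {}), other["labels"])

def allowed(direction, subject, other, port, policies, ns_labels):
    """Ingress: may `other` reach `subject` on `port`?  Egress: may `subject` reach `other` on `port`?"""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    applicable = [p for p in policies if p["namespace"] == subject["ns"]
                  and direction in policy_types(p["spec"])
                  and selects(p["spec"].get("podSelector", {}), subject["labels"])]
    if not applicable:
        return True                   # no policy selects the Pod: Kubernetes default is allow
    for p in applicable:              # policies are additive: any matching rule permits the traffic
        for rule in p["spec"].get(rules_key) or []:   # no rule list at all = nothing permitted = deny
            peers_ok = rule.get(peer_key) is None or any(
                peer_matches(x, other, subject["ns"], ns_labels) for x in rule[peer_key])
            ports_ok = rule.get("ports") is None or any(pp.get("port") == port for pp in rule["ports"])
            if peers_ok and ports_ok:
                return True
    return False

def can_connect(src, dst, port, policies, ns_labels):  # both ends must permit the flow
    return (allowed("Egress", src, dst, port, policies, ns_labels)
            and allowed("Ingress", dst, src, port, policies, ns_labels))

# Constructed sample mirroring the page: two namespaces, nginx Pods, and the page's policies.
NS_LABELS = {"production": {"env": "production"}, "staging": {"env": "staging"}}
STAGING_NGINX = {"ns": "staging", "labels": {"app": "nginx"}}
PROD_NGINX = {"ns": "production", "labels": {"app": "nginx"}}
DENY_STAGING_INGRESS = {"namespace": "staging", "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_STAGING_INGRESS = {"namespace": "staging", "spec": {"podSelector": {}, "ingress": [{}], "policyTypes": ["Ingress"]}}
DENY_PROD_EGRESS = {"namespace": "production", "spec": {"podSelector": {}, "policyTypes": ["Egress"]}}
# A whitelist the page describes but does not show: only production nginx Pods may reach staging nginx on 80.
ALLOW_FROM_PROD = {"namespace": "staging", "spec": {"podSelector": {"matchLabels": {"app": "nginx"}},
    "policyTypes": ["Ingress"], "ingress": [{"ports": [{"protocol": "TCP", "port": 80}], "from": [
        {"namespaceSelector": {"matchLabels": {"env": "production"}}, "podSelector": {"matchLabels": {"app": "nginx"}}}]}]}}
```

`can_connect` makes the point the page's steps 1 and 3 show separately: a flow is only permitted when the source's egress policies and the destination's ingress policies both allow it.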
