networkpolicy application scenarios
By default, the Kubernetes cluster network does not have any network restrictions. Pods can communicate with any other pods. In some scenarios, network control is required to reduce the network attack surface and improve security. This will use network policies.
network policy:
It is a K8s resource, which is used to limit pod inbound and outbound traffic, and provide pod-level and namespace-level network access control.
Application scenario:
1. Access control between applications, such as project A cannot access the pod of project B
2. The development environment namespace cannot access the test environment namespace Pod
3. When the pod is exposed to the outside world, a Pod whitelist needs to be done
4. Multi-tenant network environment isolation
yaml example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default #The policy is applied in that namespace, that is, to limit the pod s in that namespace (target)
spec:
podSelector: #Select the pods that match which tags, select a group of pods as a network policy, and write {} to indicate the pods under the partition
matchLabels:
role: db
policyTypes:
- Ingress #Network access, who accesses the pod (that is, who accesses the pod with the role=db label under the default namespace)
- Egress #Out of the network, who can the pod with role=db access
ingress:
- from:
- ipBlock: #ip control inbound
cidr: 172.17.0.0/16 #Allow this network segment to access
except:
- 172.17.1.0/24 #This network segment cannot be accessed
- namespaceSelector: #Controlled by namespace
matchLabels:
project: myproject
- podSelector: #Allow connections from Pods marked with role=client in the local namespace, or from any Pod marked with user=alice in any namespace. If not added - then connections under this namespace are only allowed from Pods marked with role=client and marked with user=alice in the namespace where the Pod is located.
matchLabels:
role: frontend
ports: #The above three can access that port
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 59785 Cases of Network Access Control
Case 1: Deny all pod inbound and outbound traffic under the namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: test
spec:
podSelector: {} #Matches all pod s in this namespace
policyTypes:
- Ingress
- Egress
#ingress and egress do not specify rules, no traffic is allowed to enter and exit the pod
When the networkpolicy is not set, inbound and outbound access is free (pod test can be started first, K8s intercommunication by default), and it will take effect after setting (inaccessible)
after apply
test access external (access denied),
[]kubectl run busybox --image=busybox -n test -- sleep 12h
[]kubectl exec busybox -n test -- ping baidu.cm
Test external pod access (access denied)
[]kubectl run web --image=nginx -n test
[]kubectl run busybox --image=busybox --sleep 12h
[]kubectl exec busybox -- ping nginxpod's ip
Test access between internal pod s (deny access)
[]kubectl exec busybox -n test -- ping nginxpod's ip
This policy is basically not used, but it can be set as the default policy
Case 2: Deny access to other namespace pod s
Requirement: All pods in the test namespace can access each other and pods in other namespaces, but pods in other namespaces cannot access pods in the test namespace
Remember to delete the strategy of 1 and then proceed to 2
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-ingress
namespace: test
spec:
podSelector: {} #All pod s under test
policyTypes:
- Ingress
ingress:
- from:
- podSelector: {} #Matches all pod s in this namespace Case 3: Allow other namespace pod s to access specified applications
Requirements: Allow other namespaces test namespace to specify pods, pod label app=web
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all-nmespace
namespace: test
spec:
podSelector:
matchLabels:
app: web #The label with app=web under the test namespace
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector: {} #Match pod s in all namespaces
#That is, pods in all namespaces can access pods of app=web under the test namespace, which is the same as K8s by default, meaningless. However, when combined with case 1, one can be accessed and the other cannot be accessed
#Default rejection without -from rejects all inbound, and then matches namespace {} table through namespaceselector
This rule alone
Use with Case 1
Case 4: Restrict access between applications under the same namespace
Requirement: isolate pods labeled run=web in the test namespace, and only allow pods labeled run=client1 in the test namespace to access port 80
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: app-to-app
namespace: test
spec:
podSelector:
matchLabels:
run: web
policyTypes:
- Ingress
ingress:
[]kubectl run client1 --image=busybox -n test-- sleep 12h
Case 5: Only allow applications in the specified namespace to access
Requirement: Only allow access to applications in the specified namespace and access to specified tag pod s in all other namespaces
The application policy namespace is dev, and the web pod label is env=dev
Allow access to pods in the prod namespace, and pods with the label app=client1 in other namespaces
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: dev-web
namespace: dev
spec:
podSelector:
matchLabels:
env: dev
policyTypes:
- Ingress
ingress:
#Satisfied to allow pod access in the prod namespace
- from:
- namespaceSelector:
matchLabels:
env: prod
#Allow pod access with pod label app=client1, all namespaces
- from:
- namespaceSelector: {}
podSelector:
matchLabels:
app: client1
[]kubectl create ns dev
[]kubectl run web --image=busybox -n dev --labels="env=dev" -- sleep 12h
[]kubectl create ns prod
[]kubectl label ns prod env=prod
[]kubectl run web --image=busybox -n prod -- sleep 12h
#Test as required