2024-07-12
By default, every Pod is fully reachable. Each Namespace can be given its own network policies to isolate traffic between Pods.
From v1.7 on, a NetworkPolicy that selects all Pods can be created to serve as the namespace's default network policy:
```yaml
# Deny all ingress traffic to every Pod in the namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
```

```yaml
# Deny all egress traffic from every Pod in the namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Egress
```

```yaml
# Deny all ingress and egress traffic for every Pod in the namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

```yaml
# Allow all ingress traffic to every Pod in the namespace (an empty rule matches any source)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
```

```yaml
# Allow all egress traffic from every Pod in the namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  egress:
  - {}
```
Traffic between Pods is controlled with label selectors; the two available are namespaceSelector and podSelector.
- Allow Pods carrying the role=frontend label in the default namespace to reach port 6379 of Pods carrying the role=db label in the default namespace
- Allow all Pods in any namespace carrying the project=myproject label to reach port 6379 of Pods carrying the role=db label in the default namespace

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  ingress:
  - from:
    # each list entry is an independent source; a source only needs to match one of them
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP   # protocol names are case-sensitive: TCP, UDP or SCTP
      port: 6379
```
- Allow Pods carrying the role=db label in the default namespace to reach TCP port 5978 in the 10.0.0.0/24 network segment

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
```
An nginx service is now configured and exposed on port 80. By default, every Pod can reach this service.

```shell
$ kubectl get svc
NAME               TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
nginx-deployment   NodePort   10.102.52.246   <none>        80:31180/TCP   19d

# Start a busybox Pod and use it to access the nginx-deployment service
$ kubectl exec -it pod/busybox-test -- sh
/ # wget --spider --timeout=1 nginx-deployment
Connecting to nginx-deployment (10.102.52.246:80)
remote file exists
/ #
```
Now configure a network policy for the nginx-deployment service so that Pods can no longer reach it.

```shell
$ cat default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress

$ kubectl create -f default-deny.yaml
networkpolicy.networking.k8s.io/default-deny created

# The busybox Pod can no longer reach the nginx-deployment service
$ kubectl exec -it pod/busybox-test -- sh
/ # wget --spider --timeout=1 nginx-deployment
Connecting to nginx-deployment (10.102.52.246:80)
wget: download timed out
/ # exit

# List the network policies
$ kubectl get networkpolicy
NAME           POD-SELECTOR   AGE
default-deny   <none>         102s
```
Create another network policy that allows Pods carrying access=true to access the service:

```shell
# Every Pod with the label access=true may access the nginx-deployment service
$ cat nginx-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"

# Start a busybox Pod carrying the label access=true
$ cat busybox-test.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cni.projectcalico.org/containerID: fefc92be6bb04bacdf757a0b4132d72c2133c94dbfa684296cf59772817fc939
    cni.projectcalico.org/podIP: 172.16.43.1/32
    cni.projectcalico.org/podIPs: 172.16.43.1/32
  creationTimestamp: "2024-06-28T08:39:13Z"
  labels:
    access: "true"
    purpose: demonstrate-busybox
  name: busybox-test
  namespace: default
  resourceVersion: "208006"
  uid: 2d94690d-4f16-4bb6-a540-4682334170af
spec:
  containers:
  - command:
    - sleep
    - "3600"
    image: busybox
    imagePullPolicy: IfNotPresent
    name: busybox
    resources:
... ...

$ kubectl apply -f busybox-test.yaml

# The busybox-test Pod now carries the access=true label
$ kubectl describe pod busybox-test
Name:             busybox-test
Namespace:        default
Priority:         0
Service Account:  default
Node:             kevin-pc/192.168.227.129
Start Time:       Fri, 28 Jun 2024 16:39:13 +0800
Labels:           access=true

# Accessing the nginx service from busybox-test now succeeds
$ kubectl exec -it pod/busybox-test -- sh
/ # wget --spider --timeout=1 nginx-deployment
Connecting to nginx-deployment (10.102.52.246:80)
remote file exists
/ #
```
Once the network policies are deleted, every Pod can again reach the nginx-deployment service by default.

```shell
$ kubectl get networkpolicy
NAME           POD-SELECTOR   AGE
access-nginx   app=nginx      10m
default-deny   <none>         17m
$ kubectl delete networkpolicy access-nginx
```
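The behaviour shown in the two sections above (the label-selector examples with namespaceSelector, podSelector and ipBlock, and the busybox-to-nginx walkthrough with default-deny followed by access-nginx) follows from a small set of rules: a Pod is non-isolated until some policy selects it, and once selected, traffic must match at least one rule of any selecting policy. The following is an added example, not code from the original page, that models those ingress rules offline so the decisions can be checked without a cluster. The policies and Pods are constructed inline to mirror the page's YAML; the namespace `team-a` and its `project=myproject` label, the `other` namespace, and the helper names (`ingress_allowed`, `walkthrough`) are assumptions for the example, and it treats Pods as matched only by selectors and external addresses only by ipBlock, which is a simplification of what a CNI actually does.

```python
# Added example (not from the original page): an offline model of how
# Kubernetes decides whether INGRESS traffic may reach a Pod. Policies
# and Pods are constructed inline to mirror the page's YAML; the
# namespaces "team-a" (labelled project=myproject) and "other" are assumed.
import ipaddress

API = "networking.k8s.io/v1"


def matches(selector, labels):
    """matchLabels: every key must be present with the same value.
    An empty selector ({} or no matchLabels) matches everything."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(spec):
    """Without policyTypes, Ingress is always implied and Egress only if an
    egress section exists, so 'podSelector: {}' alone still denies all ingress."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def peer_matches(peer, src, policy_ns, namespaces):
    """One entry of a 'from' list. src is a Pod dict (selector peers) or a
    plain IP string standing for cluster-external traffic (ipBlock peers)."""
    if "ipBlock" in peer:
        if not isinstance(src, str):
            return False  # simplification: Pods are matched by selectors only
        ip = ipaddress.ip_address(src)
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
    if isinstance(src, str):
        return False
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], namespaces[src["namespace"]]):
            return False
    elif src["namespace"] != policy_ns:
        return False  # a bare podSelector only covers the policy's own namespace
    return matches(peer.get("podSelector", {}), src["labels"])


def port_matches(ports, protocol, port):
    """An absent or empty 'ports' list means every port and protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port
               for p in ports)


def ingress_allowed(policies, namespaces, dst, src, protocol="TCP", port=80):
    """True if src may open protocol/port on dst.
    1. Policies in dst's namespace whose podSelector matches dst isolate it.
    2. No such policy -> dst is non-isolated -> allowed (the cluster default).
    3. Otherwise the ingress rules of all selecting policies are OR-ed."""
    selecting = [p for p in policies
                 if p["metadata"].get("namespace", "default") == dst["namespace"]
                 and "Ingress" in policy_types(p["spec"])
                 and matches(p["spec"].get("podSelector"), dst["labels"])]
    if not selecting:
        return True
    for p in selecting:
        ns = p["metadata"].get("namespace", "default")
        for rule in p["spec"].get("ingress") or []:
            if not port_matches(rule.get("ports"), protocol, port):
                continue
            peers = rule.get("from")
            if not peers:  # '- {}' or 'from: []' admits any source
                return True
            if any(peer_matches(peer, src, ns, namespaces) for peer in peers):
                return True
    return False


def policy(name, spec, namespace="default"):
    return {"apiVersion": API, "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def pod(name, namespace="default", **labels):
    return {"name": name, "namespace": namespace, "labels": labels}


# Constructed namespaces and their labels ("team-a" and "other" are assumptions).
NAMESPACES = {"default": {}, "team-a": {"project": "myproject"}, "other": {}}

DEFAULT_DENY = policy("default-deny", {"podSelector": {}, "policyTypes": ["Ingress"]})
ACCESS_NGINX = policy("access-nginx", {
    "podSelector": {"matchLabels": {"app": "nginx"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}]})
TEST_POLICY = policy("test-network-policy", {  # the page's ipBlock/namespace/pod example
    "podSelector": {"matchLabels": {"role": "db"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [
        {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
        {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}}],
        "ports": [{"protocol": "TCP", "port": 6379}]}]})

NGINX = pod("nginx-deployment", app="nginx")
BUSYBOX = pod("busybox-test", purpose="demonstrate-busybox")
BUSYBOX_LABELED = pod("busybox-test", purpose="demonstrate-busybox", access="true")
DB = pod("db", role="db")


def walkthrough():
    """The page's busybox -> nginx sequence, step by step."""
    both = [DEFAULT_DENY, ACCESS_NGINX]
    return {
        "no policy": ingress_allowed([], NAMESPACES, NGINX, BUSYBOX),
        "after default-deny": ingress_allowed([DEFAULT_DENY], NAMESPACES, NGINX, BUSYBOX),
        "access-nginx, pod unlabeled": ingress_allowed(both, NAMESPACES, NGINX, BUSYBOX),
        "access-nginx, pod access=true": ingress_allowed(both, NAMESPACES, NGINX, BUSYBOX_LABELED),
        "policies deleted": ingress_allowed([], NAMESPACES, NGINX, BUSYBOX_LABELED),
    }


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{step:32s} {'allowed' if ok else 'denied'}")
```

Two details the model makes visible that the page's transcript does not: the `access-nginx` policy on its own already isolates the nginx Pod (any selecting policy does), so `default-deny` is what protects the other Pods in the namespace, not what protects nginx; and a bare `podSelector` peer never admits a Pod from another namespace, which is why the page's `test-network-policy` pairs it with a `namespaceSelector` entry.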
First start the nginx service and attach labels to it:

```shell
kubectl run web --image=nginx --labels app=web,env=prod --expose --port 80
```

```yaml
# No ingress rules are configured, so no Pod can reach this service
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-deny-all
spec:
  podSelector:
    matchLabels:
      app: web
      env: prod
```

```shell
kubectl run apiserver --image=nginx --labels app=bookstore,role=api --expose --port 80
```

```yaml
# Only Pods labelled app=bookstore may reach the api Pods
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: api-allow
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: bookstore
```

```yaml
# Deny all ingress to every Pod in the default namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
```

```yaml
# Allow traffic from Pods in the same namespace only; an empty matchLabels selects every Pod
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: default
  name: web-deny-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
```

```yaml
# Allow traffic only from namespaces labelled purpose=production
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-prod
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: production
```

```shell
kubectl run web --image=nginx --labels=app=web --port 80
kubectl expose deployment/web --type=LoadBalancer
```

```yaml
# Allow external traffic to port 80: an empty 'from' list admits any source
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-external
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - ports:
    - port: 80
    from: []
```