# Kubernetes Network Policies
## Overview of Kubernetes Network Policies
A Kubernetes NetworkPolicy is a specification that controls network traffic between Pods. With network policies you can isolate the services of a microservice architecture from one another, deciding which Pods may talk to which, and on which ports and protocols.
## Network Policy Basics
### 1. How network policies work
A network policy uses label selectors to choose the Pods it applies to, and then defines which inbound (Ingress) and outbound (Egress) traffic is allowed for those Pods.
Basic structure of a network policy:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:            # the Pods this policy applies to
    matchLabels:
      role: db
  policyTypes:            # which directions the policy governs
    - Ingress
    - Egress
  ingress:                # inbound rules
    - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
      ports:
        - protocol: TCP
          port: 6379
  egress:                 # outbound rules
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978
```
### 2. Prerequisites
Network policies are only enforced if the cluster's network plugin (CNI) implements them. The API server accepts NetworkPolicy objects regardless, so with an unsupported plugin the policies are stored but have no effect. Plugins with policy support include:
- Calico: the most complete network policy implementation
- Cilium: high-performance network policies based on eBPF
- Weave Net: supports basic network policies
- Flannel: does not enforce policies by itself and needs additional configuration (typically pairing it with Calico for policy enforcement)
### 3. Default network behaviour
Without any network policy, every Pod in the cluster can reach every other Pod. A policy changes this only for the Pods it selects: once a Pod is selected by a policy of a given type (Ingress or Egress), all traffic in that direction that no policy explicitly allows is denied. Network policies are therefore allow-lists on top of a default deny; there is no "deny" rule, and several policies selecting the same Pod are combined additively.
## Network Policy Configuration in Detail
### 1. Inbound traffic control (Ingress)
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        # allow Pods with a specific label (in the policy's own namespace)
        - podSelector:
            matchLabels:
              app: web
        # allow all Pods from a specific namespace
        - namespaceSelector:
            matchLabels:
              name: frontend
        # allow a specific IP range
        - ipBlock:
            cidr: 192.168.1.0/24
      ports:
        - protocol: TCP
          port: 3306
```
The three entries under `from` are alternatives: a source that matches any one of them is allowed to reach port 3306.
### 2. Outbound traffic control (Egress)
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Egress
  egress:
    - to:
        # allow access to Pods with a specific label
        - podSelector:
            matchLabels:
              app: database
        # allow access to a specific namespace
        - namespaceSelector:
            matchLabels:
              name: database
      ports:
        - protocol: TCP
          port: 3306
```
### 3. Combined policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 3306
  egress:
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53   # allow DNS queries (to any namespace)
```
## Practical Scenarios
### 1. Microservice isolation
```yaml
# Frontend service network policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: frontend
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0   # allow external access
      ports:
        - protocol: TCP
          port: 80
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: backend
      ports:
        - protocol: TCP
          port: 8080
---
# Backend service network policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: database
      ports:
        - protocol: TCP
          port: 3306
---
# Database service network policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-policy
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: backend
      ports:
        - protocol: TCP
          port: 3306
```
### 2. Multi-environment isolation
```yaml
# Development environment network policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dev-isolation
  namespace: development
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              environment: development
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              environment: development
        - namespaceSelector:
            matchLabels:
              name: kube-system   # allow access to system services
```
### 3. Secure access control
```yaml
# Restrict access to the management interface
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: admin-access
  namespace: production
spec:
  podSelector:
    matchLabels:
      role: admin
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 192.168.10.0/24   # only the management network may connect
      ports:
        - protocol: TCP
          port: 22      # SSH
        - protocol: TCP
          port: 8443    # Kubernetes API
```
## Advanced Network Policies
### 1. Port-based policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: port-based-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 8443
```
### 2. Protocol-based policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: protocol-policy
spec:
  podSelector:
    matchLabels:
      app: monitoring
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 9090   # Prometheus
        - protocol: UDP
          port: 9091   # Alertmanager
```
### 3. Combined-selector policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: combined-selector-policy
spec:
  podSelector:
    matchLabels:
      app: secure-service
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              tenant: team-a
          podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 80
```
Because `namespaceSelector` and `podSelector` sit in the same `from` entry, both must match: only Pods labelled `role: frontend` in namespaces labelled `tenant: team-a` are allowed. Written as two separate list entries (each with its own leading `-`), the same selectors would be ORed, and every Pod in `team-a` namespaces plus every `role: frontend` Pod in the policy's own namespace would be admitted.
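The AND-versus-OR distinction above, the default-allow behaviour for unselected Pods, the additive combination of policies and the `except` list of an `ipBlock` are easy to get wrong when reading YAML by eye. The following evaluator is an added example, not code from the original page or from Kubernetes itself: it reimplements those NetworkPolicy semantics over plain dicts that mirror the YAML (the `policy()` builder, the namespace labels, Pods and IPs are all constructed for the demonstration) so that a policy's effect can be checked before it is applied.

```python
"""Added example (not code from the original page): a dependency-free evaluator of
Kubernetes NetworkPolicy semantics. Policies are dicts mirroring the YAML; the cluster
data (namespaces, Pods, IPs) is constructed for the demonstration."""
import ipaddress
from collections import namedtuple

Pod = namedtuple("Pod", "name namespace labels ip")

def selector_matches(selector, labels):
    """matchLabels semantics: every key/value must match; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress only when an egress section exists."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def peer_matches(peer, other, policy_ns, namespaces):
    """One entry of a from/to list. namespaceSelector and podSelector written in the
    SAME entry are ANDed; separate entries are ORed by the caller."""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(other.ip), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(ex) for ex in block.get("except", []))
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces[other.namespace]):
            return False
    elif other.namespace != policy_ns:
        return False  # a bare podSelector only reaches Pods in the policy's own namespace
    return pod_sel is None or selector_matches(pod_sel, other.labels)

def port_matches(ports, protocol, port):
    """No ports list means every port; protocol defaults to TCP."""
    return not ports or any(p.get("protocol", "TCP") == protocol and p["port"] == port
                            for p in ports)

def is_allowed(policies, namespaces, src, dst, port, protocol="TCP", direction="Ingress"):
    """Ingress: policies selecting dst decide and src is the peer; Egress: the reverse.
    A Pod selected by no policy of that type accepts everything (the Kubernetes default);
    once selected, only traffic some rule explicitly allows passes (policies are additive)."""
    selected, peer = (dst, src) if direction == "Ingress" else (src, dst)
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    applicable = [p["spec"] for p in policies
                  if p["metadata"].get("namespace", "default") == selected.namespace
                  and direction in policy_types(p["spec"])
                  and selector_matches(p["spec"].get("podSelector", {}), selected.labels)]
    if not applicable:
        return True
    for spec in applicable:
        for rule in spec.get(rules_key, []):
            peers = rule.get(peers_key)
            peer_ok = not peers or any(peer_matches(x, peer, selected.namespace, namespaces)
                                       for x in peers)
            if peer_ok and port_matches(rule.get("ports"), protocol, port):
                return True
    return False

# ---- constructed cluster state: namespace labels and Pods ----------------------------
NAMESPACES = {"default": {"name": "default"}, "team-a": {"tenant": "team-a"}}
PODS = {"db": Pod("db", "default", {"app": "database"}, "10.244.0.10"),
        "web": Pod("web", "default", {"app": "web"}, "10.244.0.11"),
        "secure": Pod("secure", "default", {"app": "secure-service"}, "10.244.0.12"),
        "a-front": Pod("a-front", "team-a", {"role": "frontend"}, "10.244.1.10"),
        "a-back": Pod("a-back", "team-a", {"role": "backend"}, "10.244.1.11"),
        "ext-ok": Pod("ext-ok", "external", {}, "172.17.0.5"),    # client outside the cluster
        "ext-bad": Pod("ext-bad", "external", {}, "172.17.1.5")}  # falls in the except block

def policy(name, selector, **sections):
    """Build a policy dict in namespace 'default' (constructed helper, not a k8s API)."""
    return {"metadata": {"name": name, "namespace": "default"},
            "spec": {"podSelector": {"matchLabels": selector}, **sections}}

TEAM_A = {"namespaceSelector": {"matchLabels": {"tenant": "team-a"}}}
FRONTEND = {"podSelector": {"matchLabels": {"role": "frontend"}}}
HTTP = [{"protocol": "TCP", "port": 80}]
DB_POLICY = policy("db-policy", {"app": "database"}, policyTypes=["Ingress"],
                   ingress=[{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                             "ports": [{"protocol": "TCP", "port": 3306}]}])
IP_POLICY = policy("ip-policy", {"app": "database"}, policyTypes=["Ingress"],
                   ingress=[{"from": [{"ipBlock": {"cidr": "172.17.0.0/16",
                                                   "except": ["172.17.1.0/24"]}}],
                             "ports": [{"protocol": "TCP", "port": 6379}]}])
# The same two selectors written two ways: one from entry (AND) versus two entries (OR).
COMBINED_AND = policy("combined-and", {"app": "secure-service"}, policyTypes=["Ingress"],
                      ingress=[{"from": [{**TEAM_A, **FRONTEND}], "ports": HTTP}])
COMBINED_OR = policy("combined-or", {"app": "secure-service"}, policyTypes=["Ingress"],
                     ingress=[{"from": [TEAM_A, FRONTEND], "ports": HTTP}])

def can_reach(policies, src, dst, port, protocol="TCP", direction="Ingress"):
    """Decision for two named Pods of the constructed cluster."""
    return is_allowed(policies, NAMESPACES, PODS[src], PODS[dst], port, protocol, direction)
```

With `COMBINED_AND`, `a-back` (a backend Pod in `team-a`) is refused while `a-front` is admitted; with `COMBINED_OR` both get through, because the namespace selector alone is sufficient. `can_reach([], ...)` returns `True` for any pair, which is the unselected-Pod default, and `DB_POLICY` plus `IP_POLICY` together admit both the `app: web` Pod and the out-of-cluster client at `172.17.0.5`, but not `172.17.1.5`, which sits in the `except` range. The evaluator deliberately models only `matchLabels`; `matchExpressions`, named ports and `endPort` ranges are outside its scope.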
## Debugging and Testing Network Policies
### 1. Policy verification tools
```bash
# start a throwaway debugging Pod that ships with network tools
kubectl run -it --rm debug --image=nicolaka/netshoot -- bash
# inside the debug container, test connectivity
# nc -zv database-service 3306
# curl -v http://web-service:8080
```
### 2. Testing policy application
```yaml
# Test policy: deny all traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Test policy: allow specific traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specific
spec:
  podSelector:
    matchLabels:
      app: test-app
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: allowed-app
      ports:
        - protocol: TCP
          port: 80
```
### 3. Policy monitoring
```bash
# list network policies
kubectl get networkpolicies
# show the details of one network policy
kubectl describe networkpolicy policy-name
# show Pod network status (IPs and nodes)
kubectl get pods -o wide
# show service endpoints
kubectl get endpoints
```
## Network Policy Best Practices
### 1. Policy design principles
```yaml
# Default-deny policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: secure-namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Explicit allow policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-required-traffic
  namespace: secure-namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: trusted-namespace
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - protocol: UDP
          port: 53   # DNS
```
### 2. Layered security policies
```yaml
# Application layer policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-layer-policy
spec:
  podSelector:
    matchLabels:
      layer: application
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              layer: web
---
# Data layer policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: data-layer-policy
spec:
  podSelector:
    matchLabels:
      layer: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              layer: application
```
### 3. Namespace isolation policy
```yaml
# Control communication between namespaces
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-isolation
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              project: my-project
```
## Common Problems and Solutions
### 1. The policy has no effect
```bash
# check that the installed network plugin enforces network policies:
# look for the plugin's Pods (calico-node, cilium, weave-net, ...) in kube-system
kubectl get pods -n kube-system -o wide
# check that the policy was applied and selects the Pods you expect
kubectl describe networkpolicy policy-name
# check the Pod labels against the policy's podSelector
kubectl get pods --show-labels
```
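The checks above are manual. The linter below is an added example, not code from the original page or from any Kubernetes tool: it runs the same three checks over NetworkPolicy dicts that mirror the YAML before they are applied, flagging a `podSelector` that matches no Pod (typically a label typo), a `namespaceSelector` that matches no namespace, and an Egress-restricting policy that allows no port 53. The namespaces, Pods and the `db_policy()` builder are constructed for the demonstration. One fact the constructed data relies on: Kubernetes sets the label `kubernetes.io/metadata.name` on every namespace automatically, whereas a plain `name` label, as used throughout this page, exists only where an administrator added it.

```python
"""Added example (not code from the original page): a pre-apply linter that catches the
usual reasons a NetworkPolicy 'does not take effect': a podSelector that matches no Pod,
a namespaceSelector that matches no namespace, and an Egress policy that forgets DNS.
Policies are dicts mirroring the YAML; the cluster data below is constructed."""

def matches(selector, labels):
    """matchLabels only; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peers(spec):
    """Yield (direction, rule, peer) for every from/to entry in the policy."""
    for direction, rules_key, peers_key in (("ingress", "ingress", "from"),
                                            ("egress", "egress", "to")):
        for rule in spec.get(rules_key, []):
            for peer in rule.get(peers_key, []):
                yield direction, rule, peer

def allows_dns(spec):
    """True if some egress rule is open on all ports or explicitly permits port 53."""
    return any(not rule.get("ports") or any(p.get("port") == 53 for p in rule["ports"])
               for rule in spec.get("egress", []))

def lint_policy(policy, namespaces, pods):
    """Return a list of findings (empty means nothing suspicious).
    namespaces: {name: labels}; pods: list of (namespace, labels)."""
    name = policy["metadata"]["name"]
    ns = policy["metadata"].get("namespace", "default")
    spec = policy["spec"]
    findings = []
    if ns not in namespaces:
        findings.append(f"{name}: namespace {ns!r} does not exist")
    if not any(p_ns == ns and matches(spec.get("podSelector", {}), labels) for p_ns, labels in pods):
        findings.append(f"{name}: podSelector matches no Pod in {ns!r}; compare with "
                        f"'kubectl get pods -n {ns} --show-labels'")
    default_types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Egress" in spec.get("policyTypes", default_types) and not allows_dns(spec):
        findings.append(f"{name}: restricts Egress but allows no port 53, so DNS lookups will fail")
    for direction, rule, peer in peers(spec):
        sel = peer.get("namespaceSelector")
        if sel is not None and not any(matches(sel, labels) for labels in namespaces.values()):
            findings.append(f"{name}: {direction} namespaceSelector {sel.get('matchLabels')} matches "
                            "no namespace; check 'kubectl get namespaces --show-labels'")
        if direction == "ingress" and peer.get("ipBlock", {}).get("cidr") == "0.0.0.0/0" \
                and not rule.get("ports"):
            findings.append(f"{name}: ingress from 0.0.0.0/0 on every port admits any source")
    return findings

# ---- constructed cluster state ---------------------------------------------------------
# kubernetes.io/metadata.name is set automatically on every namespace; a plain 'name' label
# only exists where an administrator added it (here: backend, but not kube-system).
NAMESPACES = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "backend": {"kubernetes.io/metadata.name": "backend", "name": "backend"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}
PODS = [("default", {"app": "database"}), ("backend", {"app": "backend"})]

def db_policy(pod_label, dns_namespace_selector):
    """The page's database-policy pattern, parameterised to show a broken and a fixed variant."""
    return {"metadata": {"name": "db-policy", "namespace": "default"},
            "spec": {"podSelector": {"matchLabels": {"app": pod_label}},
                     "policyTypes": ["Ingress", "Egress"],
                     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "backend"}}}],
                                  "ports": [{"protocol": "TCP", "port": 3306}]}],
                     "egress": [{"to": [{"namespaceSelector": {"matchLabels": dns_namespace_selector}}],
                                 "ports": [{"protocol": "UDP", "port": 53}]}]}}

# Two classic mistakes: a misspelled Pod label and a kube-system label that was never applied.
BROKEN = db_policy("databse", {"name": "kube-system"})
FIXED = db_policy("database", {"kubernetes.io/metadata.name": "kube-system"})
```

`lint_policy(BROKEN, NAMESPACES, PODS)` reports two findings (no Pod carries `app: databse`, and no namespace carries `name: kube-system`), while `FIXED` produces none. The DNS check is deliberately permissive: it accepts port 53 over either protocol, because DNS falls back to TCP for large responses, so a production allow rule should usually list both `UDP` and `TCP` 53 rather than only the `UDP` entry shown on this page.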
### 2. Connectivity problems
```bash
# test connectivity between Pods
kubectl exec -it pod1 -- nc -zv pod2-service 80
# view the network plugin's logs (this label is Calico-specific; other plugins use their own)
kubectl logs -n kube-system -l k8s-app=calico-node
# check the network plugin's Pods
kubectl get pods -n kube-system | grep network
```
### 3. Performance optimisation
```yaml
# Optimisation: keep rules simple
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: optimized-policy
spec:
  podSelector:
    matchLabels:
      app: optimized-app
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              trusted: "true"
      ports:
        - protocol: TCP
          port: 80
```
## Network Policy Management Commands
| Command | Description |
|---|---|
| kubectl get networkpolicies | List network policies |
| kubectl describe networkpolicy name | Show the details of a policy |
| kubectl apply -f policy.yaml | Apply a network policy |
| kubectl delete networkpolicy name | Delete a network policy |
| kubectl get pods --show-labels | Show Pod labels |
| kubectl get namespaces --show-labels | Show namespace labels |
## Summary
Kubernetes network policies are an essential tool for isolating microservices from one another. Configured properly, they control which Pods may communicate and so raise the security of the whole system. In practice, design policies from the business and security requirements, and review and refine them regularly.