Kubernetes 1.19.0: Network Policies
Date: 2022-07-26
Network policy: think of it as a firewall
[root@vms61 chap10-net]# kubectl run pod1 --image=nginx --image-pull-policy=IfNotPresent --labels="name=pod1"
pod/pod1 created
[root@vms61 chap10-net]# kubectl run pod2 --image=nginx --image-pull-policy=IfNotPresent --labels="name=pod2"
pod/pod2 created
[root@vms61 chap10-net]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod1 1/1 Running 0 16s
pod2 1/1 Running 0 6s
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod1 1/1 Running 0 21s name=pod1
pod2 1/1 Running 0 11s name=pod2
[root@vms61 chap10-net]# kubectl expose --name=svc1 pod pod1 --port=80 --type=NodePort
service/svc1 exposed
[root@vms61 chap10-net]# kubectl expose --name=svc2 pod pod2 --port=80 --type=NodePort
service/svc2 exposed
[root@vms61 chap10-net]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc1 NodePort 10.110.91.208 <none> 80:32614/TCP 11s
svc2 NodePort 10.97.135.59 <none> 80:31706/TCP 4s
[root@vms61 chap10-net]# kubectl run pod-test --image=nginx --image-pull-policy=IfNotPresent
pod/pod-test created
[root@vms61 chap10-net]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-test 1/1 Running 0 3s
pod1 1/1 Running 0 5m33s
pod2 1/1 Running 0 5m23s
[root@vms61 chap10-net]# kubectl exec -it pod1 -- bash
root@pod1:/# echo 11111 > /usr/share/nginx/html/index.html
root@pod1:/# exit
exit
[root@vms61 chap10-net]# kubectl exec -it pod2 -- bash
root@pod2:/# echo 22222 > /usr/share/nginx/html/index.html
root@pod2:/# exit
exit
[root@vms61 chap10-net]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc1 NodePort 10.110.91.208 <none> 80:32614/TCP 6m33s
svc2 NodePort 10.97.135.59 <none> 80:31706/TCP 6m26s
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curs -s svc1
bash: curs: command not found
root@pod-test:/# curl -s svc1
11111
root@pod-test:/# curl -s svc2
22222
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
      name: pod1
  policyTypes:
  - Ingress
  ingress:
  - from:
    # - ipBlock:
    #     cidr: 172.17.0.0/16
    #     except:
    #     - 172.17.1.0/24
    # - namespaceSelector:
    #     matchLabels:
    #       project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml
networkpolicy.networking.k8s.io/mypolicy created
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test 1/1 Running 0 51m run=pod-test
pod1 1/1 Running 0 57m name=pod1
pod2 1/1 Running 0 57m name=pod2
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc2
22222
root@pod-test:/# curl -s svc1
^C
root@pod-test:/# exit
[root@vms61 chap10-net]# kubectl label pod pod-test role=frontend
pod/pod-test labeled
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test 1/1 Running 0 54m role=frontend,run=pod-test
pod1 1/1 Running 0 60m name=pod1
pod2 1/1 Running 0 60m name=pod2
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc1
11111
root@pod-test:/# exit
Exit
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
      app: xx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.135.0/24
    #     except:
    #     - 172.17.1.0/24
    # - namespaceSelector:
    #     matchLabels:
    #       project: myproject
    # - podSelector:
    #     matchLabels:
    #       role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml
networkpolicy.networking.k8s.io/mypolicy unchanged
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test 1/1 Running 0 65m run=pod-test
pod1 1/1 Running 0 70m app=xx,name=pod1
pod2 1/1 Running 0 70m app=xx,name=pod2
[root@vms61 chap10-net]# kubectl label pod pod-test role=frontend
pod/pod-test labeled
[root@vms61 chap10-net]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc1 NodePort 10.110.91.208 <none> 80:32614/TCP 68m
svc2 NodePort 10.97.135.59 <none> 80:31706/TCP 68m
[root@vms61 chap10-net]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test 1/1 Running 0 77m run=pod-test
pod1 1/1 Running 0 82m app=xx,name=pod1
pod2 1/1 Running 0 82m app=xx,name=pod2
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
    # - ipBlock:
    #     cidr: 192.168.135.0/24
    #     except:
    #     - 172.17.1.0/24
    # - namespaceSelector:
    #     matchLabels:
    #       project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml
networkpolicy.networking.k8s.io/mypolicy configured
[root@vms61 chap10-net]# kubectl exec -it pod-test -- bash
root@pod-test:/# curl -s svc1
^C
root@pod-test:/# curl -s svc2
^C
root@pod-test:/#
What if you also want pods in another namespace, for example default, to be able to access it?
[root@vms61 chap10-net]# kubectl run pod-test1 --image=nginx --image-pull-policy=IfNotPresent -n default
pod/pod-test1 created
[root@vms61 chap10-net]# kubectl get pods -n default
NAME READY STATUS RESTARTS AGE
pod-test1 1/1 Running 0 9s
[root@vms61 chap10-net]# kubectl get pods -n default --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test1 1/1 Running 0 17s run=pod-test1
[root@vms61 chap10-net]# kubectl label pod pod-test1 -n default role=frontend
pod/pod-test1 labeled
[root@vms61 chap10-net]# kubectl get pods -n default --show-labels
NAME READY STATUS RESTARTS AGE LABELS
pod-test1 1/1 Running 0 5m30s role=frontend,run=pod-test1
[root@vms61 chap10-net]# kubectl label ns default aa=bb
namespace/default labeled
[root@vms61 chap10-net]# cat net1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mypolicy
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  ingress:
  - from:
    # - ipBlock:
    #     cidr: 192.168.135.0/24
    #     except:
    #     - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          aa: bb
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
[root@vms61 chap10-net]# kubectl apply -f net1.yaml
networkpolicy.networking.k8s.io/mypolicy configured
[root@vms61 chap10-net]# kubectl exec -it -n default pod-test -- bash
Error from server (NotFound): pods "pod-test" not found
[root@vms61 chap10-net]# kubectl exec -it -n default pod-test1 -- bash
root@pod-test1:/# curl -s svc1
^C
root@pod-test1:/# curl -s svc1.chap10-net
11111
root@pod-test1:/# curl -s svc2.chap10-net
22222
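The last net1.yaml above lists namespaceSelector and podSelector as two separate entries under `from`, so a source is admitted when either one matches (that is why pod-test1 in default gets in by its namespace label alone); selectors written inside one entry must both match. The following added example, not code from the original post, is a small Python evaluator of these NetworkPolicy ingress semantics; the policies, pod IPs and source pods are constructed to mirror the page's labels, and it also covers the ipBlock/except form the page keeps commented out.

```python
import ipaddress

NS = "chap10-net"  # namespace of the page's policy; test data below is constructed

def labels_match(selector, labels):
    # matchLabels: every key/value in the selector must be present (a bare `matchLabels:` is null)
    return all(labels.get(k) == v for k, v in ((selector or {}).get("matchLabels") or {}).items())

def peer_matches(peer, src):
    # One `from` entry: selectors inside a single entry are AND'ed; ipBlock stands alone
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        return (ip in ipaddress.ip_network(blk["cidr"], strict=False)
                and not any(ip in ipaddress.ip_network(e, strict=False) for e in blk.get("except", [])))
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    # a podSelector without a namespaceSelector only reaches pods in the policy's own namespace
    ns_ok = labels_match(ns_sel, src["ns_labels"]) if ns_sel is not None else src["ns"] == NS
    return ns_ok and (pod_sel is None or labels_match(pod_sel, src["pod_labels"]))

def ingress_allowed(policy, dst_labels, src, port=80):
    # True if `src` may reach a pod carrying dst_labels in NS on TCP `port`
    if not labels_match(policy["podSelector"], dst_labels):
        return True  # policy does not select the destination pod, so it imposes nothing on it
    for rule in policy.get("ingress", []):  # a selected pod with no rules: deny all ingress
        ports = rule.get("ports")
        if ports and not any(p.get("port") == port for p in ports):
            continue
        if not rule.get("from") or any(peer_matches(p, src) for p in rule["from"]):
            return True  # entries under `from` are OR'ed: any single match is enough
    return False

PORTS = [{"protocol": "TCP", "port": 80}]
ALL_PODS = {"matchLabels": {}}  # empty podSelector, as in the page's last net1.yaml
# Page's last policy: namespaceSelector and podSelector are separate `from` items (OR)
POLICY_OR = {"podSelector": ALL_PODS, "ingress": [{"ports": PORTS, "from": [
    {"namespaceSelector": {"matchLabels": {"aa": "bb"}}},
    {"podSelector": {"matchLabels": {"role": "frontend"}}}]}]}
# Same selectors inside ONE item: a source must satisfy both (AND)
POLICY_AND = {"podSelector": ALL_PODS, "ingress": [{"ports": PORTS, "from": [
    {"namespaceSelector": {"matchLabels": {"aa": "bb"}},
     "podSelector": {"matchLabels": {"role": "frontend"}}}]}]}
# The ipBlock form the page leaves commented out, with its `except` list
POLICY_IPBLOCK = {"podSelector": {"matchLabels": {"name": "pod1"}}, "ingress": [{"from": [
    {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}}]}]}
# Constructed sources: pods in default (namespace labelled aa=bb) and pods in chap10-net
FRONTEND_DEFAULT = {"ns": "default", "ns_labels": {"aa": "bb"}, "pod_labels": {"role": "frontend"}, "ip": "10.244.1.5"}
PLAIN_DEFAULT = {"ns": "default", "ns_labels": {"aa": "bb"}, "pod_labels": {"run": "x"}, "ip": "10.244.1.6"}
FRONTEND_LOCAL = {"ns": NS, "ns_labels": {}, "pod_labels": {"role": "frontend"}, "ip": "10.244.2.7"}
PLAIN_LOCAL = {"ns": NS, "ns_labels": {}, "pod_labels": {"run": "pod-test"}, "ip": "10.244.2.8"}
```

With POLICY_OR every pod in a namespace labelled aa=bb is admitted, labelled role=frontend or not; POLICY_AND admits only the frontend pods of those namespaces.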