
Security assurance is based on software life cycle - networkpolicy application

2022-07-28 13:58:00 taoli-qiao

NetworkPolicy controls network traffic at the IP address or port level. Network policies are implemented by the network plugin, so to use them the cluster must run a network solution that supports NetworkPolicy. If you create a NetworkPolicy resource object and no controller acts on it, that NetworkPolicy has no effect. Once a network policy selects some Pods, those Pods follow the rules defined in the NetworkPolicy. Network policies do not conflict with each other: if one or more policies select a Pod, the Pod is subject to the union of all of those policies. A NetworkPolicy rule has a few key fields, whose meanings are as follows:
spec: contains all the information needed to define a specific network policy within a namespace.
podSelector: selects a group of Pods; if the podSelector field is empty, it selects all Pods in the namespace.
policyTypes: contains Ingress, Egress, or both; if policyTypes is not specified, the default is Ingress.
Ingress: a whitelist of ingress rules; each rule allows traffic that matches both its from and its ports section.
Egress: a whitelist of egress rules; each rule allows traffic that matches both its to and its ports section.

For example, the following rule selects the Pods labelled role=db.

podSelector:
  matchLabels:
    role: db

Of the two rules below, the second allows all ingress traffic because its ingress list contains - {}; when ingress contains no - {} entry, as in the first rule, all ingress traffic is rejected.

spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress

NetworkPolicy is a namespace-level resource whose rules apply to the selected set of endpoints. GlobalNetworkPolicy has the same function as NetworkPolicy but is a cluster-level resource: a GlobalNetworkPolicy takes effect in every Namespace of the cluster and can also restrict hosts (HostEndpoint).

Next, a practical example demonstrates how NetworkPolicy works; the network plugin used by the cluster is Calico. First deploy two applications using the YAML files below. toolbox is used to access the Pods of the calico-demo Deployment.

apiVersion: v1
kind: Namespace
metadata:
  name: calico-demo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: calico-demo
  name: calico-demo
  labels:
    app: calico-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: calico-demo
  template:
    metadata:
      labels:
        app: calico-demo
        access: "true"
    spec:
      containers:
        - name: calico-demo
          image: nginx
          ports:
            - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
#  namespace: default
  name: toolbox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: toolbox
  template:
    metadata:
      labels:
        app: toolbox
        access: "true"
    spec:
      containers:
        - name: toolbox
          image: centos
          command:
            - tail
            - -f
            - /dev/null

One toolbox is deployed in the calico-demo namespace and another in the default namespace. After deployment, log in to the toolbox Pod and use the curl and ping commands to access the calico-demo service; every access succeeds. Likewise, from the toolbox in the default namespace, both curl and ping succeed.

Now apply the following NetworkPolicy, which means that no traffic is allowed. After the NetworkPolicy takes effect, running the curl and ping commands again inside the toolbox Pods in both namespaces no longer works.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
  namespace: calico-demo
spec:
  podSelector: {}

Then apply the following GlobalNetworkPolicy, which opens up the ping command. Because it is a Global policy, ping succeeds from the toolbox in both namespaces, while the curl command still fails.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-ping-in-cluster
spec:
  selector: all()
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: ICMP
      source:
        selector: all()
      icmp:
        type: 8 # Ping request
    - action: Allow
      protocol: ICMPv6
      source:
        selector: all()
      icmp:
        type: 128 # Ping request

Then open port 80, but only for traffic that comes from Pods in the default namespace. After the following NetworkPolicy takes effect, the curl command from the toolbox in the default namespace can reach the calico-demo service.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-http
  namespace: calico-demo
spec:
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
      ports:
        - protocol: TCP
          port: 80
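To make the field semantics described at the top of the post (empty podSelector selects every Pod, policyTypes defaults to Ingress, no ingress rules means deny all, - {} means allow all, several policies combine as a union) concrete, and to replay the default-deny and allow-http sequence just shown, here is a small evaluator of Kubernetes NetworkPolicy ingress semantics. It is an added example, not code from the post or from Calico: the Pod and namespace labels are constructed to mirror the Deployments above, only namespaceSelector and podSelector peers are modelled (not ipBlock), and the Calico GlobalNetworkPolicy for ICMP is outside what it covers.

```python
"""Evaluator for Kubernetes NetworkPolicy ingress semantics (added example)."""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace labels; a real cluster sets
# kubernetes.io/metadata.name on every namespace automatically.
NAMESPACE_LABELS = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "calico-demo": {"kubernetes.io/metadata.name": "calico-demo"},
}


def matches(selector, labels):
    """matchLabels semantics; an absent or empty selector matches everything."""
    if not selector:
        return True
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(policy):
    """Explicit policyTypes win; otherwise Ingress (plus Egress when egress rules exist,
    per the Kubernetes API)."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def peer_matches(peer, src, policy_ns):
    """One entry of `from`. namespaceSelector and podSelector in the same entry are
    ANDed; a podSelector on its own refers to the policy's own namespace."""
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(src.namespace, {})):
            return False
        return matches(peer["podSelector"], src.labels) if "podSelector" in peer else True
    if "podSelector" in peer:
        return src.namespace == policy_ns and matches(peer["podSelector"], src.labels)
    return False  # ipBlock peers are not modelled in this example


def rule_allows(rule, src, policy_ns, port, proto):
    """A rule allows traffic matching both its `from` and its `ports` part;
    an omitted part matches everything, so the empty rule `{}` matches all traffic."""
    if "from" in rule and not any(peer_matches(p, src, policy_ns) for p in rule["from"]):
        return False
    if "ports" in rule:
        return any(p.get("protocol", "TCP") == proto and p.get("port") == port
                   for p in rule["ports"])
    return True


def ingress_allowed(policies, src, dst, port, proto="TCP"):
    """Union semantics: a Pod selected by one or more ingress policies accepts a
    connection if any rule of any of them allows it; a Pod selected by no
    ingress policy accepts everything."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and "Ingress" in policy_types(p)
                 and matches(p["spec"].get("podSelector"), dst.labels)]
    if not selecting:
        return True
    return any(rule_allows(r, src, p["metadata"]["namespace"], port, proto)
               for p in selecting for r in p["spec"].get("ingress", []))


# The two Kubernetes policies from the post, as their parsed YAML would appear.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "calico-demo"},
                "spec": {"podSelector": {}}}
ALLOW_HTTP = {"metadata": {"name": "allow-http", "namespace": "calico-demo"},
              "spec": {"podSelector": {},
                       "ingress": [{"from": [{"namespaceSelector": {"matchLabels":
                                        {"kubernetes.io/metadata.name": "default"}}}],
                                    "ports": [{"protocol": "TCP", "port": 80}]}]}}
# The allow-all form from the top of the post (ingress: - {}).
ALLOW_ALL = {"metadata": {"name": "allow-all", "namespace": "calico-demo"},
             "spec": {"podSelector": {}, "ingress": [{}], "policyTypes": ["Ingress"]}}

# Constructed Pods mirroring the Deployments above.
NGINX = Pod("calico-demo", "calico-demo", {"app": "calico-demo", "access": "true"})
TOOLBOX_DEFAULT = Pod("toolbox", "default", {"app": "toolbox", "access": "true"})
TOOLBOX_DEMO = Pod("toolbox", "calico-demo", {"app": "toolbox", "access": "true"})


def demo():
    """Replays the post's sequence; each value is whether curl to port 80 would succeed."""
    both = [DEFAULT_DENY, ALLOW_HTTP]
    return {
        "no policy": ingress_allowed([], TOOLBOX_DEMO, NGINX, 80),
        "default-deny": ingress_allowed([DEFAULT_DENY], TOOLBOX_DEFAULT, NGINX, 80),
        "allow-http from default": ingress_allowed(both, TOOLBOX_DEFAULT, NGINX, 80),
        "allow-http from calico-demo": ingress_allowed(both, TOOLBOX_DEMO, NGINX, 80),
        "allow-http wrong port": ingress_allowed(both, TOOLBOX_DEFAULT, NGINX, 8080),
        "allow-all": ingress_allowed([DEFAULT_DENY, ALLOW_ALL], TOOLBOX_DEMO, NGINX, 8080),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:30} {'allowed' if allowed else 'denied'}")
```

The "allow-all" case shows the union rule in action: default-deny still selects the nginx Pod, but once a second policy with an empty ingress rule also selects it, every connection is accepted, which is why a stray allow-all policy in a namespace silently undoes a default deny.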

This demonstrates the NetworkPolicy working process. NetworkPolicy is in fact enforced through firewall rules, and the iptables project was originally created to manage firewall rule configuration, so inspecting Calico's iptables rules reveals the control logic behind it. Looking at Calico's firewall rules, you will see the cali-INPUT chain.

Viewing the network configuration with the ip a command, you can see interfaces whose names begin with cali. When the Calico network plugin is used, requests passing through the network plugin go through these cali interfaces.

After the first NetworkPolicy is added, the main change in iptables is that requests arriving through the cali interfaces are marked 0x0/0x20000, and for requests carrying that mark the -j action is DROP, meaning the packet is discarded and not processed further. This is how the request is rejected by the NetworkPolicy.

After ICMP is opened, the firewall rules change as follows: requests matching icmp-type 8 are marked 0x10000, and for requests carrying that mark the -j action is RETURN, meaning they return directly from the chain instead of being dropped.

That is how NetworkPolicy works. By configuring NetworkPolicy you can customize the control of requests at the network level and keep the cluster secure.

Original site

Copyright notice
This article was written by [taoli-qiao]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/209/202207281249073114.html