Calico official website
Flannel was installed earlier, so its leftovers have to be cleaned up first (the CNI config is moved out of the way rather than deleted):
kubectl delete -f kube-flannel.yml
mv /etc/cni/net.d/10-flannel.conflist /mnt/
mkdir calico
cd calico/
kubectl apply -f calico.yaml
Create the service nginx-svc, which selects the pods labelled app=nginx:
kubectl apply -f /root/ingress/nginx-svc.yml
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: myapp
        image: myapp:v2
Test that the service is reachable (no policy exists yet, so every pod can reach it):
vim deny-nginx.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
kubectl apply -f deny-nginx.yml
With this policy in place the app=nginx pods are selected but no ingress rule is defined, so a pod's access to the app=nginx service is denied (it succeeded before the policy was created):
Add the label app=demo to the demo pod:
kubectl label pod demo app=demo
vim acces-demo.yml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: demo
Create the policy:
kubectl apply -f acces-demo.yml
Test: access from the app=demo pod now succeeds.
kubectl create namespace demo
kubectl run demo1 --image=radial/busyboxplus -it -n demo
kubectl run demo2 --image=radial/busyboxplus -it -n demo
vim deny-pod.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: demo
spec:
  podSelector: {}
kubectl apply -f deny-pod.yml
kubectl run nginx --image=myapp:v2
Create the policy:
vim deny-ns.yml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-namespace
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
kubectl apply -f deny-ns.yml
kubectl create namespace test
kubectl label ns test role=prod
kubectl run test1 --image=radial/busyboxplus -it -n test
vim acces-ns.yml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-namespace
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: prod
kubectl apply -f acces-ns.yml
vim nginx.yml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo
spec:
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
curl www1.westos.org
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-external
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - ports:
    - port: 80
    from: []
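The policies above are easy to misread because their effect depends on how they combine: a pod with no policy selecting it accepts everything, a selected pod with no matching rule accepts nothing, a podSelector peer without a namespaceSelector only matches the policy's own namespace, and an empty from list matches every source. The following Python model is an added example (not code from the post, Calico or Kubernetes) that re-implements those documented ingress semantics offline and replays every test the page performs, from the unprotected nginx service through deny-nginx, access-nginx, default-deny in the demo namespace, deny-namespace, access-namespace and web-allow-external. Pod names such as deployment-xxx and the run=<name> labels that kubectl run sets are constructed for the model; ipBlock peers, egress, policyTypes and protocols are deliberately not modelled.

```python
"""Offline model of Kubernetes NetworkPolicy ingress evaluation (added example,
not from the original post).  Policies are plain dicts mirroring the YAML
manifests; pods and namespaces are constructed to match the page."""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


# Namespace labels as set up on the page: only `test` carries role=prod (constructed).
NAMESPACES = {"default": {}, "demo": {}, "test": {"role": "prod"}}


def selector_matches(selector, labels):
    """A selector with no matchLabels (`{}` or a bare `matchLabels:`) selects everything."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src):
    """One `from:` entry.  podSelector and namespaceSelector in the same entry are ANDed;
    a podSelector alone is scoped to the policy's own namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is not None:
        if not selector_matches(ns_sel, NAMESPACES.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, src.labels)


def rule_matches(rule, policy_ns, src, port):
    ports = rule.get("ports")
    if ports and not any(p.get("port") == port for p in ports):
        return False  # protocol is ignored; the page only uses TCP
    peers = rule.get("from")
    if not peers:  # `from` omitted or `from: []` means any source
        return True
    return any(peer_matches(peer, policy_ns, src) for peer in peers)


def ingress_allowed(policies, src, dst, port=80):
    """Allowed iff no policy selects dst, or some selecting policy has a matching rule."""
    selecting = [p for p in policies
                 if p["metadata"].get("namespace", "default") == dst.namespace
                 and selector_matches(p["spec"].get("podSelector", {}), dst.labels)]
    if not selecting:
        return True
    return any(rule_matches(rule, p["metadata"].get("namespace", "default"), src, port)
               for p in selecting for rule in (p["spec"].get("ingress") or []))


def policy(name, pod_selector, ingress=None, namespace="default"):
    """Dict shape of a NetworkPolicy manifest, limited to the fields the model reads."""
    spec = {"podSelector": pod_selector}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}


# The six policies from the page, in the order they are applied.
DENY_NGINX = policy("deny-nginx", {"matchLabels": {"app": "nginx"}})
ACCESS_NGINX = policy("access-nginx", {"matchLabels": {"app": "nginx"}},
                      [{"from": [{"podSelector": {"matchLabels": {"app": "demo"}}}]}])
DEFAULT_DENY = policy("default-deny", {}, namespace="demo")
DENY_NAMESPACE = policy("deny-namespace", {"matchLabels": None},
                        [{"from": [{"podSelector": {}}]}])
ACCESS_NAMESPACE = policy("access-namespace", {"matchLabels": {"run": "nginx"}},
                          [{"from": [{"namespaceSelector": {"matchLabels": {"role": "prod"}}}]}])
WEB_ALLOW_EXTERNAL = policy("web-allow-external", {"matchLabels": {"app": "nginx"}},
                            [{"ports": [{"port": 80}], "from": []}])

# Pods as created on the page (constructed; kubectl run labels a pod run=<name>).
NGINX_DEPLOY = Pod("deployment-xxx", "default", {"app": "nginx"})
NGINX_RUN = Pod("nginx", "default", {"run": "nginx"})
DEMO = Pod("demo", "default", {"run": "demo"})
DEMO_LABELLED = Pod("demo", "default", {"run": "demo", "app": "demo"})
DEMO1 = Pod("demo1", "demo", {"run": "demo1"})
DEMO2 = Pod("demo2", "demo", {"run": "demo2"})
TEST1 = Pod("test1", "test", {"run": "test1"})


def page_scenarios():
    """Replays each test the page performs, adding policies cumulatively; returns {description: allowed}."""
    stack, out = [], {}
    out["no policy: demo -> nginx"] = ingress_allowed(stack, DEMO, NGINX_DEPLOY)
    stack.append(DENY_NGINX)
    out["deny-nginx: demo -> nginx"] = ingress_allowed(stack, DEMO, NGINX_DEPLOY)
    stack.append(ACCESS_NGINX)
    out["access-nginx: demo(app=demo) -> nginx"] = ingress_allowed(stack, DEMO_LABELLED, NGINX_DEPLOY)
    out["access-nginx: demo(no label) -> nginx"] = ingress_allowed(stack, DEMO, NGINX_DEPLOY)
    stack.append(DEFAULT_DENY)
    out["default-deny: demo1 -> demo2"] = ingress_allowed(stack, DEMO1, DEMO2)
    stack.append(DENY_NAMESPACE)
    out["deny-namespace: demo1 -> nginx(run=nginx)"] = ingress_allowed(stack, DEMO1, NGINX_RUN)
    out["deny-namespace: demo -> nginx(run=nginx)"] = ingress_allowed(stack, DEMO, NGINX_RUN)
    stack.append(ACCESS_NAMESPACE)
    out["access-namespace: test1 -> nginx(run=nginx)"] = ingress_allowed(stack, TEST1, NGINX_RUN)
    out["access-namespace: demo1 -> nginx(run=nginx)"] = ingress_allowed(stack, DEMO1, NGINX_RUN)
    stack.append(WEB_ALLOW_EXTERNAL)
    out["web-allow-external: demo1 -> nginx:80"] = ingress_allowed(stack, DEMO1, NGINX_DEPLOY, 80)
    out["web-allow-external: demo1 -> nginx:443"] = ingress_allowed(stack, DEMO1, NGINX_DEPLOY, 443)
    return out


if __name__ == "__main__":
    for desc, ok in page_scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {desc}")
```

Two results are worth checking against the cluster: deny-namespace selects every pod in default (a bare matchLabels: is an empty selector), so the unlabelled nginx pod created with kubectl run loses cross-namespace access the moment that policy is applied, and web-allow-external opens port 80 to all sources while every other port on the app=nginx pods stays denied by deny-nginx.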