openshift 4.3 network policy demo
https://docs.openshift.com/container-platform/4.3/networking/configuring-networkpolicy.html
video
- https://youtu.be/pbV2VwIExVg
- https://www.bilibili.com/video/BV1vz411B7pC/
# 为zxcdn namespace,和demo namespace配置network policy,只放行CDN内部应用和ingress的流量,外部应用流量一律拒绝。
cat << EOF > demo.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-other-namespaces
spec:
podSelector: null
ingress:
- from:
- podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-openshift-ingress
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
network.openshift.io/policy-group: ingress
podSelector: {}
policyTypes:
- Ingress
EOF
oc apply -n zxcdn -f demo.yaml
oc apply -n demo -f demo.yaml
# 在 demo 和 zxcdn 空间中,各创建一个测试用的pod
cat << EOF > demo.yaml
---
kind: Deployment
apiVersion: apps/v1
metadata:
annotations:
name: demo
spec:
replicas: 1
selector:
matchLabels:
app: demo
template:
metadata:
labels:
app: demo
spec:
nodeSelector:
kubernetes.io/hostname: 'infra1.hsc.redhat.ren'
restartPolicy: Always
containers:
- name: demo1
image: >-
registry.redhat.ren:5443/docker.io/wangzheng422/centos:centos7-test
env:
- name: key
value: value
command: ["/bin/bash", "-c", "--" ]
args: [ "trap : TERM INT; sleep infinity & wait" ]
imagePullPolicy: Always
EOF
oc apply -n demo -f demo.yaml
oc apply -n zxcdn -f demo.yaml
# 查找cdn的ip地址
oc get pod -o wide -n zxcdn
# 进入demo pod,ping cdn pod,应该ping不通
# 配置zxcdn namespace的network policy,放行demo namespace
oc label namespace demo name=demo
cat << EOF > demo.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-other-namespaces
spec:
podSelector: null
ingress:
- from:
- podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-openshift-ingress
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
network.openshift.io/policy-group: ingress
podSelector: {}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-other
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
name: demo
podSelector: {}
policyTypes:
- Ingress
EOF
oc apply -n zxcdn -f demo.yaml
# 进入demo pod,ping cdn pod,应该可以ping通
# 进入zxcdn project里面的一个pod, ping demo pod,应该ping不通
oc get pod -n demo -o wide
# 配置 demo namespace的network policy, 放行 zxcdn namespace
oc label namespace zxcdn name=zxcdn
cat << EOF > demo.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-other-namespaces
spec:
podSelector: null
ingress:
- from:
- podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-openshift-ingress
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
network.openshift.io/policy-group: ingress
podSelector: {}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-other
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
name: zxcdn
podSelector: {}
policyTypes:
- Ingress
EOF
oc apply -n demo -f demo.yaml
# 进入zxcdn project里面的一个pod, ping demo pod,应该能够ping通
oc delete -n zxcdn -f demo.yaml
oc delete -n demo -f demo.yaml