
5. CES Namespace Policy Configuration

Oilbeater edited this page Dec 12, 2021 · 1 revision

Namespace Egress Policy Use Case

On a Kubernetes platform, namespaces are generally used to isolate projects, and different projects have different requirements for reaching external services. Administratively, each project usually belongs either to the platform administrator or to a project team. The egress policy of each project therefore needs to be attached to its own namespace.

This feature requires support from a specific CNI. The CES controller currently supports kube-ovn's namespace-based subnets; support for Calico's namespace-level networking is planned.


How to Configure the Policy

  1. First, create the target external service to be accessed. The service must be created in the corresponding namespace. Combinations of IP address, domain name and protocol are supported, as is an IP-only entry covering any protocol:

```console
# kubectl get externalservices -A
NAMESPACE     NAME               ADDRESSES
ns-600        ns600-baidu-bwc    [www.baidu.com]
ns-600        ns600-linjing-io   [linjing.io]
ns-600        ns600-nginx-api    [3.125.64.247 18.193.151.235]
ns-700        ns700-icbc-api     [180.169.80.5]
```

Dynamic bandwidth limiting can be applied per client. The administrator defining the policy only needs to pick a suitable bandwidth-limit entry from the irules list in the configmap:

```yaml
# kubectl get externalservices ns600-baidu-bwc -n ns-600 -o yaml
apiVersion: kubeovn.io/v1alpha1
kind: ExternalService
metadata:
  name: ns600-baidu-bwc
  namespace: ns-600
spec:
  addresses:
  - www.baidu.com
  ports:
  - bandwidth: bwc-2mbps-irule
    name: tcp-80
    port: "80"
    protocol: TCP
```

```yaml
# kubectl get externalservices ns700-icbc-api -n ns-700 -o yaml
apiVersion: kubeovn.io/v1alpha1
kind: ExternalService
metadata:
  name: ns700-icbc-api
  namespace: ns-700
spec:
  addresses:
  - 180.169.80.5
  ports:
  - name: tcp-80
    port: "80"
    protocol: TCP
```
  2. Create a namespaceegressrules rule that references the external service created above. The namespaceegressrules object must be configured in the corresponding namespace.

```console
# kubectl get namespaceegressrules -A
NAMESPACE   NAME                    ACTION              STATUS
ns-600      ns600-allow-baidu-bwc   accept-decisively   Success
ns-600      ns600-allow-nginx-api   accept-decisively   Success
ns-700      ns700-allow-icbc-api    accept-decisively   Success
```

```yaml
apiVersion: kubeovn.io/v1alpha1
kind: NamespaceEgressRule
metadata:
  name: ns600-allow-baidu-bwc
  namespace: ns-600
spec:
  action: accept-decisively
  externalServices:
  - ns600-baidu-bwc
```

```yaml
apiVersion: kubeovn.io/v1alpha1
kind: NamespaceEgressRule
metadata:
  name: ns700-allow-icbc-api
  namespace: ns-700
spec:
  action: accept-decisively
  externalServices:
  - ns700-icbc-api
```
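The two steps above can be sanity-checked offline before the objects are applied. The Python below is an added example, not code from the CES project: it models the page's ExternalService and NamespaceEgressRule objects as constructed dicts (plus one deliberately misconfigured rule that sits in ns-700 but references a service defined in ns-600), flags rules whose referenced ExternalService is not in the rule's own namespace, and answers whether a pod in a given namespace is allowed to reach a destination, reproducing the ns-600/ns-700 outcomes shown in the verification section.

```python
from collections import defaultdict

# Constructed from the page's ExternalService YAML (namespace, name, addresses, ports).
EXTERNAL_SERVICES = [
    {"namespace": "ns-600", "name": "ns600-baidu-bwc",
     "addresses": ["www.baidu.com"], "ports": [("TCP", "80")]},
    {"namespace": "ns-600", "name": "ns600-nginx-api",
     "addresses": ["3.125.64.247", "18.193.151.235"], "ports": [("TCP", "80")]},
    {"namespace": "ns-700", "name": "ns700-icbc-api",
     "addresses": ["180.169.80.5"], "ports": [("TCP", "80")]},
]
# Constructed from the page's NamespaceEgressRule YAML, plus one deliberately
# broken rule: it lives in ns-700 but references a service defined in ns-600.
EGRESS_RULES = [
    {"namespace": "ns-600", "name": "ns600-allow-baidu-bwc",
     "action": "accept-decisively", "externalServices": ["ns600-baidu-bwc"]},
    {"namespace": "ns-600", "name": "ns600-allow-nginx-api",
     "action": "accept-decisively", "externalServices": ["ns600-nginx-api"]},
    {"namespace": "ns-700", "name": "ns700-allow-icbc-api",
     "action": "accept-decisively", "externalServices": ["ns700-icbc-api"]},
    {"namespace": "ns-700", "name": "ns700-allow-baidu-misconfigured",
     "action": "accept-decisively", "externalServices": ["ns600-baidu-bwc"]},
]

def lint_rules(services, rules):
    """Report rules whose externalServices entries are not defined in the rule's
    own namespace; the page requires both objects to be in the same namespace."""
    names_by_ns = defaultdict(set)
    for svc in services:
        names_by_ns[svc["namespace"]].add(svc["name"])
    findings = []
    for rule in rules:
        for ref in rule["externalServices"]:
            if ref not in names_by_ns[rule["namespace"]]:
                findings.append(f"{rule['namespace']}/{rule['name']}: ExternalService "
                                f"{ref!r} is not defined in namespace {rule['namespace']}")
    return findings

def is_allowed(namespace, address, port, protocol, services, rules):
    """True if an accept rule in `namespace` references a same-namespace ExternalService
    listing address and protocol/port; anything else falls back to the global policy."""
    svc_index = {(s["namespace"], s["name"]): s for s in services}
    for rule in rules:
        if rule["namespace"] != namespace or rule["action"] != "accept-decisively":
            continue
        for ref in rule["externalServices"]:
            svc = svc_index.get((namespace, ref))  # cross-namespace refs resolve to None
            if svc and address in svc["addresses"] and (protocol, str(port)) in svc["ports"]:
                return True
    return False
```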

Verification

In the policy configured above, the ns-600 namespace is allowed to access www.baidu.com, while the global policy does not allow access to www.baidu.com. Services in ns-600 can therefore reach www.baidu.com, while other namespaces cannot.

```console
# kubectl get pod -n ns-600
NAME                     READY   STATUS    RESTARTS   AGE
myapp-648bc84478-d6sv2   1/1     Running   0          18d
tmp-shell-ns600          1/1     Running   1          170d
# kubectl exec -it tmp-shell-ns600 -n ns-600 -- sh
~ # curl -I www.baidu.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Wed, 24 Nov 2021 06:55:27 GMT
Etag: "575e1f59-115"
Last-Modified: Mon, 13 Jun 2016 02:50:01 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
```

Namespace ns-700 cannot reach baidu.com:

```console
bash-5.1# curl -I www.baidu.com
^C
```

Pods in ns-700 can, however, reach the ICBC API:

```console
bash-5.1# curl -H "Host: open.icbc.com.cn" 180.169.80.5
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://open.icbc.com.cn/">here</a>.</p>
</body></html>
```

Next Steps

k8s Service-level policies
