
YYDS practical roundup: k8s network policies

2022-01-27 02:48:26 key_ 3_ feng

A network policy is a specification of how groups of Pods are allowed to communicate with each other and with other network endpoints. It uses labels to select groups of Pods and defines rules that control the traffic of the selected group, giving Kubernetes a more fine-grained traffic-control and tenant-isolation mechanism. NetworkPolicy is a first-class resource in the Kubernetes API, and administrators or users can define network access control policies on demand with this standard resource type.

By default Kubernetes places no restrictions on Pod traffic: a Pod can communicate with any other Pod in the cluster and with network endpoints outside the cluster. NetworkPolicy is a namespace-scoped resource that lets the user manage the Ingress and Egress traffic of a group of Pods filtered by a label selector. Once a NetworkPolicy is introduced into a namespace, all traffic of the Pods "selected" by its label selector is denied by default, and only traffic explicitly "allowed" by a specific NetworkPolicy resource is permitted. Pods that are not selected by the label selector of any NetworkPolicy resource are unaffected.

Pod group: the set of Pods dynamically selected by the NetworkPolicy resource's Pod label selector (spec.podSelector). These Pods are the targets of the policy's rules, and they can be selected with matchLabels or matchExpressions label selectors.

Egress rules: rules for outbound traffic, controlling traffic from the selected Pod group to other network endpoints. They are defined by the destination endpoints the traffic may reach (spec.egress.to) and the destination ports (spec.egress.ports).

Ingress rules: rules for inbound traffic, controlling the traffic received by the selected Pod group. They are defined by the source endpoints of the traffic (spec.ingress.from) and the target ports of the traffic (spec.ingress.ports).

Peer endpoint (to, from): the peer hosts the selected Pod group communicates with. A peer can be an IP address block in CIDR notation (ipBlock), a namespace selector (namespaceSelector) that matches all Pods in the selected namespaces, or a Pod selector (podSelector) that chooses a specific set of Pods in the given namespace, and so on.

The Calico project can on its own provide a Kubernetes cluster with both the network plug-in and network policy. It can also be combined with Flannel, where Flannel provides the networking and Calico is used only for network policy; that combination is the separate Canal project.

On a Kubernetes cluster where namespaces separate multiple tenants or even multiple projects, communication between them should usually be isolated to improve the overall security of the system. These namespaces should, however, normally allow communication between their own Pods, and accept requests from the namespaces of the cluster's management applications, including kube-system and kubernetes-dashboard, as well as the namespace dedicated to the cluster log collection system (for example logs) and the one dedicated to the monitoring system (for example monitoring). At the same time, these namespaces usually need to reach the DNS service and the Kubernetes API, among others.
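The tenant baseline described above, written out as a single NetworkPolicy. This is an added example, not a manifest from the original post; it assumes a tenant namespace named tenant-a, that namespaces carry the kubernetes.io/metadata.name label (set automatically by Kubernetes 1.21+), that the cluster DNS Pods in kube-system carry the k8s-app: kube-dns label, and a placeholder API server address.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-baseline
  namespace: tenant-a            # assumed tenant namespace
spec:
  podSelector: {}                # empty selector: every Pod in tenant-a
  # A selected Pod is isolated only for the directions listed here;
  # listing both makes every Pod default-deny for ingress and egress.
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Separate list items are OR-ed: either peer is accepted.
  - from:
    - podSelector: {}            # any Pod inside tenant-a itself
    - namespaceSelector:         # the cluster's management namespaces
        matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values: [kube-system, kubernetes-dashboard, logs, monitoring]
  egress:
  - to:
    - podSelector: {}            # Pod-to-Pod traffic within tenant-a
  # namespaceSelector and podSelector in ONE item are AND-ed:
  # only the DNS Pods of kube-system, and only on port 53.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns      # assumed label of the CoreDNS/kube-dns Pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - ipBlock:
        cidr: 192.0.2.10/32      # PLACEHOLDER: the API server endpoint address
    ports:
    - protocol: TCP
      port: 6443                 # PLACEHOLDER: the API server port
```

The ipBlock entry must match the address the CNI sees after service NAT, which for the API server is normally the endpoint address from `kubectl get endpoints kubernetes` rather than the ClusterIP of the kubernetes Service.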
