
Kubernetes Network Policies: In-Depth Analysis and Security Practice

Author: Zhang Xiaoming, front-end development engineer


Introduction

Network policies are the key building block for micro-segmentation and a zero-trust security model in Kubernetes. This article looks in depth at how Kubernetes network policies work, how they are configured, and the practices that make them effective.

1. Network Policy Overview

1.1 Network policy architecture

```text
┌──────────────────────────────────────────────────────────┐
│               Network policy architecture                │
├──────────────────────────────────────────────────────────┤
│  ┌────────────┐      ┌────────────┐      ┌────────────┐  │
│  │   Pod A    │      │   Pod B    │      │   Pod C    │  │
│  │ (app=api)  │──────│ (app=db)   │      │(app=cache) │  │
│  └────────────┘      └────────────┘      └────────────┘  │
│        │                   │                             │
│        ▼                   ▼                             │
│  ┌────────────────────────────────────────┐              │
│  │              NetworkPolicy             │              │
│  │  - allow api -> db                     │              │
│  │  - deny all other traffic              │              │
│  └────────────────────────────────────────┘              │
└──────────────────────────────────────────────────────────┘
```

1.2 Network policy types

| Type | Description | Direction |
| --- | --- | --- |
| Ingress | Controls inbound traffic | Into the pod |
| Egress | Controls outbound traffic | Out of the pod |
| Ingress + Egress | Controls traffic in both directions | Both |

1.3 Default network behaviour

| Scenario | Default behaviour | After a NetworkPolicy of that type selects the pod |
| --- | --- | --- |
| Ingress | All inbound traffic allowed | Denied unless a rule explicitly allows it |
| Egress | All outbound traffic allowed | Denied unless a rule explicitly allows it |

2. Network Policy Configuration

2.1 Basic ingress policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: default
spec:
  podSelector: {}       # selects every pod in the namespace
  policyTypes:
  - Ingress             # no ingress rules listed, so all inbound traffic is denied
```

2.2 Allowing specific traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 3306
```

2.3 Egress policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system   # this label must exist on the namespace; section 7.3 uses the automatic kubernetes.io/metadata.name label instead
    ports:
    - protocol: UDP
      port: 53
```
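To make the evaluation rules of this section concrete, the following is an added example (not code from the original article) that decides whether a pod-to-pod connection is allowed under the deny-all-ingress and allow-api-to-db policies above. Policies, pods and namespaces are plain Python dicts mirroring the YAML and are constructed here; ipBlock rules are not modelled.

```python
# Added example (not the article's code): NetworkPolicy semantics over policies written as dicts mirroring the YAML
def _selects(selector, labels):
    # matchLabels entries are ANDed; an empty selector ({}) matches everything
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_matches(peer, pod, policy_ns, namespaces):
    # One from/to entry: podSelector AND namespaceSelector when both are present;
    # podSelector alone is scoped to the policy's own namespace. ipBlock is not modelled.
    if "ipBlock" in peer:
        return False
    ns_ok = (_selects(peer["namespaceSelector"], namespaces[pod["namespace"]])
             if "namespaceSelector" in peer else pod["namespace"] == policy_ns)
    return ns_ok and _selects(peer.get("podSelector", {}), pod["labels"])

def _port_matches(ports, protocol, port):
    # No ports list means every port; protocol defaults to TCP
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)

def _direction_allowed(direction, subject, peer, protocol, port, policies, namespaces):
    # Allowed unless a policy isolates 'subject' in this direction and no rule permits the traffic
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec, ns = pol["spec"], pol["metadata"]["namespace"]
        if (ns != subject["namespace"] or direction not in spec.get("policyTypes", ["Ingress"])
                or not _selects(spec["podSelector"], subject["labels"])):
            continue
        isolated = True  # selected for this direction: default-deny now applies
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peer_key) or []
            if ((not peers or any(_peer_matches(p, peer, ns, namespaces) for p in peers))
                    and _port_matches(rule.get("ports"), protocol, port)):
                return True
    return not isolated
def connection_allowed(src, dst, protocol, port, policies, namespaces):
    # Pod-to-pod traffic needs the source's egress AND the destination's ingress to allow it
    return (_direction_allowed("Egress", src, dst, protocol, port, policies, namespaces)
            and _direction_allowed("Ingress", dst, src, protocol, port, policies, namespaces))

# Constructed sample: the deny-all-ingress and allow-api-to-db policies from this section
NAMESPACES = {"default": {"kubernetes.io/metadata.name": "default"}}
API = {"namespace": "default", "labels": {"app": "api"}}
DB = {"namespace": "default", "labels": {"app": "database"}}
POLICIES = [
    {"metadata": {"name": "deny-all-ingress", "namespace": "default"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-api-to-db", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"app": "database"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                           "ports": [{"protocol": "TCP", "port": 3306}]}]}},
]
```

With these two policies only api pods in the same namespace reach the database on TCP/3306; the database itself is still free to send egress traffic because no policy of type Egress selects it.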

3. Advanced Network Policies

3.1 Namespace-based policies

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-monitoring
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: monitoring    # any pod in a namespace carrying this label
    ports:
    - protocol: TCP
      port: 8080
```

3.2 IP block policies

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-access
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/8      # ipBlock is intended for addresses outside the cluster; pod traffic is matched by selectors
        except:
        - 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 80
```

3.3 Combined policies

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: comprehensive-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: payment-service
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    # two separate entries are ORed: order-service pods in this namespace, or any pod in a namespace labelled name=trusted
    - podSelector:
        matchLabels:
          app: order-service
    - namespaceSelector:
        matchLabels:
          name: trusted
    ports:
    - protocol: TCP
      port: 443
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - ipBlock:
        cidr: 10.0.0.0/8
    ports:
    - protocol: TCP
      port: 443
```

4. Network Policy Implementations

4.1 Calico network policy

```yaml
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: calico-policy
  namespace: default
spec:
  selector: app == 'web'
  ingress:
  - action: Allow
    protocol: TCP           # Calico requires a protocol whenever ports are listed
    source:
      selector: app == 'api'
    destination:
      ports:
      - 80                  # Calico ports are plain numbers, ranges or names
  egress:
  - action: Allow
    protocol: TCP
    destination:
      selector: app == 'db'
      ports:
      - 3306
```

4.2 Cilium network policy

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cilium-policy
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
```

5. Network Policy Best Practices

5.1 Default-deny policy

```yaml
# First create the default-deny policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Then add the allow rules
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system   # requires this label on the namespace; see section 7.3 for the built-in label
    ports:
    - protocol: UDP
      port: 53
```

5.2 Layered policies

```yaml
# Layer 1: base policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: base-policy
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53
---
# Layer 2: application policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  - Egress         # allow rules are unioned across policies: with no egress rules here, api pods may only reach DNS
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

5.3 Namespace isolation

```yaml
# Create an isolation policy for each namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-isolation
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: team-a
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: team-a   # DNS to kube-system is not covered here; combine with the allow-dns policy from 5.1
```
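The practices in 5.1 to 5.3 and the checklist in section 8 can be audited offline. The following added example (not code from the original article) checks a set of NetworkPolicy objects, given as dicts mirroring the YAML, for a default-deny on both directions, a DNS allow wherever egress is isolated, and namespaceSelector labels that no namespace actually carries; the namespaces and policies are constructed for the example.

```python
# Added example (not the article's code): offline audit of a policy set against the
# default-deny, DNS and namespace-isolation practices above; inputs mirror the YAML
def _isolates_all(spec, direction):
    # podSelector {} with the direction in policyTypes puts every pod of the namespace in default-deny
    return spec.get("podSelector") == {} and direction in spec.get("policyTypes", [])

def _allows_dns(spec):
    # Any egress rule permitting UDP/53 (the article sends it to kube-system) counts
    return any(p.get("protocol", "TCP") == "UDP" and p.get("port") == 53
               for rule in spec.get("egress") or [] for p in rule.get("ports") or [])

def _dangling_ns_selectors(spec, namespaces):
    # namespaceSelector labels that no namespace carries (e.g. 'name: kube-system' when only the
    # automatic kubernetes.io/metadata.name label exists) silently match nothing
    for rules_key, peer_key in (("ingress", "from"), ("egress", "to")):
        for rule in spec.get(rules_key) or []:
            for peer in rule.get(peer_key) or []:
                labels = peer.get("namespaceSelector", {}).get("matchLabels", {})
                if labels and not any(all(nl.get(k) == v for k, v in labels.items())
                                      for nl in namespaces.values()):
                    yield f"namespaceSelector {labels} matches no namespace"

def audit(policies, namespaces):
    """Return {namespace: [finding, ...]}; an empty list means the checks passed."""
    findings = {}
    for ns in namespaces:
        specs = [p["spec"] for p in policies if p["metadata"]["namespace"] == ns]
        out = [f"no policy isolates all pods for {d.lower()}" for d in ("Ingress", "Egress")
               if not any(_isolates_all(s, d) for s in specs)]
        if any(_isolates_all(s, "Egress") for s in specs) and not any(_allows_dns(s) for s in specs):
            out.append("all pods are egress-isolated but no policy allows DNS (UDP/53)")
        for s in specs:
            out.extend(_dangling_ns_selectors(s, namespaces))
        findings[ns] = out
    return findings

# Constructed sample: default-deny-all, allow-dns and namespace-isolation from the sections above
NAMESPACES = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("default", "kube-system", "team-a")}
NAMESPACES["team-a"]["name"] = "team-a"  # team-a carries the manual label, kube-system does not
POLICIES = [
    {"metadata": {"name": "default-deny-all", "namespace": "default"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "allow-dns", "namespace": "default"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{"to": [
         {"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}],
         "ports": [{"protocol": "UDP", "port": 53}]}]}},
    {"metadata": {"name": "namespace-isolation", "namespace": "team-a"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "team-a"}}}]}],
              "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "team-a"}}}]}]}},
]
```

In this sample the default namespace's allow-dns policy points at a `name: kube-system` label the namespace does not have, and team-a's isolation policy cuts off DNS; kube-system has no default-deny at all.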

6. Network Policy Monitoring

6.1 Policy status monitoring

```bash
#!/bin/bash
# Check network policy status
echo "=== Network Policies ==="
kubectl get networkpolicy

# Show policy details
echo ""
echo "=== Network Policy Details ==="
kubectl describe networkpolicy allow-api-to-db

# Check pod network status
echo ""
echo "=== Pod Network Status ==="
kubectl get pods -o wide

# Test connectivity on the port the policy allows (TCP/3306): ICMP ping is not
# matched by a TCP port rule, and a bare pod name does not resolve through cluster
# DNS, so look up the pod IP first (assumes nc is available in the api image)
echo ""
echo "=== Network Connectivity Test ==="
DB_IP=$(kubectl get pod db-pod -o jsonpath='{.status.podIP}')
kubectl exec api-pod -- nc -zv -w 3 "$DB_IP" 3306
```

6.2 Traffic visualisation

```yaml
# Calico flow-log and metrics configuration
apiVersion: operator.tigera.io/v1
kind: Monitor
metadata:
  name: monitor
spec:
  logCollection:
    flowLogs:
      enabled: true
      destination: elasticsearch
  prometheusMetrics:
    enabled: true
```

7. Troubleshooting

7.1 Policy has no effect

```bash
# Problem: the network policy has no effect
# Fix: check that the CNI plugin enforces NetworkPolicy (Calico shown here)
kubectl get pods -n kube-system -l k8s-app=calico-node
# Check the policy configuration
kubectl get networkpolicy -o yaml
# Check pod labels against the policy's podSelector
kubectl get pods --show-labels
```

7.2 Traffic unexpectedly blocked

```bash
# Problem: legitimate traffic is blocked
# Fix: inspect the policy rules
kubectl describe networkpolicy default-deny-all
# Add a temporary allow-all rule for testing; delete it again as soon as the
# test is done, because it removes all isolation in the namespace
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: debug-allow-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - {}
  egress:
  - {}
EOF
```

7.3 DNS resolution fails

```bash
# Problem: pods cannot resolve DNS
# Fix: make sure DNS traffic to kube-system is allowed. The selector uses the
# kubernetes.io/metadata.name label that every namespace carries automatically,
# so it works without labelling kube-system by hand
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP    # DNS falls back to TCP for large responses
      port: 53
EOF
```

8. Network Policy Checklist

- [ ] Deny all ingress traffic by default
- [ ] Deny all egress traffic by default
- [ ] Allow DNS traffic
- [ ] Allow the monitoring system access
- [ ] Define database access rules
- [ ] Define API access rules
- [ ] Implement namespace isolation
- [ ] Review policies regularly
- [ ] Test the effect of the policies

Conclusion

Network policies are an important part of the Kubernetes security model; configured properly, they deliver micro-segmentation and a zero-trust posture. When rolling them out, start from default deny, layer the allow rules on top, and monitor continuously to keep the cluster's network secure.
