Openshift的网络策略networkpolicy

开启networkpolicy

创建新集群时，在ansible的hosts的参数列表中添加os_sdn_network_plugin_name配置
1
2
[OSEv3:vars]
os_sdn_network_plugin_name='redhat/openshift-ovs-networkpolicy
如果已存在的集群，切换网络策略，请参考Openshift网络插件动态切换
ovs-networkpolicy网络策略下，pod也支持qos网络流量控制。详情请阅读：Openshift Network QoS——Pod网络控制

说明：在Openshift容器平台只支持部分k8s networkpolicy v1版本特性，所以egress协议类型，IPBlock和podSelector与namespaceSelector的组合都不支持。

NetworkPolicy配置规则

样例：

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: test
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379

podSelector: pod选择器，指定该networkpolicy对指定pod产生作用。默认当前project下的所有pod
policyTypes: Openshift只支持Ingress协议类型
ingress[].from[].namespaceSelector：namespace选择器，带有指定label的namespace允许访问受控制的pod
ingress[].from[].podSelector：pod选择器，指定同一个project下带有指定label的pod允许访问受控制的pod
ingress[].ports：受控制的端口
一个project下可以有多条NetworkPolicy规则，同时它们是或的关系
每个NetworkPolicy可以有多条ingress策略，同时它们也是或的关系

策略设置案例

默认策略

在没有设置任何NetworkPolicy策略时，pod之间的网络与openshift-ovs-subnet一样，都是可以互相访问的

对所有pod网络隔离

对所有pod网络隔离

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-by-default
spec:
  podSelector:
  ingress: []

只允许在同一个project下的所有pod可访问

只允许在同一个project下的pod可访问

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
spec:
  podSelector:
  ingress:
  - from:
    - podSelector: {}

只允许同一个project下的指定pod可访问

只允许type=blue的pod访问当前project下的pod

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
spec:
  podSelector:
  ingress:
  - from:
    - podSelector:
          matchLabels:
              type: blue

只允许指定的namespace下的pod可访问

只允许指定的namespace下的pod可访问

1	oc label namespace project-b name=project-b

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-test-namespace
spec:
  podSelector:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: project-b

公开指定label的pod的HTTP和HTTPS端口

project-a下的type=red的pod的80和443端口对所有pod开放

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-http-and-https
spec:
  podSelector:
    matchLabels:
      type: red
  ingress:
  - ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443

NetworkPolicy与Routers网络打通

在ovs-multitenant模式下，router所在的default project对所有project中的pod都具有访问权限，但是这点在networkpolicy策略中并不适用。如果某个需要公开的服务设置了networkpolicy策略，那么也需要将它向router pod公开。

一种方法是将需要公开的服务的端口对所有project公开

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-to-database-service
spec:
  podSelector:
    matchLabels:
      role: database
  ingress:
  - ports:
    - protocol: TCP
      port: 5432

该策略不仅允许router能访问该服务，同时也允许所有的pod能够访问该服务。通常这是没有问题的，因为有这种需求的服务是对外开放的。

另一种方法是只对default namespace进行公开

$ oc label namespace default name=default
$ cat allow-from-default-namespace.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-default-namespace
spec:
  podSelector:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: default

给新建的project创建默认策略

在openshift project的默认配置中添加如下object

objects:
...
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-from-same-namespace
  spec:
    podSelector:
    ingress:
    - from:
      - podSelector: {}
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-from-default-namespace
  spec:
    podSelector:
    ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: default
...