Memo / a self-described amateur engineer writes whatever he likes

To get a feel for how things work, I build setups that simply get something running, in whatever way I feel like trying. These are personal notes, so nothing here comes with any guarantee; please bear that in mind. * If you spot anything odd or mistaken, I would appreciate a comment or correction.

Running the Calico / Kubernetes Simple Policy Demo (tutorial)

This is nothing more than a walk-through of the steps in Calico's "Simple Policy Demo" tutorial.

Calico tutorial

Simple Policy Demo | calico

Creating the calicoctl pod

Adding the calicoctl pod

# kubectl apply -f \
> https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/calicoctl.yaml
pod "calicoctl" created
#

Checking the calicoctl pod

# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
~ omitted ~
kube-system calicoctl 1/1 Running 0 23s
~ omitted ~

# kubectl exec -ti -n kube-system calicoctl -- /calicoctl get profiles -o wide
NAME LABELS
kns.default map[]
kns.kube-public map[]
kns.kube-system map[]
 
#

Creating the namespace

# kubectl create ns policy-demo
namespace "policy-demo" created
#
# kubectl get namespace
NAME STATUS AGE
default Active 2d
kube-public Active 2d
kube-system Active 2d
policy-demo Active 16s
#

Creating the demo pods

Create two nginx pods

# kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx
deployment.apps "nginx" created
#

Checking the nginx pods

[root@k8s-master calico]# kubectl get pods --all-namespaces -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE
~ omitted ~
policy-demo nginx-65899c769f-4mr2n 1/1 Running 0 4m 192.168.180.193 worker-node1
policy-demo nginx-65899c769f-8m4r7 1/1 Running 0 4m 192.168.203.129 worker-node2
#

Creating the service

# kubectl expose --namespace=policy-demo deployment nginx --port=80
service "nginx" exposed
#

Connectivity check

Create a pod in the policy-demo namespace and run a shell inside that BusyBox pod.

# kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -q nginx -O -
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
 
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
 
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ # exit
Session ended, resume using 'kubectl attach access-54c8b564d8-ctp2r -c access -i -t' command when the pod is running
#

Exiting the shell terminates the pod as well.

Enabling isolation

This results in default-deny behaviour for every pod in the policy-demo namespace.

# kubectl create -f - <<EOF
> kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: default-deny
>   namespace: policy-demo
> spec:
>   podSelector:
>     matchLabels: {}
> EOF
networkpolicy.networking.k8s.io "default-deny" created
#
# kubectl get networkpolicies --all-namespaces
NAMESPACE NAME POD-SELECTOR AGE
policy-demo default-deny <none> 11m
#

Testing isolation

# kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -q --timeout=5 nginx -O -
wget: download timed out
/ # exit
Session ended, resume using 'kubectl attach access-54c8b564d8-ks85z -c access -i -t' command when the pod is running
#

Five seconds after running wget, the request timed out.

This shows that the deny-access setting is in effect through isolation.

Allowing access with a NetworkPolicy

Creating the network policy

# kubectl create -f - <<EOF
> kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: access-nginx
>   namespace: policy-demo
> spec:
>   podSelector:
>     matchLabels:
>       run: nginx
>   ingress:
>     - from:
>         - podSelector:
>             matchLabels:
>               run: access
> EOF
networkpolicy.networking.k8s.io "access-nginx" created
#
# kubectl get networkpolicies --all-namespaces
NAMESPACE NAME POD-SELECTOR AGE
policy-demo access-nginx run=nginx 11s
policy-demo default-deny <none> 14m
#

--
The NetworkPolicy allows traffic from pods carrying the "run:nginx" label.
--

Without the label

Access from the policy-demo namespace is not possible.

# kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -q --timeout=5 nginx -O -
wget: download timed out
/ # exit
Session ended, resume using 'kubectl attach access-54c8b564d8-2nr6p -c access -i -t' command when the pod is running
#

With the label

Apply the label to the nodes.

# kubectl label nodes worker-node1 run=nginx
node "worker-node1" labeled
# kubectl label nodes worker-node2 run=nginx
node "worker-node2" labeled
# kubectl label nodes worker-node3 run=nginx
node "worker-node3" labeled

After applying the label, access from the policy-demo namespace succeeded.

# kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget -q --timeout=5 nginx -O -
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
 
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
 
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ # exit
Session ended, resume using 'kubectl attach access-54c8b564d8-ztn2k -c access -i -t' command when the pod is running
#
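As an added check (this code is not from the Calico tutorial or from this memo), here is a small Python model of how the two policies above are evaluated, using constructed pods and labels: `podSelector` selects target pods by their pod labels only (node labels play no part), a policy with no `ingress` rules isolates the pods it selects, and policies are additive, so `access-nginx` re-admits pods labelled `run=access` (the label `kubectl run access` gives its pod) to pods labelled `run=nginx` in the same namespace.

```python
from typing import Dict, List, Tuple

# Constructed sample pods: name -> (namespace, pod labels). Node labels are deliberately
# absent: podSelector matches pod labels only, so labelling nodes cannot change the outcome.
PODS: Dict[str, Tuple[str, Dict[str, str]]] = {
    "nginx-65899c769f-4mr2n": ("policy-demo", {"run": "nginx"}),
    "access": ("policy-demo", {"run": "access"}),         # label `kubectl run access` sets
    "cant-access": ("policy-demo", {"run": "cant-access"}),
    "access-elsewhere": ("default", {"run": "access"}),   # same label, other namespace
}

# The two demo policies reduced to the fields that matter for evaluation.
# ingress=None models a policy with no ingress rules: selected pods are isolated.
DEFAULT_DENY = {"namespace": "policy-demo", "podSelector": {}, "ingress": None}
ACCESS_NGINX = {
    "namespace": "policy-demo",
    "podSelector": {"run": "nginx"},
    "ingress": [{"from": [{"podSelector": {"run": "access"}}]}],
}

def selector_matches(match_labels: Dict[str, str], labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every pair must be present; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in match_labels.items())

def ingress_allowed(src: str, dst: str, policies: List[dict]) -> bool:
    """True if traffic from pod `src` to pod `dst` is admitted under `policies`."""
    src_ns, src_labels = PODS[src]
    dst_ns, dst_labels = PODS[dst]
    # Only policies in the destination's namespace whose podSelector selects it apply.
    applicable = [p for p in policies
                  if p["namespace"] == dst_ns and selector_matches(p["podSelector"], dst_labels)]
    if not applicable:
        return True  # no policy selects the pod: non-isolated, accepts everything
    # Policies are additive: one matching rule in any applicable policy suffices.
    for pol in applicable:
        for rule in pol["ingress"] or []:
            peers = rule.get("from")
            if not peers:
                return True  # a rule without `from` admits every source
            for peer in peers:
                sel = peer.get("podSelector")
                # A bare podSelector peer matches pods in the policy's own namespace only
                # (namespaceSelector and ipBlock peers are not modelled here).
                if sel is not None and src_ns == pol["namespace"] and selector_matches(sel, src_labels):
                    return True
    return False
```

Running `ingress_allowed("access", "nginx-65899c769f-4mr2n", [DEFAULT_DENY, ACCESS_NGINX])` returns True while the same call with only `DEFAULT_DENY`, or with `cant-access` as the source, returns False, which is the behaviour the tutorial's tests are designed to show.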

--

Deleting the demo setup

# kubectl delete ns policy-demo
namespace "policy-demo" deleted
#
# kubectl get pods --all-namespaces -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE
kube-system calico-etcd-2z69c 1/1 Running 1 2d 10.10.0.201 k8s-master
kube-system calico-kube-controllers-685755779f-zmjqx 1/1 Running 1 2d 10.10.0.201 k8s-master
kube-system calico-node-5cqwf 2/2 Running 3 2d 10.20.0.202 worker-node2
kube-system calico-node-l5pp6 2/2 Running 3 2d 10.10.0.201 k8s-master
kube-system calico-node-svnnz 2/2 Running 3 2d 10.20.0.201 worker-node1
kube-system calico-node-v8d9q 2/2 Running 2 2d 10.30.0.201 worker-node3
kube-system calicoctl 1/1 Running 0 50m 10.20.0.202 worker-node2
kube-system etcd-k8s-master 1/1 Running 1 2d 10.10.0.201 k8s-master
kube-system kube-apiserver-k8s-master 1/1 Running 1 2d 10.10.0.201 k8s-master
kube-system kube-controller-manager-k8s-master 1/1 Running 1 2d 10.10.0.201 k8s-master
kube-system kube-dns-86f4d74b45-sfwv5 3/3 Running 3 2d 192.168.50.2 worker-node3
kube-system kube-proxy-d8ctw 1/1 Running 1 2d 10.20.0.201 worker-node1
kube-system kube-proxy-ds8qf 1/1 Running 1 2d 10.20.0.202 worker-node2
kube-system kube-proxy-ffptl 1/1 Running 1 2d 10.30.0.201 worker-node3
kube-system kube-proxy-lq4xh 1/1 Running 1 2d 10.10.0.201 k8s-master
kube-system kube-scheduler-k8s-master 1/1 Running 1 2d 10.10.0.201 k8s-master
#
# kubectl get namespaces
NAME STATUS AGE
default Active 2d
kube-public Active 2d
kube-system Active 2d
[root@k8s-master calico]#


* Removing the labels

# kubectl label nodes worker-node1 run-
node "worker-node1" labeled
# kubectl label nodes worker-node2 run-
node "worker-node2" labeled
# kubectl label nodes worker-node3 run-
node "worker-node3" labeled
#

The policy-demo namespace and the nginx pods have been deleted.