Configuring host node firewall rules with Calico network policy
Cloudpods services run on top of a Kubernetes cluster whose networking is provided by Calico, so the iptables rules on the nodes running Cloudpods are managed by Calico. As a result, firewall rules configured directly on a Cloudpods service node are overwritten by the iptables rules Calico installs and never take effect. This article describes how to use Calico's HostEndpoint and GlobalNetworkPolicy resources to define firewall rules for host nodes.
1. Prepare the calicoctl tool
Download the binary:
curl -O -L http://github.com/projectcalico/calicoctl/releases/download/v3.12.1/calicoctl
chmod +x calicoctl
Set the environment variables:
export DATASTORE_TYPE=kubernetes
export KUBECONFIG=/etc/kubernetes/admin.conf
2. Configure HostEndpoint resources
For every interface on every host whose firewall rules need to be controlled, define a corresponding HostEndpoint:
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: <node_name>-<interface_name>
    labels:
      role: master
      env: production
  spec:
    interfaceName: <interface_name>
    node: <node_name>
    expectedIPs: ["<interface_ip>"]
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: <node_name>-<interface_name>
    labels:
      role: master
      env: production
  spec:
    interfaceName: <interface_name>
    node: <node_name>
    expectedIPs: ["<interface_ip>"]
Apply the resources:
./calicoctl apply -f hep.yaml
3. Define network policies
With the HostEndpoints in place, define the firewall rules with Calico GlobalNetworkPolicy:
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: <whitelist_gnp_name>
  spec:
    order: 10
    preDNAT: true
    applyOnForward: true
    ingress:
      - action: Allow
        protocol: TCP
        source:
          nets: [<src_net_block1>, <src_net_block2>]
        destination:
          ports: [<dst_port1>, <dst_port2>]
    selector: role == 'master'
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: drop-other-ingress
  spec:
    order: 20
    preDNAT: true
    applyOnForward: true
    ingress:
      - action: Deny
    selector: role == 'master'
Apply the policies:
./calicoctl apply -f gnp.yaml
4. The failsafe mechanism
To reduce the risk that a user misconfiguration leaves a node unreachable over the network, Calico provides a failsafe mechanism: even when the rules a user writes are wrong, certain ports are never blocked, so the node does not lose its basic functionality. The failsafe ports are documented at: http://docs.projectcalico.org/reference/host-endpoints/failsafe
5. Configuration example
Example: on the external interface of the master nodes, allow only ports 80 and 443 and deny everything else.
HostEndpoint definitions:
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: master1-em4
    labels:
      role: master
      type: external
  spec:
    interfaceName: em4
    node: master1
    expectedIPs: ["120.133.60.219"]
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: master2-em4
    labels:
      role: master
      type: external
  spec:
    interfaceName: em4
    node: master2
    expectedIPs: ["120.133.60.220"]
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: master3-em4
    labels:
      role: master
      type: external
  spec:
    interfaceName: em4
    node: master3
    expectedIPs: ["120.133.60.221"]
GlobalNetworkPolicy definitions:
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: allow-http-https-traffic-only
  spec:
    order: 10
    preDNAT: true
    applyOnForward: true
    ingress:
      - action: Allow
        protocol: TCP
        destination:
          ports: [80, 443]
    selector: role == 'master' && type == 'external'
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: drop-other-ingress
  spec:
    order: 20
    preDNAT: true
    applyOnForward: true
    ingress:
      - action: Deny
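Because a HostEndpoint switches the interface to default-deny (failsafe ports aside), the mistakes that lock an operator out are a selector that matches no endpoint, a preDNAT policy without applyOnForward, an endpoint no policy selects, and a blanket Deny ordered before the Allow. The following pre-apply lint, an added example rather than code from the post or from Calico, checks those four conditions on manifests mirroring section 5; the sample data is constructed, it supports only the selector subset used on this page (all() and && conjunctions of key == 'value'), and the second policy carries a deliberate label typo and a wrong applyOnForward so the checks have something to report.

```python
import re
# Constructed sample manifests mirroring section 5 of the page; not the post's own files.
HOST_ENDPOINTS = [
    {"name": "master1-em4", "labels": {"role": "master", "type": "external"}},
    {"name": "master1-em1", "labels": {"role": "master", "type": "internal"}},
]
POLICIES = [
    {"name": "allow-http-https-traffic-only", "order": 10, "preDNAT": True, "applyOnForward": True,
     "selector": "role == 'master' && type == 'external'",
     "ingress": [{"action": "Allow", "protocol": "TCP", "destination": {"ports": [80, 443]}}]},
    {"name": "drop-other-ingress", "order": 20, "preDNAT": True, "applyOnForward": False,
     "selector": "role == 'master' && type == 'extrenal'",   # deliberate label typo
     "ingress": [{"action": "Deny"}]},
]

_TERM = re.compile(r"^\s*([\w./-]+)\s*==\s*['\"]([^'\"]*)['\"]\s*$")

def selector_matches(selector, labels):
    """Selector subset used on this page: empty or all() matches everything, else a && conjunction of key == 'value'."""
    if not selector or selector.strip() == "all()":
        return True
    for term in selector.split("&&"):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        if labels.get(m.group(1)) != m.group(2):
            return False
    return True

def lint(heps, gnps):
    """Return findings for mistakes that commonly lock an operator out of a node."""
    findings = []
    for p in gnps:
        if p.get("preDNAT") and not p.get("applyOnForward"):
            findings.append(f"{p['name']}: preDNAT policies must set applyOnForward: true")
        if not any(selector_matches(p.get("selector", ""), h["labels"]) for h in heps):
            findings.append(f"{p['name']}: selector matches no HostEndpoint (label typo?)")
    for h in heps:
        applicable = sorted((p for p in gnps if selector_matches(p.get("selector", ""), h["labels"])),
                            key=lambda p: p["order"])
        if not applicable:
            findings.append(f"{h['name']}: no policy selects it; Calico then drops all but failsafe ports")
        blanket_deny = False   # a Deny rule with no match criteria drops everything that reaches it
        for p in applicable:   # policies are evaluated in ascending order
            rules = p.get("ingress", [])
            if blanket_deny and any(r["action"] == "Allow" for r in rules):
                findings.append(f"{h['name']}: Allow in {p['name']} is unreachable behind an earlier Deny")
            blanket_deny |= any(r["action"] == "Deny" and r.keys() == {"action"} for r in rules)
    return findings
```

Run lint over the parsed hep.yaml and gnp.yaml before calicoctl apply; an empty result means none of the four lockout conditions is present.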