Configuring host node firewall rules with Calico network policy


Cloudpods services run on a Kubernetes cluster whose networking is provided by Calico, so the iptables rules on the nodes that run Cloudpods services are managed by Calico. Firewall rules configured directly on a Cloudpods service node are therefore overwritten by the iptables rules that Calico installs, and they never take effect. This article describes how to use Calico's HostEndpoint and GlobalNetworkPolicy resources to define firewall rules for host nodes.

1. Prepare the calicoctl tool

Download the binary:

    curl -O -L https://github.com/projectcalico/calicoctl/releases/download/v3.12.1/calicoctl
    chmod +x calicoctl

Set the environment variables so that calicoctl talks to the Kubernetes datastore:

    export DATASTORE_TYPE=kubernetes
    export KUBECONFIG=/etc/kubernetes/admin.conf

2. Configure HostEndpoint rules

For every interface on every host whose firewall rules need to be controlled, define a corresponding HostEndpoint (saved here as hep.yaml):

    # One entry per node and interface; the labels are what the policies select on.
    - apiVersion: projectcalico.org/v3
      kind: HostEndpoint
      metadata:
        name: <node_name>-<interface_name>
        labels:
          role: master
          env: production
      spec:
        interfaceName: <interface_name>
        node: <node_name>
        expectedIPs: ["<interface_ip>"]
    - apiVersion: projectcalico.org/v3
      kind: HostEndpoint
      metadata:
        name: <node_name>-<interface_name>
        labels:
          role: master
          env: production
      spec:
        interfaceName: <interface_name>
        node: <node_name>
        expectedIPs: ["<interface_ip>"]

Apply the definitions:

    ./calicoctl apply -f hep.yaml

3. Define the network policy

With the HostEndpoints defined, use Calico's GlobalNetworkPolicy to express the firewall rules (saved here as gnp.yaml). Calico evaluates policies in ascending order, so the whitelist (order 10) is matched before the catch-all deny (order 20); preDNAT policies are applied before DNAT, so they match on the original destination port, and they require applyOnForward: true.

    - apiVersion: projectcalico.org/v3
      kind: GlobalNetworkPolicy
      metadata:
        name: <whitelist_gnp_name>
      spec:
        order: 10
        preDNAT: true
        applyOnForward: true
        ingress:
          - action: Allow
            protocol: TCP
            source:
              nets: [<src_net_block1>, <src_net_block2>]
            destination:
              ports: [<dst_port1>, <dst_port2>]
        selector: "role == 'master'"
    - apiVersion: projectcalico.org/v3
      kind: GlobalNetworkPolicy
      metadata:
        name: drop-other-ingress
      spec:
        order: 20
        preDNAT: true
        applyOnForward: true
        ingress:
          - action: Deny
        selector: "role == 'master'"

Apply the policy:

    ./calicoctl apply -f gnp.yaml

4. Failsafe mechanism

To reduce the risk that a misconfiguration cuts a node off from the network, Calico provides a failsafe mechanism: even when the user's rules are wrong, a set of failsafe ports is never blocked, so the node does not lose its core functions. The failsafe ports are documented at https://docs.projectcalico.org/reference/host-endpoints/failsafe

5. Configuration example

Example: on the master nodes, the external-facing interface only accepts ports 80 and 443, and everything else is denied.

HostEndpoint definition:

    - apiVersion: projectcalico.org/v3
      kind: HostEndpoint
      metadata:
        name: master1-em4
        labels:
          role: master
          type: external
      spec:
        interfaceName: em4
        node: master1
        expectedIPs: ["120.133.60.219"]
    - apiVersion: projectcalico.org/v3
      kind: HostEndpoint
      metadata:
        name: master2-em4
        labels:
          role: master
          type: external
      spec:
        interfaceName: em4
        node: master2
        expectedIPs: ["120.133.60.220"]
    - apiVersion: projectcalico.org/v3
      kind: HostEndpoint
      metadata:
        name: master3-em4
        labels:
          role: master
          type: external
      spec:
        interfaceName: em4
        node: master3
        expectedIPs: ["120.133.60.221"]

GlobalNetworkPolicy definition:

    - apiVersion: projectcalico.org/v3
      kind: GlobalNetworkPolicy
      metadata:
        name: allow-http-https-traffic-only
      spec:
        order: 10
        preDNAT: true
        applyOnForward: true
        ingress:
          - action: Allow
            protocol: TCP
            destination:
              ports: [80, 443]
        selector: "role == 'master' && type == 'external'"
    - apiVersion: projectcalico.org/v3
      kind: GlobalNetworkPolicy
      metadata:
        name: drop-other-ingress
      spec:
        order: 20
        preDNAT: true
        applyOnForward: true
        ingress:
          - action: Deny
        # No selector here, so this deny applies to every HostEndpoint in the cluster.
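The following is an added example, not Cloudpods or Calico code: it builds the HostEndpoint and GlobalNetworkPolicy objects from steps 2, 3 and 5 out of a small node inventory, and checks the two things the design above depends on before anything is applied: that every preDNAT policy sets applyOnForward, and that the catch-all Deny is ordered after every Allow. The inventory values are the ones from the example above; the check function, helper names and the use of JSON output (which calicoctl apply accepts alongside YAML) are this example's own choices.

```python
# Added example, not Cloudpods or Calico code: generate the page's HostEndpoint and
# GlobalNetworkPolicy objects from an inventory and sanity-check them before applying.
import json
API = "projectcalico.org/v3"
# Constructed inventory of external NICs: (node, interface, IP).
INVENTORY = [("master1", "em4", "120.133.60.219"), ("master2", "em4", "120.133.60.220"),
             ("master3", "em4", "120.133.60.221")]
def host_endpoints(inventory, labels):
    """One HostEndpoint per (node, interface), named <node>-<interface>."""
    return [{"apiVersion": API, "kind": "HostEndpoint",
             "metadata": {"name": f"{node}-{iface}", "labels": dict(labels)},
             "spec": {"interfaceName": iface, "node": node, "expectedIPs": [ip]}}
            for node, iface, ip in inventory]

def allow_tcp(ports, nets=None):  # ingress Allow for TCP to ports, optionally from nets only
    rule = {"action": "Allow", "protocol": "TCP", "destination": {"ports": list(ports)}}
    return {**rule, "source": {"nets": list(nets)}} if nets else rule

def policy(name, order, rule, selector=None):
    """preDNAT GlobalNetworkPolicy with one ingress rule; no selector = every HostEndpoint."""
    spec = {"order": order, "preDNAT": True, "applyOnForward": True, "ingress": [rule]}
    if selector:
        spec["selector"] = selector
    return {"apiVersion": API, "kind": "GlobalNetworkPolicy", "metadata": {"name": name}, "spec": spec}

def check_policies(policies):
    """Return the problems found; an empty list means the policy set is consistent."""
    problems, allows, denies = [], [], []
    for p in policies:
        name, spec = p["metadata"]["name"], p["spec"]
        if spec.get("preDNAT") and not spec.get("applyOnForward"):
            problems.append(f"{name}: preDNAT policies need applyOnForward: true")
        for rule in spec.get("ingress", []):
            (denies if rule["action"] == "Deny" else allows).append(spec["order"])
            if rule["action"] == "Deny" and "selector" not in spec:
                problems.append(f"{name}: Deny without a selector applies to every HostEndpoint")
    if not denies:
        problems.append("no Deny policy: traffic outside the Allow rules is not dropped by this set")
    elif allows and min(denies) <= max(allows):
        problems.append("a Deny is ordered at or before an Allow; the lower order is matched first")
    return problems

if __name__ == "__main__":  # emit a manifest suitable for: calicoctl apply -f -
    gnps = [policy("allow-http-https-traffic-only", 10, allow_tcp([80, 443]),
                   "role == 'master' && type == 'external'"),
            policy("drop-other-ingress", 20, {"action": "Deny"}, "role == 'master'")]
    for problem in check_policies(gnps):
        raise SystemExit(problem)
    print(json.dumps(host_endpoints(INVENTORY, {"role": "master", "type": "external"}) + gnps, indent=2))
```

Running the script prints the combined manifest, which can be piped straight into calicoctl apply -f -; swapping the two order values makes the script exit with the ordering problem instead.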