A policy scoped to one namespace uses the NetworkPolicy kind, with the namespace set in metadata, as below:
```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: this-is-sample
  namespace: sample-namespace
```
A policy that is not tied to a namespace and can select any kind of endpoint (pods in every namespace, host endpoints) uses GlobalNetworkPolicy, which has no namespace in metadata:
```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: this-is-sample
```
The spec.order field controls evaluation order: policies with a lower number are evaluated first, and a policy with no order is evaluated after all policies that have one. In the example below the allow policy (order 10) is therefore evaluated before the deny policy (order 20). The two objects need distinct names; applying two GlobalNetworkPolicy manifests with the same name makes the second overwrite the first.
```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: this-is-sample-deny
spec:
  order: 20
  #...deny policy rules here...
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: this-is-sample-allow
spec:
  order: 10
  #...allow policy rules here...
```
Deny all traffic by default (except DNS). This works because, once at least one Calico policy selects an endpoint, traffic that matches no rule in any selecting policy is dropped: the policy lists Ingress in types but has no ingress rules, so inbound traffic to a selected pod is denied unless another policy allows it, and egress is allowed only to pods labelled k8s-app == "kube-dns" on port 53. Later policies are still evaluated (this one only decides the verdict when one of its own rules matches), so allow rules with a higher order continue to take effect. Pods in kube-system, calico-system and tigera-system are excluded by the namespaceSelector and are not restricted.
```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-all-except-dns
spec:
  order: 0
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "tigera-system"}
  types:
  - Ingress
  - Egress
  egress:
  # allow all namespaces to communicate to DNS pods
  - action: Allow
    protocol: UDP
    destination:
      selector: 'k8s-app == "kube-dns"'
      ports:
      - 53
  - action: Allow
    protocol: TCP
    destination:
      selector: 'k8s-app == "kube-dns"'
      ports:
      - 53
```
Install Calico
```shell
helm repo add projectcalico https://docs.tigera.io/calico/charts
helm repo update
kubectl create namespace tigera-operator
helm install calico projectcalico/tigera-operator --version v3.29.2 --namespace tigera-operator
# point the operator-managed Installation resource at the Calico CNI
kubectl patch installation default --type='json' -p='[{"op": "replace", "path": "/spec/cni", "value": {"type":"Calico"} }]'
```
Install Calicoctl
```shell
curl -L https://github.com/projectcalico/calico/releases/download/v3.29.2/calicoctl-linux-amd64 -o calicoctl
chmod +x calicoctl
sudo mv calicoctl /usr/local/bin/calicoctl
```
If the binary is named kubectl-calico and placed on PATH instead, it runs as a kubectl plugin (kubectl calico ...).
networkpolicy.yaml
```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-communication-for-a-pod
spec:
  selector: app == 'a-pod'
  egress:
  - action: Allow
  ingress:
  - action: Allow
    source:
      selector: app == 'b-pod'
  - action: Deny
    source:
      selector: app == 'c-pod'
```
```shell
kubectl apply -f networkpolicy.yaml
```
a-pod.yaml
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: a-pod
  labels:
    app: a-pod
spec:
  containers:
  - name: a-container
    image: nginx:latest
```
b-pod.yaml
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: b-pod
  labels:
    app: b-pod
spec:
  containers:
  - name: b-container
    image: nginx:latest
```
c-pod.yaml
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: c-pod
  labels:
    app: c-pod
spec:
  containers:
  - name: c-container
    image: nginx:latest
```
```shell
kubectl apply -f a-pod.yaml && kubectl apply -f b-pod.yaml && kubectl apply -f c-pod.yaml
```
Connectivity Test
Get the pod IPs with kubectl get pod -o wide, then test from a-pod to b-pod and from c-pod to a-pod (a blocked connection hangs, so a timeout makes the failure visible quickly):
```shell
kubectl exec -it a-pod -- curl --max-time 5 <b-pod-ip>
kubectl exec -it c-pod -- curl --max-time 5 <a-pod-ip>
```
a → b succeeds, while c → a is denied by the Deny rule for app == 'c-pod'.
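To reason about what the policies on this page do before applying them to a cluster, the following is an added example (not code from this page or from the Calico project) that models Calico's policy evaluation in Python: selecting policies are walked in ascending spec.order, the first Allow/Deny rule wins, Pass moves to the next policy, a selected endpoint with no matching rule is denied, and an endpoint no policy selects is allowed by its profile. It is a deliberately small model: the selector parser supports only all(), has(k), ==, !=, in and not in joined by &&, rules support only protocol, a peer selector and destination ports, and rule selectors ignore namespace scoping. The policies are the two from this page typed as dicts, and the pods (a-pod, b-pod, c-pod, a CoreDNS pod) are constructed inputs; the ORDER_DEMO pair (names deny-sample and allow-sample are assumed) illustrates the spec.order section.

```python
import re
ALLOW, DENY = "Allow", "Deny"
# Supported selector subset: all(), has(k), k == 'v', k != 'v', k in {...}, k not in {...}, joined by &&.
_TERM = re.compile(r"""^(?:(?P<all>all\(\))|has\((?P<has>[\w./-]+)\)|(?P<key>[\w./-]+)\s*"""
                   r"""(?P<op>==|!=|not in|in)\s*(?P<val>\{[^}]*\}|['"][^'"]*['"]))$""")

def compile_selector(expr):
    """Turn a Calico selector string into a predicate over a label dict."""
    terms = []
    for part in expr.split("&&"):
        m = _TERM.match(part.strip())
        if not m:
            raise ValueError(f"unsupported selector term: {part!r}")
        if m.group("all"):
            terms.append(lambda labels: True)
        elif m.group("has"):
            terms.append(lambda labels, k=m.group("has"): k in labels)
        else:
            key, op, raw = m.group("key"), m.group("op"), m.group("val")
            values = ({v.strip().strip("'\"") for v in raw[1:-1].split(",")}
                      if raw.startswith("{") else {raw[1:-1]})
            # '!=' and 'not in' also match when the label is absent, so compare against the expected truth value.
            terms.append(lambda labels, k=key, vs=values, pos=op in ("==", "in"): (labels.get(k) in vs) == pos)
    return lambda labels: all(t(labels) for t in terms)

def _policy_types(spec):
    """When 'types' is omitted Calico infers it from which rule lists are present."""
    if "types" in spec:
        return spec["types"]
    return [d for d in ("Ingress", "Egress") if d.lower() in spec] or ["Ingress"]

def _applies(policy, endpoint, direction):
    """Does the policy select this endpoint for this direction?"""
    spec, meta = policy["spec"], policy["metadata"]
    if policy["kind"] == "NetworkPolicy" and meta.get("namespace", "default") != endpoint["namespace"]:
        return False  # a namespaced NetworkPolicy only selects pods in its own namespace
    ns_labels = {"projectcalico.org/name": endpoint["namespace"]}  # label Calico adds to every namespace
    if "namespaceSelector" in spec and not compile_selector(spec["namespaceSelector"])(ns_labels):
        return False
    return compile_selector(spec.get("selector", "all()"))(endpoint["labels"]) and direction in _policy_types(spec)

def _port_matches(ports, port):
    """Port entries are ints or 'low:high' ranges; no list means any port."""
    return not ports or any(int(lo) <= port <= int(hi or lo)
                            for lo, _, hi in (str(p).partition(":") for p in ports))

def _rule_matches(rule, direction, peer_labels, protocol, port):
    if "protocol" in rule and rule["protocol"] != protocol:
        return False
    peer = rule.get("source" if direction == "Ingress" else "destination", {})  # the other side of the flow
    if "selector" in peer and not compile_selector(peer["selector"])(peer_labels):
        return False
    return _port_matches(rule.get("destination", {}).get("ports"), port)

def evaluate(policies, endpoint, direction, peer_labels, protocol, port):
    """Verdict for one direction of one flow at one endpoint. Policies selecting the endpoint
    run in ascending spec.order (no order = last); the first Allow/Deny rule wins and Pass
    jumps to the next policy. A selected endpoint with no matching rule is denied; an
    endpoint no policy selects falls back to its profile, which for Kubernetes pods allows."""
    applicable = sorted((p for p in policies if _applies(p, endpoint, direction)),
                        key=lambda p: p["spec"].get("order", float("inf")))
    if not applicable:
        return ALLOW
    for policy in applicable:
        for rule in policy["spec"].get(direction.lower(), []):
            if not _rule_matches(rule, direction, peer_labels, protocol, port):
                continue
            if rule["action"] in (ALLOW, DENY):
                return rule["action"]
            if rule["action"] == "Pass":
                break
    return DENY

def flow_allowed(policies, src, dst, protocol, port):
    """A flow needs an Allow at the source's egress and at the destination's ingress."""
    return (evaluate(policies, src, "Egress", dst["labels"], protocol, port) == ALLOW
            and evaluate(policies, dst, "Ingress", src["labels"], protocol, port) == ALLOW)

# The two policies from this page, written as dicts so no YAML parser is needed.
DENY_ALL = {"kind": "GlobalNetworkPolicy", "metadata": {"name": "deny-all-except-dns"}, "spec": {
    "order": 0, "types": ["Ingress", "Egress"],
    "namespaceSelector": 'has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "tigera-system"}',
    "egress": [{"action": "Allow", "protocol": proto, "destination": {"selector": 'k8s-app == "kube-dns"', "ports": [53]}}
               for proto in ("UDP", "TCP")]}}
PAGE_POLICY = {"kind": "NetworkPolicy", "metadata": {"name": "allow-communication-for-a-pod", "namespace": "default"},
               "spec": {"selector": "app == 'a-pod'", "egress": [{"action": "Allow"}],
                        "ingress": [{"action": "Allow", "source": {"selector": "app == 'b-pod'"}},
                                    {"action": "Deny", "source": {"selector": "app == 'c-pod'"}}]}}
# Two same-selector policies for the spec.order section (names assumed): the allow at order 10 runs before the deny at 20.
ORDER_DEMO = [{"kind": "GlobalNetworkPolicy", "metadata": {"name": name}, "spec": {"order": order, "selector": "all()",
               "ingress": [{"action": action}]}} for name, order, action in (("deny-sample", 20, DENY), ("allow-sample", 10, ALLOW))]
# Constructed endpoints: the three test pods in 'default' plus a CoreDNS pod in kube-system.
A_POD, B_POD, C_POD = ({"namespace": "default", "labels": {"app": n}} for n in ("a-pod", "b-pod", "c-pod"))
DNS_POD = {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}}

if __name__ == "__main__":
    print("page policy only, b -> a:", flow_allowed([PAGE_POLICY], B_POD, A_POD, "TCP", 80))
    print("with deny-all, a -> b  :", flow_allowed([DENY_ALL, PAGE_POLICY], A_POD, B_POD, "TCP", 80))
    print("with deny-all, a -> DNS:", flow_allowed([DENY_ALL, PAGE_POLICY], A_POD, DNS_POD, "UDP", 53))
```

With only the page's NetworkPolicy loaded the model reproduces the test above (b → a and a → b allowed, c → a denied). Adding deny-all-except-dns changes the picture: a → b is still allowed at a-pod's egress, but b-pod has no policy allowing ingress, so the flow is denied at the destination, and b → a is denied at b-pod's egress; only DNS to kube-dns on port 53 survives. Each side of a flow needs its own Allow, which is the point to check before rolling a default-deny into a cluster.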