
激发 Kubernetes 安全达人热情:CKS 认证考试准备行动

最编程 2024-02-23 12:53:59
...
# Lab fixture: two throw-away nginx pods plus a ClusterIP Service in front of
# each, so traffic can be addressed by Service name (DNS) as well as by pod IP.
# `k` is assumed to be an alias for kubectl. `--image=nginx` carries no tag, so
# the mutable `latest` tag is pulled; fine for a scratch lab, not for a real
# workload, where images should be pinned by tag or digest.
k run frontend --image=nginx
k run backend --image=nginx
k expose pod frontend --port 80
k expose pod backend --port 80
k get pods,svc
# Baseline before any NetworkPolicy exists: both directions should succeed.
k exec frontend -- curl backend
k exec backend -- curl frontend

vim default-deny.yaml
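# default-deny.yaml
# Baseline for the default namespace: an empty podSelector selects every pod
# in the namespace, and listing both policyTypes without any ingress/egress
# rules means nothing is allowed in either direction until a more specific
# policy adds it. This also blocks egress to the cluster DNS service, which
# is presumably why later steps curl pod IPs instead of Service names.
# Enforcement depends on the CNI plugin: without one that implements
# NetworkPolicy the object is accepted by the API server but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Egress
    - Ingress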


vim frontend.yaml
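# frontend.yaml
# allows frontend pods to communicate with backend pods
# Selects pods labelled run=frontend (the label `kubectl run` sets) and
# permits egress only to pods labelled run=backend. A bare podSelector in a
# `to` entry matches pods in the policy's own namespace only.
# Only Egress is listed in policyTypes, so this policy says nothing about
# ingress; the default-deny policy still governs that direction. No DNS
# egress is granted here either.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              run: backend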


vim backend.yaml
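# backend.yaml
# allows backend pods to have incoming traffic from frontend pods
# Selects pods labelled run=backend and admits ingress only from pods
# labelled run=frontend in the same namespace. Only Ingress is listed in
# policyTypes, so backend's egress is still covered by default-deny alone:
# backend cannot initiate any connection until an egress rule is added.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              run: frontend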


# Pod IPs (from `k get pods -owide`) are used instead of Service names,
# presumably because default-deny also blocks DNS egress. The two addresses
# look like the backend and frontend pod IPs respectively — verify locally.
# Expected with the three policies applied: frontend -> backend succeeds
# (frontend egress and backend ingress both allow it); backend -> frontend
# is denied (backend has no egress rule, frontend no ingress rule).
k exec frontend -- curl 192.168.104.27
k exec backend -- curl 192.168.166.179


# Second namespace for the cross-namespace test. `kubectl edit` opens the
# live object; only the labels block is added (see the manifest below).
kubectl create ns cassandra
kubectl edit ns cassandra
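# Live Namespace object as shown by `kubectl edit`. creationTimestamp,
# resourceVersion, uid, spec and status are server-managed and left as-is;
# only the labels block is added so a namespaceSelector can match it.
# Clusters from v1.21 on also set the kubernetes.io/metadata.name label
# automatically, which could be selected instead of a custom label.
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2021-04-20T07:19:22Z"
  name: cassandra
  resourceVersion: "533198"
  uid: 766ae069-4dc9-4acd-a4db-ce852c293cc6
  labels:  # added
    ns: cassandra  # added
spec:
  finalizers:
    - kubernetes
status:
  phase: Active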


# Test pod in the cassandra namespace (again an untagged nginx image).
k -n cassandra run cassandra --image=nginx
# Read its pod IP; the curl below targets that address.
k -n cassandra get pod -owide
# Expected: denied. backend.yaml lists only Ingress, so backend's egress is
# still governed by default-deny in the default namespace.
k exec backend -- curl 192.168.104.26
# Extend backend.yaml with an egress rule towards the cassandra namespace.
vim backend.yaml
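# backend.yaml (second version)
# Ingress from run=frontend pods as before, plus egress to the cassandra
# namespace. Adding Egress to policyTypes makes this policy authoritative
# for backend's outbound traffic: only the listed destination is allowed.
# A namespaceSelector on its own matches every pod in namespaces labelled
# ns=cassandra; add a podSelector in the same `to` element to narrow it to
# specific pods (two selectors in one element are ANDed, separate list
# items are ORed). DNS egress is still not permitted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              run: frontend
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              ns: cassandra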

k exec backend -- curl 192.168.104.26

cat cassandra-deny.yaml
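# cassandra-deny.yaml
# deny all incoming and outgoing traffic from all pods in namespace cassandra
# Same shape as the default namespace's baseline: empty podSelector selects
# every pod in the namespace, both policyTypes listed, no allow rules.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra-deny
  namespace: cassandra
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress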

k exec backend -- curl 192.168.104.26
(通 — the request succeeds)

cat cassandra-deny.yaml
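# cassandra-deny.yaml
# deny all incoming and outgoing traffic from all pods in namespace cassandra
# Identical to the manifest shown earlier: empty podSelector selects every
# pod in the namespace, both policyTypes listed, no allow rules. Once applied,
# the cassandra pod's ingress from backend is blocked until a rule allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra-deny
  namespace: cassandra
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress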

k exec backend -- curl 192.168.104.26
(拒绝 — the request is refused)

vim cassandra.yaml
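# cassandra.yaml
# Admits ingress to pods labelled run=cassandra from namespaces labelled
# ns=default. Note the scope: a namespaceSelector alone matches EVERY pod in
# the default namespace (frontend included), not just backend. To limit the
# source to backend, put a podSelector in the same `from` element:
#   - namespaceSelector: {matchLabels: {ns: default}}
#     podSelector: {matchLabels: {run: backend}}
# Written as two separate list items they would be ORed instead.
# Only Ingress is listed, so the cassandra pod's egress stays fully denied
# by cassandra-deny.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra
  namespace: cassandra
spec:
  podSelector:
    matchLabels:
      run: cassandra
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              ns: default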


k edit ns default
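# Live Namespace object as shown by `kubectl edit`. Only the labels block is
# added; creationTimestamp, resourceVersion, uid, spec and status are
# server-managed and must be left unchanged.
# Clusters from v1.21 on also set the kubernetes.io/metadata.name label
# automatically, which could be selected instead of a custom label.
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2021-01-19T03:27:58Z"
  labels:  # added
    ns: default  # added
  name: default
  resourceVersion: "541475"
  uid: 2d566715-f0a4-49b3-b590-dfa7df30d0ba
spec:
  finalizers:
    - kubernetes
status:
  phase: Active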


k exec backend -- curl 192.168.104.26