17.8. 使用网络策略配置多租户隔离
作为集群管理员,您可以配置网络策略以为多租户网络提供隔离功能。
如果使用 OpenShift SDN 集群网络供应商,请按照本节所述配置网络策略,提供类似于多租户模式的网络隔离,但具有设置网络策略模式。
17.8.1. 使用网络策略配置多租户隔离
您可以配置项目,使其与其他项目命名空间中的 pod 和服务分离。
先决条件
-
集群使用支持
NetworkPolicy
对象的集群网络供应商,如设置了mode: NetworkPolicy
的 OpenShift SDN 网络供应商。此模式是 OpenShift SDN 的默认模式。 -
已安装 OpenShift CLI(
oc
)。 -
您可以使用具有
admin
权限的用户登陆到集群。
流程
创建以下
NetworkPolicy
对象:名为
allow-from-openshift-ingress
的策略。$ cat << EOF| oc create -f - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-from-openshift-ingress spec: ingress: - from: - namespaceSelector: matchLabels: policy-group.network.openshift.io/ingress: "" podSelector: {} policyTypes: - Ingress EOF
注意policy-group.network.openshift.io/ingress: ""
是 OpenShift SDN 的首选命名空间选择器标签。您可以使用network.openshift.io/policy-group: ingress
命名空间选择器标签,但这是一个比较旧的用法。名为
allow-from-openshift-monitoring
的策略:$ cat << EOF| oc create -f - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-from-openshift-monitoring spec: ingress: - from: - namespaceSelector: matchLabels: network.openshift.io/policy-group: monitoring podSelector: {} policyTypes: - Ingress EOF
名为
allow-same-namespace
的策略:$ cat << EOF| oc create -f - kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-same-namespace spec: podSelector: ingress: - from: - podSelector: {} EOF
名为
allow-from-kube-apiserver-operator
的策略:$ cat << EOF| oc create -f - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-from-kube-apiserver-operator spec: ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: openshift-kube-apiserver-operator podSelector: matchLabels: app: kube-apiserver-operator policyTypes: - Ingress EOF
如需了解更多详细信息,请参阅 新的
kube-apiserver-operator
Webhook 控制器验证 Webhook 的健康状况。
可选: 要确认当前项目中存在网络策略,请输入以下命令:
$ oc describe networkpolicy
输出示例
Name: allow-from-openshift-ingress Namespace: example1 Created on: 2020-06-09 00:28:17 -0400 EDT Labels: <none> Annotations: <none> Spec: PodSelector: <none> (Allowing the specific traffic to all pods in this namespace) Allowing ingress traffic: To Port: <any> (traffic allowed to all ports) From: NamespaceSelector: network.openshift.io/policy-group: ingress Not affecting egress traffic Policy Types: Ingress Name: allow-from-openshift-monitoring Namespace: example1 Created on: 2020-06-09 00:29:57 -0400 EDT Labels: <none> Annotations: <none> Spec: PodSelector: <none> (Allowing the specific traffic to all pods in this namespace) Allowing ingress traffic: To Port: <any> (traffic allowed to all ports) From: NamespaceSelector: network.openshift.io/policy-group: monitoring Not affecting egress traffic Policy Types: Ingress