红帽全球峰会第 8 章 保护服务网络
应用程序互联提供默认内置安全性,可跨集群和云扩展。本节描述了您可以配置的额外安全性。
如需有关为每个集群创建粒度 策略的信息,请参阅使用策略保护 服务网络。
8.1. 使用 network-policy 限制访问服务
复制链接链接已复制到粘贴板!
默认情况下,如果您在服务网络中公开服务,该服务也可以从集群中的其他命名空间访问。您可以使用 --create-network-policy 选项创建站点时避免这种情况。
流程
使用网络策略创建服务网络路由器:
skupper init --create-network-policy
$ skupper init --create-network-policyCopy to Clipboard Copied! Toggle word wrap Toggle overflow 检查站点状态:
skupper status
$ skupper statusCopy to Clipboard Copied! Toggle word wrap Toggle overflow 输出应类似以下示例:
Skupper enabled for namespace 'west'. It is not connected to any other sites.
Skupper enabled for namespace 'west'. It is not connected to any other sites.Copy to Clipboard Copied! Toggle word wrap Toggle overflow
现在,您可以在服务网络中公开服务,且这些服务不能从集群中的其他命名空间访问。
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}