Cilium Network Policy
Install the Cilium CLI
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
Install Cilium
cilium install --version 1.16.3
Verify the installation (any other CNI resources, such as flannel, must have been removed first)
$ cilium status
    /¯¯\
 /¯¯\__/¯¯\    Cilium:             OK
 \__/¯¯\__/    Operator:           OK
 /¯¯\__/¯¯\    Envoy DaemonSet:    OK
 \__/¯¯\__/    Hubble Relay:       disabled
    \__/       ClusterMesh:        disabled

DaemonSet              cilium             Desired: 1, Ready: 1/1, Available: 1/1
DaemonSet              cilium-envoy       Desired: 1, Ready: 1/1, Available: 1/1
Deployment             cilium-operator    Desired: 1, Ready: 1/1, Available: 1/1
Containers:            cilium             Running: 1
                       cilium-envoy       Running: 1
                       cilium-operator    Running: 1
Cluster Pods:          2/2 managed by Cilium
Helm chart version:    1.16.3
Image versions         cilium             quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28: 1
                       cilium-envoy       quay.io/cilium/cilium-envoy:v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd@sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba: 1
                       cilium-operator    quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b: 1
# Create a test namespace
$ kubectl create ns cilium-netpol-test
# Create the target Pod
$ kubectl run whoami --image=traefik/whoami -n cilium-netpol-test --labels='app=whoami'
$ kubectl get pod -n cilium-netpol-test -o wide --show-labels
NAME     READY   STATUS    RESTARTS   AGE     IP          NODE         NOMINATED NODE   READINESS GATES   LABELS
whoami   1/1     Running   0          5m37s   10.0.0.40   custom-api   <none>           <none>            app=whoami
By default, while no policy selects it, a Pod accepts ingress traffic from any other Pod:
$ kubectl run -it --rm --image=curlimages/curl --restart=Never -n cilium-netpol-test curl-test -- curl 10.0.0.40
Hostname: whoami
IP: 127.0.0.1
IP: ::1
IP: 10.0.0.40
IP: fe80::34db:21ff:fe83:f03
RemoteAddr: 10.0.0.21:49660
GET / HTTP/1.1
Host: 10.0.0.40
User-Agent: curl/8.10.1
Accept: */*
pod "curl-test" deleted
References: Cilium documentation, "Overview of Network Policy" and "Layer 3 Examples" (1.17.0-dev).
Now create a CiliumNetworkPolicy that allows only Pods carrying the label app=curl to reach whoami:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l3-rule"
  namespace: cilium-netpol-test
spec:
  endpointSelector:
    matchLabels:
      app: whoami
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: curl
Apply the policy with kubectl apply -f and test again:
$ kubectl run -it --rm --image=curlimages/curl --restart=Never -n cilium-netpol-test curl-test -- curl -m 0.1 10.0.0.40
curl: (28) Connection timed out after 100 milliseconds
pod "curl-test" deleted
pod cilium-netpol-test/curl-test terminated (Error)
The curl command times out: as soon as a CiliumNetworkPolicy selects the whoami endpoint, ingress to it becomes default-deny and only sources matching the rule are admitted. Now start the client Pod with the label app=curl:
$ kubectl run -it --rm --image=curlimages/curl --restart=Never -n cilium-netpol-test --labels='app=curl' curl-test -- curl -m 0.1 10.0.0.40
Hostname: whoami
IP: 127.0.0.1
IP: ::1
IP: 10.0.0.40
IP: fe80::34db:21ff:fe83:f03
RemoteAddr: 10.0.0.161:49298
GET / HTTP/1.1
Host: 10.0.0.40
User-Agent: curl/8.10.1
Accept: */*
pod "curl-test" deleted
The request succeeds. Note that fromEndpoints only matches Pods in the policy's own namespace (cilium-netpol-test); a Pod labelled app=curl in a different namespace would still be denied unless the rule names that namespace explicitly.
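The l3-rule above admits every port on whoami from any app=curl Pod in the namespace. The following is an added, tightened variant (not from the original page or the Cilium project) that pins the source namespace explicitly and limits the allowed ingress to TCP/80, the port traefik/whoami listens on. The policy name l3-l4-rule is an assumption; everything else reuses the labels and namespace from the walkthrough.

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l3-l4-rule"              # assumed name, not from the page
  namespace: cilium-netpol-test
spec:
  # Selecting whoami switches its ingress to default-deny; only the
  # rules below admit traffic.
  endpointSelector:
    matchLabels:
      app: whoami
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: curl
        # fromEndpoints already scopes to the policy's namespace; stating
        # it makes the intent explicit and reviewable.
        k8s:io.kubernetes.pod.namespace: cilium-netpol-test
    # L4 restriction: same source, but only TCP port 80 (whoami's HTTP port).
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
```

After `kubectl apply -f`, `kubectl get cnp -n cilium-netpol-test` should list the policy; repeating the two curl runs gives the same deny/allow results as before, while a curl to any other port on 10.0.0.40 from the app=curl Pod now times out as well.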