eBPF Cilium实战(1) – 基于团队的网络隔离

Rainbond 集群中,每个团队对应于底层 Kubernetes 的一个 Namespace ,由于之前使用的底层网络无法进行 Namespace 级别的网络管理,所以在 Rainbond 同一集群下的不同团队间,所以组件可以自由的进行互相访问,用户无法对此做出任何限制,这也导致了底层网络的安全隐患一直存在。现在由 cilium 提供网络服务的 Kubernetes 集群可以很好的解决这一问题,用户可以根据自己的需求,制定针对每个团队、每个组件的网络策略,加强底层网络管理,实现网络层的安全把控。

使用 cilium 作为 Kubernetes 网络服务

  • 使用从主机安装时,修改 network.plugin 值为 none

  • 安装 helm

wget https://goodrain-pkg.oss-cn-shanghai.aliyuncs.com/pkg/helm && chmod +x helm && mv helm /usr/local/bin/
  • 部署 cilium
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.11.2 --namespace kube-system --set operator.replicas=1

kubectl get pods --all-namespaces -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,HOSTNETWORK:.spec.hostNetwork --no-headers=true | grep '<none>' | awk '{print "-n "$1" "$2}' | xargs -L 1 -r kubectl delete pod

  • 验证 cilium

下载 cilium 命令行工具

curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
  • 确认状态
$ cilium status --wait
/¯¯\
/¯¯\__/¯¯\    Cilium:         OK
\__/¯¯\__/    Operator:       OK
/¯¯\__/¯¯\    Hubble:         disabled
\__/¯¯\__/    ClusterMesh:    disabled
\__/

DaemonSet         cilium             Desired: 2, Ready: 2/2, Available: 2/2
Deployment        cilium-operator    Desired: 2, Ready: 2/2, Available: 2/2
Containers:       cilium-operator    Running: 2
cilium             Running: 2
Image versions    cilium             quay.io/cilium/cilium:v1.9.5: 2
cilium-operator    quay.io/cilium/operator-generic:v1.9.5: 2
  • 测试网络联通性(国内服务器测试时,涉及到外部网络的测试可能会失败,不影响正常使用)
$ cilium connectivity test
ℹ️  Monitor aggregation detected, will skip some flow validation steps
✨ [k8s-cluster] Creating namespace for connectivity check...
(...)
---------------------------------------------------------------------------------------------------------------------
📋 Test Report
---------------------------------------------------------------------------------------------------------------------
✅ 69/69 tests successful (0 warnings)

设置团队网络隔离

Cilium 的网络隔离策略遵循白名单机制,在不创建网络策略的情况下,对于网络不作任何限制,在为指定类型的 pod 集合创建网络策略后,除策略中允许的访问地址外,其它请求都会被拒绝。

  • 前期准备

    • 创建两个开发团队和测试团队,英文名称设置为 dev 和 test
    • 在开发团队和测试团队下创建 nginx-dev 和 nginx-test 组件,开启对内端口,内部域名分别设置为 nginx-dev 和 nginx-test
    • 在开发和测试团队下创建客户端组件
  • 不做任何限制

    在不做限制的情况下,各个团队之间的所有服务均可以自由通信,不受任何特殊限制

  • 限制只允许本团队内组件互相访问,隔绝其它团队访问

    在实际生产中,一个集群内部可能会同时部署开发、测试、生产等多个团队,基于安全性的考虑,需要对每个的团队做出网络隔离,禁止其它团队可以对其进行访问,下面以开发团队为例说明如何限制不允许其它团队对其访问。

  • Cilium 网络策略文件(dev-ingress.yaml)
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "dev-namespace-ingress"
spec:
endpointSelector:
matchLabels:
"k8s:io.kubernetes.pod.namespace": dev
ingress:
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": dev
  • 创建策略
kubectl create -f dev-ingress.yaml -n dev
  • 确认策略
$ kubectl get CiliumNetworkPolicy -A
NAMESPACE   NAME                    AGE
dev         dev-namespace-ingress   39s
  • 测试效果
  • 设置开发团队下的 nginx-dev 组件只允许测试团队下的组件访问

    在某些情况下,一些组件的安全要求会更为严格,可能只会允许本团队内符合要求的部分组件进行访问,下面以 nginx-dev 为例说明如何限制仅允许部分组件进行访问。

  • Cilium 网络策略文件(nginx-dev-ingress0.yaml)
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "nginx-dev-ingress"
spec:
endpointSelector:
matchLabels:
name: grc156cb
ingress:
- fromEndpoints:
- matchLabels:
name: 
  • 创建策略
kubectl create -f nginx-dev-ingress0.yaml -n dev
  • 确认策略
$ kubectl get CiliumNetworkPolicy -A
NAMESPACE   NAME                    AGE
dev         nginx-dev-ingress0       85s
  • 测试效果
  • 设置开发团队允许本团队下组件访问的同时,允许开发团队下的 nginx-dev 组件被测试团队中任意组件访问

    在设置了团队网络隔离的情况下,有时候需要临时开放一些组件给其它团队访问以便进行调试,下面以 nginx-dev 组件为例说明如何在设置网络隔离的情况下开放外部团队的访问权限。

  • Cilium 网络策略文件(nginx-dev-ingress1.yaml)
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "nginx-dev-ingress1"
spec:
endpointSelector:
matchLabels:
name: grc156cb
ingress:
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": test
  • 创建策略
kubectl create -f dev-ingress.yaml -n dev
kubectl create -f nginx-dev-ingress.yaml -n dev
  • 确认策略
$ kubectl get CiliumNetworkPolicy -A
NAMESPACE   NAME                    AGE
dev         dev-namespace-ingress   19s
dev         nginx-dev-ingress1      12s
  • 测试效果
K8S中文社区微信公众号

评论 11

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
  1. #11

    nice

    John8个月前 (04-11)回复
  2. #10

    I’m excited to write about Henry Hacker, he is a great and brilliant hacker who penetrated my spouse’s phone without a physical installation app. And I was able to access my spouse’s phone, SMS, Whatsapp, Instagram, Facebook, Wechat, Snapchat, Call Logs, Kik, Twitter and all social media. The most amazing thing there is that he restores all phone deleted text messages. And I also have access to everything including the phone gallery without touching the phone.I can see the whole secret of my spouse. Contact him for any hacking service. He is also a genius in repairing Credit Score, increasing school grade, Clear Criminal Record etc. His service is fast. Contact on: Henryclarkethicalhacker@gmail.com and you can text, call him on whatsapp him on +18134211326…

    Eliott Sharon2个月前 (09-19)回复
  3. #9

    Hello Guys, I just completed my divorce with my cheating husband of 10 years with two beautiful kids when i got a solid evidence of his unfaithfulness on extra marital affairs and his infidelity lifestyle, And the various applications he used to hide chats and lot of secret on his cell phone. Then, i decided to hire (Henry clark) an hacker and a PI just to be 100% sure because i don’t want to confront him or take any kinda step without proof, fact and figures because that could leads to defamation… It was with this great, honest, professional and trustworthy Man i got to know my husband is a professional cheater and has been using this app to hide most of his chats. This great hacker helped me broke to into his cell phone activities and wired everything he does on his cell phone directly to my phone and i was able to monitor and track him directly from my phone remotely without him knowing,
    Contact the Ethical hacker via email, Henryclarkethicalhacker@gmail.com you can also reach him on Whatsapp 18134211326..

    Steve Jenna2个月前 (09-19)回复
  4. #8

    Joe Engressia Thank you for Helping me in changing my grade and credit score in good shape, Now am a graduate finally, reach out to him of you need his service related to hacking service, His a very good one. reach him here
    DIGITALDAWGPOUNDHACKERGROUP@GMAIL.COM
    whatsapp no. : +1 732 639 1527

    Ivan Jefferey2个月前 (10-14)回复
  5. #7

    Joe Engressia Thank you for Helping me in changing my grade and credit score in good shape, Now am a graduate finally, reach out to him of you need his service related to hacking service, His a very good one. reach him here
    DIGITALDAWGPOUNDHACKERGROUP@GMAIL.COM
    whatsapp no. : +1 732 639 1527.

    Ivan Jefferey2个月前 (10-17)回复
  6. #6

    People find it hard to stay committed again. It’s becoming a difficult thing. Getting information & data you need is quite not a big deal. Sometimes the truth needs to be unveiled by whatsoever means necessary. The latter of the case should always be reckoned with, of which it would be known eventually what would be the data at hand afterwards. definitely contact Thomas would do justice on this intercepting with wares and you will have me to thank later.
    I finally caught him red handed…
    They also have a refund policy if you wish not to go further with your job.
    Contact him via
    Email; tomcyberghost@gmail.com Text/Call +17207941811, WhatsApp +1 3047457645

    Tested and trusted.

    florence jenny1个月前 (10-25)回复
  7. #5

    I always thought I was the bad one and I wasn’t doing enough for my relationship till I discovered it was because my partner was cheating on me and wasn’t putting energy into building what we had and it’s all thanks to Fred hacker who helped me with hacking his cellphone and I was able to keep track on him and found out many things: contact him on fredvalcyberghost@gmail.com and you can text/call him on +14236411452 and you can WhatsApp him on +15177981808

    Monica Regina1个月前 (10-28)回复
  8. #4

    I was able to catch my cheating husband red handed with a lady he has been having a love affair with and this was made possible by Fred hacker that I met through a comment posted by Kimberly Jane on Reddit about his good and professional services. I started getting suspicious of my husband since he became too possessive of his phone which wasn’t the way he did prior before now. He used to be very carefree when it comes to his phone. but now he’s become obsessed and overtly possessive. I knew something was wrong somewhere which was why i did my search for a professional hacker online and contacted the hacker for help so he could penetrate his phone remotely and grant me access to his phones operating system, he got the job done perfectly without my husband knowing about it although it came quite expensive more than i thought of.i was marveled at the atrocities my husband has been committing. Apparently he is a chronic cheat and never really ended things with his ex.. contact him here. Fredvalcyberghost@gmail.com and you can text, call him on +14236411452 and you can WhatsApp him on +15177981808.

    Monica Regina1个月前 (10-28)回复
  9. #3

    My husband has been frequently deleting all messages for the last couple of days from his phone and he didn’t know i was peeping at him, then i asked him why he was deleting all messages from his phone but he claimed that his phone memory was full and needed more space. Immediately I went in search of a hacker who can get me deleted information and contents from my husband’s phone and luckily for me i came across this reputable ethical hacker Me Fred, this hacker got the job done for me and provided me with results and i saw that my husband has been lying to me. He was simply deleting all pictures, call logs, chats and text messages between him and his secret lover so i wont get to see what he has been doing at my back. Thank God for reputable hackers who are ready to help. I must say am really impressed with the services i got from The hacker Detective and am here to say a very big thank you: contact him on fredvalcyberghost@gmail.com and you can text, call him on +;;1- (;;4;;23)641 1452 and whatsapp him on +15177981808

    Stephanie Duran1个月前 (10-28)回复
  10. #2

    Tracking cellphones and getting an accurate report has been a bit worrisome, thanks to Jeffrey whose service helped me locate certain cellphones without breaking a sweat. His service made me know that the internet has become the most common method of cheating nowadays, either emotionally or physically. Taking a few extra steps in getting what would serve as proof for leaving a toxic relationship, to see who your spouse texts or chats with on social media isn’t a bad idea, I’d recommend you reach out to Jeffreyethicalhacker@gmail.com
    Text,call or whatsapp on: +1 (747)345-9036
    75556

    dda liey5541周前 (11-23)回复
  11. #1

    Imagine losing your life savings of almost half a million dollars to a group of African scammers thinking you are going to earn more from cryptocurrency investment, that would have been disaster but Cyber Genie made that not to happen thereby rescuing me from life of torture and regrets that could have led to suicide. Don’t ever give up on trying to recover your lost investment to those African crooks, write them on [Cybergenie AT cyberservices .com] Whatspp [+1-252-512-0391]

    Fernando6天前回复