
Linux教程FG454-Kubernetes网络方案

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

文档介绍Kubernetes网络方案的配置方法。

Part01-网络概述

1.1 网络模型

# Kubernetes网络模型
[root@k8s-master ~]# cat > /root/k8s-network.txt << 'EOF'
Kubernetes网络模型
=================
1. 网络要求
- 所有Pod不使用NAT即可通信
- 所有Node不使用NAT即可与Pod通信
- Pod看到的IP与其他看到的一致
2. 网络插件(CNI)
- Calico: 性能好,支持网络策略
- Flannel: 简单易用,Overlay网络
- Cilium: eBPF技术,高性能
- Weave: 简单配置,加密通信
3. 网络类型
- Pod网络: 容器间通信
- Service网络: 服务发现与负载均衡
- Ingress网络: 外部访问入口
4. 网络策略
- 入站规则
- 出站规则
- 命名空间隔离
EOF

Part02-Calico网络

2.1 安装Calico

# 下载Calico清单(先下载到本地并审核内容,再执行 kubectl apply,避免直接应用远程文件)
[root@k8s-master ~]# curl https://raw.githubusercontent.com/projectcalico/calico/v3.26.0/manifests/calico.yaml -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 23456 100 23456 0 0 12345 0 0:00:01 0:00:01 --:--:-- 12345

# 安装Calico
[root@k8s-master ~]# kubectl apply -f calico.yaml
poddisruptionbudget.policy/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
serviceaccount/calico-node created
configmap/calico-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/caliconodestatuses.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipreservations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
daemonset.apps/calico-node created
deployment.apps/calico-kube-controllers created

# 查看Calico状态
[root@k8s-master ~]# kubectl get pods -n kube-system -l k8s-app=calico-node
NAME READY STATUS RESTARTS AGE
calico-node-abc12 1/1 Running 0 2m
calico-node-def34 1/1 Running 0 2m
calico-node-ghi56 1/1 Running 0 2m

# 查看节点网络状态
[root@k8s-master ~]# kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-master Ready control-plane 10d v1.28.3 192.168.1.100 Oracle Linux Server 9.3 5.15.0-200.131.2.el9uek.x86_64 containerd://1.7.2
k8s-node1 Ready 10d v1.28.3 192.168.1.101 Oracle Linux Server 9.3 5.15.0-200.131.2.el9uek.x86_64 containerd://1.7.2
k8s-node2 Ready 10d v1.28.3 192.168.1.102 Oracle Linux Server 9.3 5.15.0-200.131.2.el9uek.x86_64 containerd://1.7.2

# 查看IP池配置(注意:默认 Pod CIDR 192.168.0.0/16 与本例节点网段 192.168.1.0/24 重叠,会引起路由冲突;生产环境应在安装前修改 calico.yaml 中的 CALICO_IPV4POOL_CIDR,或调整 IPPool 的 cidr,使其与节点网络、Service 网段均不重叠)
[root@k8s-master ~]# kubectl get ippool -o yaml
apiVersion: v1
items:
- apiVersion: crd.projectcalico.org/v1
  kind: IPPool
  metadata:
    name: default-ipv4-ippool
  spec:
    blockSize: 26
    cidr: 192.168.0.0/16
    ipipMode: Always
    natOutgoing: true
    nodeSelector: all()
    vxlanMode: Never
kind: List

Part03-网络策略

3.1 配置网络策略

# 创建命名空间
[root@k8s-master ~]# kubectl create namespace fgedu-prod
namespace/fgedu-prod created

[root@k8s-master ~]# kubectl create namespace fgedu-dev
namespace/fgedu-dev created

# 默认拒绝所有入站流量(仅作用于 fgedu-prod 命名空间,且 policyTypes 只包含 Ingress,出站流量仍不受限制;网络策略需要 CNI 支持,本例使用的 Calico 支持)
[root@k8s-master ~]# cat > default-deny-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: fgedu-prod
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF

[root@k8s-master ~]# kubectl apply -f default-deny-ingress.yaml
networkpolicy.networking.k8s.io/default-deny-ingress created

# 允许特定流量
[root@k8s-master ~]# cat > fgedu-allow-web.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-traffic
  namespace: fgedu-prod
spec:
  podSelector:
    matchLabels:
      app: fgedu-web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: fgedu-prod
    - ipBlock:
        cidr: 192.168.1.0/24
    ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
EOF

[root@k8s-master ~]# kubectl apply -f fgedu-allow-web.yaml
networkpolicy.networking.k8s.io/allow-web-traffic created

# 允许特定Pod访问数据库
[root@k8s-master ~]# cat > fgedu-allow-db.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-access
  namespace: fgedu-prod
spec:
  podSelector:
    matchLabels:
      app: fgedu-database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: database
    ports:
    - protocol: TCP
      port: 3306
EOF

[root@k8s-master ~]# kubectl apply -f fgedu-allow-db.yaml
networkpolicy.networking.k8s.io/allow-db-access created

# 查看网络策略
[root@k8s-master ~]# kubectl get networkpolicy -n fgedu-prod
NAME POD-SELECTOR AGE
allow-db-access app=fgedu-database 1m
allow-web-traffic app=fgedu-web 2m
default-deny-ingress <none> 3m

Part04-Ingress配置

4.1 部署Ingress Controller

# 部署Nginx Ingress Controller(清单已固定版本 controller-v1.8.2;建议先下载并审核清单内容后再应用,而不是直接应用远程文件)
[root@k8s-master ~]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
serviceaccount/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
configmap/ingress-nginx-controller created
service/ingress-nginx-controller created
service/ingress-nginx-controller-admission created
deployment.apps/ingress-nginx-controller created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
ingressclass.networking.k8s.io/nginx created

# 查看Ingress Controller状态
[root@k8s-master ~]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-abc12 0/1 Completed 0 2m
ingress-nginx-admission-patch-def34 0/1 Completed 0 2m
ingress-nginx-controller-ghi56-xyz78 1/1 Running 0 2m

# 创建Ingress规则
[root@k8s-master ~]# cat > fgedu-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: fgedu-ingress
  namespace: fgedu-prod
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - fgedu.net.cn
    secretName: fgedu-tls
  rules:
  - host: fgedu.net.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: fgedu-web
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: fgedu-api
            port:
              number: 8080
EOF

[root@k8s-master ~]# kubectl apply -f fgedu-ingress.yaml
ingress.networking.k8s.io/fgedu-ingress created

# 查看Ingress状态(tls 引用的 Secret fgedu-tls 需提前在 fgedu-prod 命名空间中创建,否则控制器会回退到默认证书)
[root@k8s-master ~]# kubectl get ingress -n fgedu-prod
NAME CLASS HOSTS ADDRESS PORTS AGE
fgedu-ingress nginx fgedu.net.cn 192.168.1.100 80, 443 1m

# 测试访问(由于设置了 ssl-redirect: "true",纯 HTTP 请求通常会收到跳转到 HTTPS 的响应;如需验证后端内容,可改用 curl -k --resolve fgedu.net.cn:443:192.168.1.100 https://fgedu.net.cn)
[root@k8s-master ~]# curl -H "Host: fgedu.net.cn" http://192.168.1.100

Welcome to fgedu!

风哥针对网络方案建议:

  • 选择合适的CNI插件
  • 配置网络策略隔离
  • 使用Ingress管理入口流量
  • 配置TLS加密通信
  • 监控网络性能指标

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
