2. 首页 > Rancher教程 > 正文

Rancher教程FG023-Rancher多集群网络策略与安全隔离实战

教程整理:风哥教程  |  更新时间:2026-03-13  |  教程分类:Rancher教程  |  文档学习:33

本篇文章详细介绍Rancher多集群网络策略配置,包括NetworkPolicy网络隔离、命名空间隔离、Pod安全策略、服务网格安全等实战内容。风哥教程参考Rancher官方文档网络安全与多集群管理相关章节。

目录大纲

Part01-基础概念与理论知识

1.1 Kubernetes网络策略原理

NetworkPolicy是Kubernetes原生网络策略机制,用于控制Pod间流量。支持Ingress(入站流量)和Egress(出站流量)规则,基于标签选择器匹配Pod。策略类型包括:允许特定流量、拒绝所有流量、命名空间隔离。CNI插件如Calico、Cilium提供NetworkPolicy支持。更多视频教程www.fgedu.net.cn

1.2 多集群网络架构设计

Rancher多集群网络支持扁平网络、VPN连接、Submariner等方案。扁平网络通过VPC Peering实现集群间互通。VPN使用IPsec加密隧道,适合跨地域部署。Submariner提供跨集群Pod IP互通,支持服务发现。网络策略需要考虑集群间流量控制和安全隔离。学习交流加群风哥微信: itpux-com

Part02-生产环境规划与建议

2.1 网络策略规划原则

遵循最小权限原则,默认拒绝所有流量。按业务域划分命名空间,每个命名空间独立网络策略。生产环境严格限制跨命名空间访问,开发环境可适当放宽。定期审计网络策略,及时清理无效规则。使用标签和选择器简化策略管理。学习交流加群风哥QQ113257174

2.2 安全隔离架构设计

多层安全隔离:集群级别、命名空间级别、Pod级别。集群间使用VPN或Submariner加密通信。命名空间间使用NetworkPolicy隔离。Pod级别使用SecurityContext限制权限。敏感服务配置网络白名单,只允许特定来源访问。更多学习教程公众号风哥教程itpux_com

Part03-生产环境项目实施方案

3.1 命名空间网络隔离配置

配置命名空间级别的网络隔离策略。

namespace/fgedu-prod created
namespace/fgedu-dev created
namespace/fgedu-test created
namespace/fgedu-prod labeled
namespace/fgedu-dev labeled
namespace/fgedu-test labeled
networkpolicy.networking.k8s.io/fgedu-deny-all created
networkpolicy.networking.k8s.io/fgedu-allow-dns created
networkpolicy.networking.k8s.io/fgedu-allow-same-namespace created
NAME                     POD-SELECTOR   AGE
fgedu-deny-all                    2m
fgedu-allow-dns                   1m
fgedu-allow-same-namespace            1m

from Rancher视频:www.itpux.com

3.2 Pod间网络策略配置

配置特定Pod间的网络访问策略。

deployment.apps/fgedu-web created
deployment.apps/fgedu-api created
service/fgedu-web-svc created
service/fgedu-api-svc created
networkpolicy.networking.k8s.io/fgedu-web-to-api created
networkpolicy.networking.k8s.io/fgedu-api-egress created
NAME                         READY   STATUS    RESTARTS   AGE
fgedu-web-5d4f8b6c6-abc12   1/1     Running   0          2m
fgedu-web-5d4f8b6c6-def34   1/1     Running   0          2m
fgedu-api-7g8h9i0j1-ghi56   1/1     Running   0          2m
fgedu-api-7g8h9i0j1-jkl78   1/1     Running   0          2m

3.3 多集群网络策略配置

配置跨集群网络策略和安全隔离。

customresourcedefinition.apiextensions.k8s.io/submariners.submariner.io created
"submariner-latest" has been added to your repositories
Hang tight while we grab the latest from your chart repository...
...Successfully got an update from the "submariner-latest" chart repository
Update Complete. ⎈Happy Helming!⎈
namespace/submariner-k8s-broker created
NAME: submariner-broker
LAST DEPLOYED: Fri Apr 10 14:00:00 2026
NAMESPACE: submariner-k8s-broker
STATUS: deployed
REVISION: 1
submariner-broker-token-abc123def456
NAME: submariner
LAST DEPLOYED: Fri Apr 10 14:05:00 2026
NAMESPACE: submariner-operator
STATUS: deployed
REVISION: 1
NAME        AGE
cluster1    2m
NAME                                  READY   STATUS    RESTARTS   AGE
submariner-gateway-abc123def456        1/1     Running   0          3m
submariner-routeagent-ghi789jkl012     1/1     Running   0          3m

Part04-生产案例与实战讲解

4.1 网络策略实战验证

验证网络策略是否生效。

Welcome to nginx!


If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.


For online documentation and support please refer to
nginx.org.

Commercial support is available at
nginx.com.


Thank you for using nginx.


wget: download timed out
Name:         fgedu-deny-all
Namespace:    fgedu-prod
Created on:   2026-04-10 14:00:00 +0800 CST
Labels:       
Annotations:  

Spec:
  PodSelector:      (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
     (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
     (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress
NAME                         READY   STATUS    RESTARTS   AGE   IP            NODE
fgedu-web-5d4f8b6c6-abc12   1/1     Running   0          10m   10.42.1.10    fgedu-worker-1
fgedu-web-5d4f8b6c6-def34   1/1     Running   0          10m   10.42.2.11    fgedu-worker-2
fgedu-api-7g8h9i0j1-ghi56   1/1     Running   0          10m   10.42.3.12    fgedu-worker-3
fgedu-api-7g8h9i0j1-jkl78   1/1     Running   0          10m   10.42.1.13    fgedu-worker-1

4.2 安全隔离故障排查

排查网络策略相关故障。

NAME              READY   STATUS    RESTARTS   AGE
calico-node-abc12   1/1     Running   0          1d
calico-node-def34   1/1     Running   0          1d
calico-node-ghi56   1/1     Running   0          1d
NAMESPACE       NAME
fgedu-prod      fgedu-deny-all
fgedu-prod      fgedu-allow-dns
fgedu-prod      fgedu-allow-same-namespace
fgedu-prod      fgedu-web-to-api
fgedu-prod      fgedu-api-egress
2026-04-10 14:30:00.123 [INFO] 10.42.1.10: Denied ingress from 10.42.4.14:80 to 10.42.1.10:80 (policy: fgedu-deny-all)
2026-04-10 14:30:05.456 [INFO] 10.42.2.11: Denied egress from 10.42.2.11:80 to 10.42.4.15:80 (policy: fgedu-deny-all)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.11:43251        0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
Server:    10.43.0.10
Address 1: 10.43.0.10 kube-dns.kube-system.svc.cluster.local

Name:      kubernetes.default
Address 1: 10.43.0.1 kubernetes.default.svc.cluster.local

4.3 多集群网络故障处理

排查Submariner跨集群网络故障。

NAME                        READY   STATUS    RESTARTS   AGE
submariner-gateway-abc123    1/1     Running   0          10m
GATEWAY           CLUSTER   REMOTE IP      CABLE
submariner-gateway  cluster1  192.168.1.101   submariner-cable-abc123def456
CLUSTER   ID                                   HOST IP        SUBNETS
cluster1  12345678-1234-1234-1234-123456789012  192.168.1.100   10.42.0.0/16, 10.43.0.0/16
time="2026-04-10T14:35:00Z" level=info msg="Starting submariner gateway"
time="2026-04-10T14:35:01Z" level=info msg="Cable driver loaded: libreswan"
time="2026-04-10T14:35:02Z" level=info msg="Establishing connection to cluster2"
time="2026-04-10T14:35:05Z" level=info msg="Connection established to cluster2"
time="2026-04-10T14:35:06Z" level=info msg="Globalnet disabled, using native pod IPs"
PING 10.42.4.10 (10.42.4.10): 56 data bytes
64 bytes from 10.42.4.10: seq=0 ttl=62 time=2.345 ms
64 bytes from 10.42.4.10: seq=1 ttl=62 time=2.123 ms
64 bytes from 10.42.4.10: seq=2 ttl=62 time=2.456 ms

--- 10.42.4.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.123/2.308/2.456 ms
pod "submariner-gateway-abc123" deleted
pod/submariner-gateway-def456 condition met

Part05-风哥经验总结与分享

5.1 生产环境最佳实践

1. 默认拒绝所有流量,按需开放访问
2. 使用标签和选择器简化策略管理
3. 定期审计和清理无效策略
4. 监控网络策略命中情况
5. 使用命名空间隔离不同环境
6. 配置跨集群加密通信
7. 实施网络流量监控和分析
8. 定期进行安全渗透测试

5.2 常见问题与解决方案

1. 网络策略不生效:检查CNI插件支持、验证策略语法
2. 跨集群通信失败:检查Submariner配置、验证网络连通性
3. DNS解析失败:检查CoreDNS配置、验证网络策略
4. 性能下降:优化策略规则、减少策略数量
5. 调试困难:使用网络抓包工具、查看CNI日志
6. 策略冲突:检查策略优先级、合并重复规则
7. 端口访问被拒绝:检查端口配置、验证协议类型
8. 跨集群延迟高:优化网络配置、使用就近节点

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html

相关推荐

联系我们

在线咨询:点击这里给我发消息

微信号:itpux-com

工作日:9:30-18:30,节假日休息