4. CES Global Policy Configuration
myf5 edited this page Dec 27, 2021 · 3 revisions
This policy scenario controls egress for the whole Kubernetes cluster. In general, every cluster needs to reach a few basic external services, and these policies are required by all services in the cluster. The overall policy uses a whitelist model: each service that must be reachable has to be explicitly allowed, and everything else is denied.
- First, create the target services that will be accessed. These services must live in the namespace where the CES controller runs. Combinations of IP, domain name and protocol are supported, as is an IP-only entry that allows any protocol:

Please note: if FQDN policies are required, the F5 administrator must configure the relevant DNS resolver on the F5 in advance. The steps are:

- First, configure a resolver in the F5 Network---DNS Resolvers screen
- Reference that resolver in the Security----options----Network Firewall--Firewall options screen
```yaml
kind: ExternalService
apiVersion: kubeovn.io/v1alpha1
metadata:
  name: globalextsvcdns
  namespace: kube-system
spec:
  addresses:
    - 8.8.8.8
    - 114.114.114.114
  ports:
    - name: tcp-53
      protocol: TCP
      port: "53"
    - name: udp-53
      protocol: UDP
      port: "53"
```

```yaml
apiVersion: kubeovn.io/v1alpha1
kind: ExternalService
metadata:
  name: globalextsvchttp
  namespace: kube-system
spec:
  addresses:
    - www.myf5.net
    - 60.28.100.46
  ports:
    - name: tcp-80
      port: "80"
      protocol: TCP
    - name: tcp-443
      port: "443"
      protocol: TCP
```

```yaml
apiVersion: kubeovn.io/v1alpha1
kind: ExternalService
metadata:
  name: test6extsvc-ip
  namespace: kube-system
spec:
  addresses:
    - 17.171.117.17
    - 18.18.18.18
```

```
# kubectl get externalservices.kubeovn.io -n kube-system
NAME               ADDRESSES
globalextsvcdns    [8.8.8.8 114.114.114.114]
globalextsvchttp   [www.myf5.net 60.28.100.46]
test6extsvc-ip     [17.171.117.17 18.18.18.18]
```
- Create the `clusteregressrules` resources. This resource has no namespace concept (it is cluster-scoped).

```
# kubectl get clusteregressrules.kubeovn.io -A
NAME                 ACTION               STATUS
global-policy-dns    accept-decisively    Success
global-policy-http   accept-decisively    Success
global-rule6-ip      accept-decisively    Success
```
```yaml
apiVersion: kubeovn.io/v1alpha1
kind: ClusterEgressRule
metadata:
  name: global-policy-dns
spec:
  action: accept-decisively
  externalServices:
    - globalextsvcdns
```

```yaml
apiVersion: kubeovn.io/v1alpha1
kind: ClusterEgressRule
metadata:
  name: global-policy-http
spec:
  action: accept-decisively
  externalServices:
    - globalextsvchttp
```

```yaml
apiVersion: kubeovn.io/v1alpha1
kind: ClusterEgressRule
metadata:
  name: global-rule6-ip
spec:
  action: accept-decisively
  externalServices:
    - test6extsvc-ip
status:
  phase: Success
```
DNS resolution through 8.8.8.8 succeeds:

```
~ # dig @8.8.8.8 www.f5se.io +short
f5se.io.
185.199.109.153
185.199.110.153
185.199.111.153
185.199.108.153
```
But resolution through 223.5.5.5 fails:

```
~ # dig @223.5.5.5 www.f5se.io +short
; <<>> DiG 9.16.19 <<>> @223.5.5.5 www.f5se.io +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
```
www.myf5.net is reachable:

```
~ # curl www.myf5.net
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
```
www.baidu.com is not reachable:

```
~ # curl www.baidu.com
^C
```
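The results above follow from the whitelist semantics: a destination is reachable only when a ClusterEgressRule with `accept-decisively` references an ExternalService that covers it, and an IP-only ExternalService covers every protocol and port. The following added example (not CES or Kube-OVN project code) models those semantics with the page's own objects transcribed as Python dicts, so a policy change can be sanity-checked before it is applied; the `dangling_references` lint and the treatment of FQDN entries as plain name matches are this example's own assumptions.

```python
# The page's ExternalService objects, transcribed as dicts (constructed for this
# example). An empty "ports" list models the IP-only service: any protocol/port.
EXTERNAL_SERVICES = {
    "globalextsvcdns": {"addresses": ["8.8.8.8", "114.114.114.114"],
                        "ports": [("TCP", 53), ("UDP", 53)]},
    "globalextsvchttp": {"addresses": ["www.myf5.net", "60.28.100.46"],
                         "ports": [("TCP", 80), ("TCP", 443)]},
    "test6extsvc-ip": {"addresses": ["17.171.117.17", "18.18.18.18"], "ports": []},
}

# The page's ClusterEgressRule objects (cluster-scoped, so no namespace).
# Only the accept-decisively action shown on the page is modelled.
CLUSTER_EGRESS_RULES = [
    {"name": "global-policy-dns", "action": "accept-decisively",
     "externalServices": ["globalextsvcdns"]},
    {"name": "global-policy-http", "action": "accept-decisively",
     "externalServices": ["globalextsvchttp"]},
    {"name": "global-rule6-ip", "action": "accept-decisively",
     "externalServices": ["test6extsvc-ip"]},
]


def service_matches(svc, dst, proto, port):
    """True if (dst, proto, port) falls inside one ExternalService.
    FQDN entries are compared by name here (assumption); on the F5 they are
    resolved through the DNS resolver the note above requires."""
    if dst not in svc["addresses"]:
        return False
    if not svc["ports"]:          # IP-only service: every protocol and port
        return True
    return (proto.upper(), int(port)) in svc["ports"]   # ports are quoted in YAML


def evaluate(dst, proto, port, rules=CLUSTER_EGRESS_RULES, services=EXTERNAL_SERVICES):
    """Return (decision, rule name). Whitelist model: traffic that no rule
    accepts decisively is dropped, so the default is ("drop", None)."""
    for rule in rules:
        for svc_name in rule["externalServices"]:
            svc = services.get(svc_name)
            if svc is None:       # dangling reference can never match
                continue
            if rule["action"] == "accept-decisively" and service_matches(svc, dst, proto, port):
                return ("accept", rule["name"])
    return ("drop", None)


def dangling_references(rules=CLUSTER_EGRESS_RULES, services=EXTERNAL_SERVICES):
    """Lint (assumption): rules naming an ExternalService that does not exist."""
    return [(r["name"], s) for r in rules
            for s in r["externalServices"] if s not in services]
```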
Next step: