
4. CES Global Policy Configuration

myf5 edited this page Dec 27, 2021 · 3 revisions

Global Egress Policy Use case

This policy scenario controls egress for the whole k8s cluster. In general, every cluster needs to reach a few basic external services, and those policies are required by all workloads in the cluster. The overall policy is an allow-list (whitelist) model: any service that needs to be reached must be explicitly defined, otherwise the traffic is denied.


How to set the policy

  1. First create the target services to be accessed. These ExternalService resources must be created in the namespace where the CES controller runs. An entry can combine IP addresses, domain names and protocol/port, or list IP addresses only (any protocol):

    Please Note: if FQDN policies are needed, the F5 administrator must configure the relevant DNS resolver on the F5 in advance. The steps are:

    1. First, on the F5, create a resolver under Network---DNS Resolvers
    2. Then reference that resolver under Security----Options----Network Firewall--Firewall Options

    The three example ExternalService resources below (a DNS service by IP/port/protocol, an HTTP service mixing an FQDN and an IP, and an IP-only service) are separated with --- so they can be applied as one multi-document file:

    kind: ExternalService
    apiVersion: kubeovn.io/v1alpha1
    metadata:
      name: globalextsvcdns
      namespace: kube-system
    spec:
      addresses:
        - 8.8.8.8
        - 114.114.114.114
      ports:
        - name: tcp-53
          protocol: TCP
          port: "53"
        - name: udp-53
          protocol: UDP
          port: "53"
    ---
    apiVersion: kubeovn.io/v1alpha1
    kind: ExternalService
    metadata:
      name: globalextsvchttp
      namespace: kube-system
    spec:
      addresses:
      - www.myf5.net
      - 60.28.100.46
      ports:
      - name: tcp-80
        port: "80"
        protocol: TCP
      - name: tcp-443
        port: "443"
        protocol: TCP
    ---
    apiVersion: kubeovn.io/v1alpha1
    kind: ExternalService
    metadata:
      name: test6extsvc-ip
      namespace: kube-system
    spec:
      addresses:
      - 17.171.117.17
      - 18.18.18.18

    Check that the resources were created in the controller namespace:

    # kubectl get externalservices.kubeovn.io -n kube-system
    NAME               ADDRESSES
    globalextsvcdns    [8.8.8.8 114.114.114.114]
    globalextsvchttp   [www.myf5.net 60.28.100.46]
    test6extsvc-ip     [17.171.117.17 18.18.18.18]
  2. Create the ClusterEgressRule resources. This resource is cluster-scoped and has no namespace. Each rule references one or more ExternalService resources by name and applies the action accept-decisively to them:

    apiVersion: kubeovn.io/v1alpha1
    kind: ClusterEgressRule
    metadata:
      name: global-policy-dns
    spec:
      action: accept-decisively
      externalServices:
      - globalextsvcdns
    ---
    apiVersion: kubeovn.io/v1alpha1
    kind: ClusterEgressRule
    metadata:
      name: global-policy-http
    spec:
      action: accept-decisively
      externalServices:
      - globalextsvchttp
    ---
    apiVersion: kubeovn.io/v1alpha1
    kind: ClusterEgressRule
    metadata:
      name: global-rule6-ip
    spec:
      action: accept-decisively
      externalServices:
      - test6extsvc-ip
    status:
      phase: Success

    Once applied, every rule should report STATUS Success:

    # kubectl get clusteregressrules.kubeovn.io -A
    NAME                 ACTION              STATUS
    global-policy-dns    accept-decisively   Success
    global-policy-http   accept-decisively   Success
    global-rule6-ip      accept-decisively   Success
    
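As an added example (not part of the CES project and not code from this page), the Python script below lints a set of ExternalService and ClusterEgressRule manifests before they are applied, checking the constraints stated in the two steps above: the ExternalService must sit in the controller's namespace, the ClusterEgressRule must be cluster-scoped, every referenced ExternalService must exist, every port must be a valid TCP or UDP port, and FQDN addresses are flagged because they need the F5 DNS resolver. It also reports an ExternalService that no rule references, since under the allow-list model such a service permits nothing. The manifests are embedded as Python dicts mirroring the YAML on this page; the field names, the kube-system namespace and the accept-decisively action are taken from this page, and treating them as the full schema is an assumption, not the CRD definition.

```python
"""Offline lint for CES egress manifests (added example; schema assumed from this page)."""
import ipaddress
import re

CONTROLLER_NAMESPACE = "kube-system"  # assumption: the namespace where the CES controller runs
KNOWN_ACTIONS = {"accept-decisively"}  # assumption: the only action value shown on this page
ALLOWED_PROTOCOLS = {"TCP", "UDP"}
# Hostname: dot-separated labels of letters, digits and hyphens with an alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)

def classify_address(addr):
    """Return 'ip', 'fqdn' or 'invalid' for one entry of spec.addresses."""
    try:
        ipaddress.ip_address(addr)
        return "ip"
    except ValueError:
        return "fqdn" if FQDN_RE.match(addr) else "invalid"

def check_external_service(svc):
    """Findings for one ExternalService as (level, message); level is 'error' or 'info'."""
    out, name, spec = [], svc["metadata"].get("name", "<unnamed>"), svc.get("spec", {})
    if svc["metadata"].get("namespace") != CONTROLLER_NAMESPACE:
        out.append(("error", f"{name}: must be created in namespace {CONTROLLER_NAMESPACE}"))
    for addr in spec.get("addresses", []):
        kind = classify_address(addr)
        if kind == "invalid":
            out.append(("error", f"{name}: address {addr!r} is neither an IP nor an FQDN"))
        elif kind == "fqdn":
            out.append(("info", f"{name}: FQDN {addr} needs a DNS resolver configured on the F5"))
    for p in spec.get("ports", []):  # no ports at all means IP-only, any protocol
        port = str(p.get("port", ""))
        if p.get("protocol") not in ALLOWED_PROTOCOLS:
            out.append(("error", f"{name}: port {p.get('name')} has unsupported protocol {p.get('protocol')!r}"))
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            out.append(("error", f"{name}: port {p.get('name')} has invalid port value {port!r}"))
    return out

def check_cluster_egress_rule(rule, services):
    """Findings for one ClusterEgressRule; `services` maps ExternalService name to manifest."""
    out, name, spec = [], rule["metadata"].get("name", "<unnamed>"), rule.get("spec", {})
    if "namespace" in rule["metadata"]:
        out.append(("error", f"{name}: ClusterEgressRule is cluster-scoped; drop metadata.namespace"))
    if spec.get("action") not in KNOWN_ACTIONS:
        out.append(("error", f"{name}: unknown action {spec.get('action')!r}"))
    for ref in spec.get("externalServices", []):
        if ref not in services:
            out.append(("error", f"{name}: references missing ExternalService {ref!r}"))
    return out

def lint(manifests):
    """Validate parsed manifests; returns (errors, notes) as two lists of strings."""
    services = {m["metadata"]["name"]: m for m in manifests if m.get("kind") == "ExternalService"}
    findings, referenced = [], set()
    for svc in services.values():
        findings += check_external_service(svc)
    for rule in (m for m in manifests if m.get("kind") == "ClusterEgressRule"):
        findings += check_cluster_egress_rule(rule, services)
        referenced.update(rule.get("spec", {}).get("externalServices", []))
    for unused in sorted(set(services) - referenced):  # a service no rule cites allows nothing
        findings.append(("info", f"{unused}: not referenced by any ClusterEgressRule"))
    return ([m for lvl, m in findings if lvl == "error"], [m for lvl, m in findings if lvl == "info"])

def ext_svc(name, addresses, ports=(), namespace=CONTROLLER_NAMESPACE):
    """Build an ExternalService dict in the shape of the YAML on this page."""
    spec = {"addresses": list(addresses)}
    if ports:
        spec["ports"] = [{"name": n, "protocol": proto, "port": port} for n, proto, port in ports]
    return {"apiVersion": "kubeovn.io/v1alpha1", "kind": "ExternalService",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}

def egress_rule(name, services, action="accept-decisively", namespace=None):
    """Build a ClusterEgressRule dict; namespace is only settable to demonstrate the error."""
    meta = {"name": name} if namespace is None else {"name": name, "namespace": namespace}
    return {"apiVersion": "kubeovn.io/v1alpha1", "kind": "ClusterEgressRule",
            "metadata": meta, "spec": {"action": action, "externalServices": list(services)}}

# Constructed sample mirroring the three policies on this page.
PAGE_MANIFESTS = [
    ext_svc("globalextsvcdns", ["8.8.8.8", "114.114.114.114"], [("tcp-53", "TCP", "53"), ("udp-53", "UDP", "53")]),
    ext_svc("globalextsvchttp", ["www.myf5.net", "60.28.100.46"], [("tcp-80", "TCP", "80"), ("tcp-443", "TCP", "443")]),
    ext_svc("test6extsvc-ip", ["17.171.117.17", "18.18.18.18"]),
    egress_rule("global-policy-dns", ["globalextsvcdns"]),
    egress_rule("global-policy-http", ["globalextsvchttp"]),
    egress_rule("global-rule6-ip", ["test6extsvc-ip"]),
]
# Constructed broken sample: wrong namespace, out-of-range port, namespaced rule, dangling reference.
BROKEN_MANIFESTS = [
    ext_svc("badsvc", ["10.0.0.1"], [("tcp-x", "TCP", "70000")], namespace="default"),
    egress_rule("bad-rule", ["badsvc", "missing-svc"], namespace="default"),
]

if __name__ == "__main__":
    for label, manifests in (("page", PAGE_MANIFESTS), ("broken", BROKEN_MANIFESTS)):
        errors, notes = lint(manifests)
        print(f"{label}: {len(errors)} error(s), {len(notes)} note(s)\n  " + "\n  ".join(errors + notes))
```

Run it as a script to see the page's manifests pass with a single note about www.myf5.net needing the F5 resolver, while the broken sample produces four errors. In practice the dicts would come from parsing the YAML files with a YAML library before they are handed to kubectl apply.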

Verification

DNS resolution through 8.8.8.8, which is in the allow list, succeeds:

~ # dig @8.8.8.8 www.f5se.io +short
f5se.io.
185.199.109.153
185.199.110.153
185.199.111.153
185.199.108.153

But resolution through 223.5.5.5, which is not defined in any ExternalService, fails:

~ # dig @223.5.5.5 www.f5se.io +short

; <<>> DiG 9.16.19 <<>> @223.5.5.5 www.f5se.io +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Accessing www.myf5.net, which is allowed, works:

~ # curl www.myf5.net
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

Accessing www.baidu.com, which is not allowed, fails (the connection hangs until interrupted):

~ # curl www.baidu.com
^C

Next step:

Namespace-level policy