-
Notifications
You must be signed in to change notification settings - Fork 449
基于Subnet的ACL实现
oilbeater edited this page Jun 27, 2022
·
6 revisions
Wiki 下的中文文档将不在维护,请访问我们最新的中文文档网站,获取最新的文档更新。
目前有细粒度实现ACL的需求,要求基于Kube-OVN Subnet提供ACL的配置,实现ACL的精细化管理。
在Kube-OVN v1.10.0 版本中,实现了该功能。
Subnet CRD更新,增加ACL的字段,定义参考如下:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: subnets.kubeovn.io
spec:
group: kubeovn.io
versions:
- name: v1
served: true
storage: true
subresources:
status: {}
additionalPrinterColumns:
- name: Provider
type: string
jsonPath: .spec.provider
- name: Vpc
type: string
jsonPath: .spec.vpc
- name: Protocol
type: string
jsonPath: .spec.protocol
- name: CIDR
type: string
jsonPath: .spec.cidrBlock
- name: Private
type: boolean
jsonPath: .spec.private
- name: NAT
type: boolean
jsonPath: .spec.natOutgoing
- name: Default
type: boolean
jsonPath: .spec.default
- name: GatewayType
type: string
jsonPath: .spec.gatewayType
- name: V4Used
type: number
jsonPath: .status.v4usingIPs
- name: V4Available
type: number
jsonPath: .status.v4availableIPs
- name: V6Used
type: number
jsonPath: .status.v6usingIPs
- name: V6Available
type: number
jsonPath: .status.v6availableIPs
- name: ExcludeIPs
type: string
jsonPath: .spec.excludeIps
schema:
openAPIV3Schema:
type: object
properties:
status:
type: object
properties:
v4availableIPs:
type: number
v4usingIPs:
type: number
v6availableIPs:
type: number
v6usingIPs:
type: number
activateGateway:
type: string
dhcpV4OptionsUUID:
type: string
dhcpV6OptionsUUID:
type: string
conditions:
type: array
items:
type: object
properties:
type:
type: string
status:
type: string
reason:
type: string
message:
type: string
lastUpdateTime:
type: string
lastTransitionTime:
type: string
spec:
type: object
properties:
vpc:
type: string
default:
type: boolean
protocol:
type: string
enum:
- IPv4
- IPv6
- Dual
cidrBlock:
type: string
namespaces:
type: array
items:
type: string
gateway:
type: string
provider:
type: string
excludeIps:
type: array
items:
type: string
vips:
type: array
items:
type: string
gatewayType:
type: string
allowSubnets:
type: array
items:
type: string
gatewayNode:
type: string
natOutgoing:
type: boolean
externalEgressGateway:
type: string
policyRoutingPriority:
type: integer
minimum: 1
maximum: 32765
policyRoutingTableID:
type: integer
minimum: 1
maximum: 2147483647
not:
enum:
- 252 # compat
- 253 # default
- 254 # main
- 255 # local
private:
type: boolean
vlan:
type: string
logicalGateway:
type: boolean
disableGatewayCheck:
type: boolean
disableInterConnection:
type: boolean
enableDHCP:
type: boolean
dhcpV4Options:
type: string
dhcpV6Options:
type: string
enableIPv6RA:
type: boolean
ipv6RAConfigs:
type: string
htbqos:
type: string
acls: // 以下参数为ACL功能新增
type: array
items:
type: object
properties:
direction:
type: string
enum:
- from-lport
- to-lport
priority:
type: integer
minimum: 0
maximum: 32767
match:
type: string
action:
type: string
enum:
- allow-related
- allow-stateless
- allow
- drop
- reject
scope: Cluster
names:
plural: subnets
singular: subnet
kind: Subnet
shortNames:
- subnet
---
新增的ACL为数组参数,对象内容包含一条ACL配置必须的参数。
创建不同的子网和测试Pod,分别分配不同子网的地址
default namespace下的Pod,分配的默认子网的地址
test namespace下的Pod,分配的private子网的地址
apple@bogon ovn-test % kubectl get subnet
NAME PROVIDER VPC PROTOCOL CIDR PRIVATE NAT DEFAULT GATEWAYTYPE V4USED V4AVAILABLE V6USED V6AVAILABLE EXCLUDEIPS
join ovn ovn-cluster IPv4 100.64.0.0/16 false false false distributed 2 65531 0 0 ["100.64.0.1"]
ovn-default ovn ovn-cluster IPv4 10.16.0.0/16 false true true distributed 6 65527 0 0 ["10.16.0.1"]
private ovn ovn-cluster IPv4 2.2.0.0/16 true true false distributed 2 65531 0 0 ["2.2.0.1"]
apple@bogon ovn-test % kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dynamic-7d8d7874f5-fxhrq 1/1 Running 0 22h 10.16.0.12 kube-ovn-worker <none> <none>
apple@bogon ovn-test %
apple@bogon ovn-test % kubectl get pod -o wide -n test
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dynamic-7d8d7874f5-8v4jd 1/1 Running 0 4h42m 2.2.0.3 kube-ovn-control-plane <none> <none>
dynamic-7d8d7874f5-fcccl 1/1 Running 0 4h42m 2.2.0.2 kube-ovn-worker <none> <none>
apple@bogon ovn-test %
修改private子网的信息,添加acl参数
spec:
acls: // ACL 参数信息
- action: reject
direction: to-lport
match: ip4.src==10.16.0.12 && ip4.dst==2.2.0.3
priority: 2022
- action: allow
direction: to-lport
match: ip4.src==10.16.0.12 && ip4.dst==2.2.0.2
priority: 2222
...
查看OVN NB DB中生成的ACL信息
root@kube-ovn-control-plane:/kube-ovn# ovn-nbctl acl-list private
to-lport 2222 (ip4.src==10.16.0.12 && ip4.dst==2.2.0.2) allow
to-lport 2022 (ip4.src==10.16.0.12 && ip4.dst==2.2.0.3) reject
root@kube-ovn-control-plane:/kube-ovn#
match参数,需要手动编写,符合OVN SB DB中Logical_Flow的描述。
exec到default namespace下的Pod中,测试到test namespace下Pod的联通性
apple@bogon ovn-test % kubectl get pod -o wide
kubectNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dynamic-7d8d7874f5-fxhrq 1/1 Running 0 22h 10.16.0.12 kube-ovn-worker <none> <none>
apple@bogon ovn-test % kubectl get pod -o wide -n test
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dynamic-7d8d7874f5-8v4jd 1/1 Running 0 4h50m 2.2.0.3 kube-ovn-control-plane <none> <none>
dynamic-7d8d7874f5-fcccl 1/1 Running 0 4h50m 2.2.0.2 kube-ovn-worker <none> <none>
apple@bogon ovn-test %
apple@bogon ovn-test % kubectl exec -it dynamic-7d8d7874f5-fxhrq -- bash
bash-5.0# ping -c 3 2.2.0.3
PING 2.2.0.3 (2.2.0.3): 56 data bytes
--- 2.2.0.3 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
bash-5.0#
bash-5.0# ping -c 3 2.2.0.2
PING 2.2.0.2 (2.2.0.2): 56 data bytes
64 bytes from 2.2.0.2: seq=0 ttl=63 time=1.924 ms
64 bytes from 2.2.0.2: seq=1 ttl=63 time=0.477 ms
64 bytes from 2.2.0.2: seq=2 ttl=63 time=0.154 ms
--- 2.2.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.154/0.851/1.924 ms
bash-5.0#
根据测试结果可以确认,测试Pod到test namespace下的Pod访问,一个可以通,另外一个不通,符合ACL的限制要求。