A Kubernetes NetworkPolicy uses a label selector to define network policies at the Pod level. ACK GlobalNetworkPolicy extends this capability with cluster-level network policies, allowing you to manage network security for an entire cluster. This guide shows you how to use ACK GlobalNetworkPolicy to implement fine-grained network policies for your cluster.
Prerequisites
- You have created an ACK Pro cluster that uses the Terway network plugin. For more information, see Create an ACK managed cluster.
- The Terway network plugin is version 1.9.4 or later, and the network policy feature is enabled. For more information, see Enable network policies.
- You have obtained the KubeConfig file for your cluster and used kubectl to connect to the cluster.
- Nodes must run the Terway network plugin. Nodes in exclusive ENI mode, virtual nodes, hybrid nodes, and other non-Alibaba Cloud nodes are not supported.
Step 1: Install the Poseidon component
Poseidon is a container network policy component that supports the standard Kubernetes NetworkPolicy resource.
Install Poseidon version 0.5.1 or later and enable the ACK NetworkPolicy feature.
- Log on to the ACK console. In the left navigation pane, click Clusters.
- On the Clusters page, click the name of your cluster. In the left navigation pane, click Add-ons.
- On the Add-ons page, click the Network tab. In the lower-right corner of the Poseidon card, click Install.
- In the Install Poseidon dialog box, select Enable ACK NetworkPolicy, and then click Confirm.
Step 2: ACK GlobalNetworkPolicy
The definition and usage of ACK GlobalNetworkPolicy are similar to those of Kubernetes NetworkPolicy. By default, its rules apply to all nodes and Pods in the cluster.
Syntax
The basic structure of an ACK GlobalNetworkPolicy is as follows:
apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: example
spec:
  podSelector: # Selects the Pods to which this policy applies. If empty, the policy applies to all Pods in the selected namespaces.
    matchLabels:
      foo: bar # Selects Pods with the label foo:bar.
  namespaceSelector: # Selects the namespaces to which this policy applies. If empty, the policy applies to all namespaces.
    matchLabels:
      foo: bar # Selects namespaces with the label foo:bar.
  policyTypes: # Specifies the traffic direction (Ingress, Egress, or both) that this policy enforces.
  - Ingress # The policy applies to inbound traffic.
  - Egress # The policy applies to outbound traffic.
  ingress: [] # Ingress rules.
  egress: [] # Egress rules.
Limitations
In a single cluster, the following limits apply:
- The number of GlobalNetworkPolicy resources cannot exceed 100.
- The number of inbound (ingress) and outbound (egress) rules in a single GlobalNetworkPolicy should be less than 20.
- The number of ports in a single ingress or egress rule should be fewer than 10.
Ingress and egress rules
The ingress and egress rules define the sources and destinations of traffic allowed by a GlobalNetworkPolicy. Both rule types have the same structure: ingress rules use from and egress rules use to to specify the scope of allowed communication.
apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: example # Policy name
spec:
  podSelector: {}
  namespaceSelector: null
  policyTypes:
  - Ingress # The policy includes ingress rules.
  - Egress # The policy includes egress rules.
  ingress:
  - from:
    - namespaceSelector: # Allows ingress traffic from Pods in namespaces with matching labels.
        matchLabels:
          foo: bar
      podSelector: # Allows ingress traffic from Pods with matching labels.
        matchLabels:
          foo: bar
    ports:
    - protocol: TCP # Allows TCP traffic. Valid values: TCP, UDP.
      port: 443 # Allows traffic on port 443.
  - from:
    - ipBlock: # Specifies the CIDR range for allowed ingress traffic from outside the cluster.
        cidr: "172.16.0.0/16"
        except:
        - "172.16.1.0/24" # Excludes a specific CIDR range from the allowed sources.
  egress:
  - to:
    - namespaceSelector: # Allows egress traffic to Pods in namespaces with matching labels.
        matchLabels:
          foo: bar
      podSelector: # Allows egress traffic to Pods with matching labels.
        matchLabels:
          foo: bar
  - to:
    - ipBlock: # Specifies the CIDR range for allowed egress traffic to outside the cluster.
        cidr: "172.16.0.0/16"
        except:
        - "172.16.1.0/24" # Excludes a specific CIDR range from the allowed egress destinations.
| Parameter | Description |
| --- | --- |
| ipBlock | Specifies a CIDR block for traffic from sources or to destinations outside the cluster. |
| podSelector | Selects Pods within the cluster by using a label selector. |
When you create a network policy, you cannot combine ipBlock with podSelector or namespaceSelector in the same from or to entry. The correct way is to list ipBlock and podSelector as separate entries, as follows:
ingress:
- from:
  - ipBlock: # The first source is an ipBlock.
      cidr: "192.168.0.0/16"
  - podSelector: # The second source is a podSelector.
      matchLabels:
        key: value
  ports:
  - protocol: TCP
    port: 80
The following is an invalid example and causes a conflict.
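To catch the ipBlock/selector conflict and the limits listed above before a manifest reaches the cluster, the following lint script is an added example (not part of ACK or of this topic); it reads the JSON that kubectl prints and assumes the resource can be queried as globalnetworkpolicy, and the two sample policies in it are constructed for the demonstration.

```python
import json
import sys

MAX_POLICIES = 100  # GlobalNetworkPolicy objects per cluster (limit from this topic)
MAX_RULES = 20      # ingress + egress rules per policy must stay below this
MAX_PORTS = 10      # ports per rule must stay below this

def lint_policy(policy):
    """Return problem strings for one GlobalNetworkPolicy dict; an empty list means clean."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    spec = policy.get("spec") or {}
    problems = []
    # An absent, empty or null podSelector and namespaceSelector selects every Pod in the cluster.
    if not spec.get("podSelector") and not spec.get("namespaceSelector"):
        problems.append(f"{name}: warning: no selectors, policy applies to all Pods")
    rules = [("ingress", "from", r) for r in spec.get("ingress") or []]
    rules += [("egress", "to", r) for r in spec.get("egress") or []]
    if len(rules) >= MAX_RULES:
        problems.append(f"{name}: {len(rules)} rules, must be fewer than {MAX_RULES}")
    for direction, key, rule in rules:
        for i, peer in enumerate(rule.get(key) or []):
            # ipBlock must be an entry of its own, never merged with a selector entry.
            if "ipBlock" in peer and ("podSelector" in peer or "namespaceSelector" in peer):
                problems.append(f"{name}: {direction} {key}[{i}] mixes ipBlock with a selector")
        if len(rule.get("ports") or []) >= MAX_PORTS:
            problems.append(f"{name}: {direction} rule must have fewer than {MAX_PORTS} ports")
    return problems

def lint_policies(policies):
    """Lint all policies of a cluster, including the per-cluster count limit."""
    problems = [] if len(policies) <= MAX_POLICIES else [f"{len(policies)} policies exceed {MAX_POLICIES}"]
    for policy in policies:
        problems += lint_policy(policy)
    return problems

# Constructed sample: the correct form from this topic, ipBlock and podSelector as separate entries.
VALID = {"apiVersion": "network.alibabacloud.com/v1beta2", "kind": "GlobalNetworkPolicy",
         "metadata": {"name": "web-ingress"},
         "spec": {"podSelector": {"matchLabels": {"foo": "bar"}}, "policyTypes": ["Ingress"],
                  "ingress": [{"from": [{"ipBlock": {"cidr": "192.168.0.0/16"}},
                                        {"podSelector": {"matchLabels": {"key": "value"}}}],
                               "ports": [{"protocol": "TCP", "port": 80}]}]}}
# Constructed sample: same intent, but ipBlock and podSelector merged into one entry (the conflict).
INVALID = json.loads(json.dumps(VALID))
INVALID["metadata"]["name"] = "web-ingress-bad"
INVALID["spec"]["ingress"][0]["from"] = [{"ipBlock": {"cidr": "192.168.0.0/16"},
                                          "podSelector": {"matchLabels": {"key": "value"}}}]

if __name__ == "__main__":  # usage: kubectl get globalnetworkpolicy -o json | python3 gnp_lint.py
    doc = json.load(sys.stdin)
    print("\n".join(lint_policies(doc.get("items", [doc]))) or "no problems found")
```

A single object from kubectl and a List of objects are both accepted, so the same script works for one manifest or for the whole cluster.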
Examples
The examples in this topic include a podSelector configuration, which you can adjust based on your specific requirements.
Exercise caution when you configure GlobalNetworkPolicy. If you do not specify podSelector and namespaceSelector, the policy applies to all Pods in the cluster.
Deny all traffic for specific Pods
The following YAML file defines a GlobalNetworkPolicy that applies only to Pods with the foo: bar label and denies all inbound and outbound network traffic.
apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector:
    matchLabels:
      foo: bar
  namespaceSelector: null
  policyTypes:
  - Ingress
  - Egress
  ingress: []
  egress: []
Allow specific Pods to access DNS
The following YAML file defines a GlobalNetworkPolicy that applies only to Pods with the foo: bar label and allows these Pods to communicate with the DNS service running in the cluster.
apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: allow-dns
spec:
  podSelector:
    matchLabels:
      foo: bar
  namespaceSelector: null
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns