Kubernetes Network Model: In-Depth Analysis and Practice
Kubernetes Networking Overview
Kubernetes networking is a core component of container orchestration: it gives every Pod a stable network identity and the ability to communicate with other Pods. This article examines the core concepts of the Kubernetes network model, the network plugins that implement it, and best practices for configuring them.
Core Concepts of Kubernetes Networking
1. The Pod network model
```text
┌─────────────────────────────────────────────────────────────────┐
│                    Kubernetes network model                     │
├─────────────────────────────────────────────────────────────────┤
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐          │
│  │    Pod1     │    │    Pod2     │    │    Pod3     │          │
│  │  10.1.0.2   │────│  10.1.0.3   │────│  10.1.0.4   │          │
│  └─────────────┘    └─────────────┘    └─────────────┘          │
│         │                  │                  │                 │
│         ▼                  ▼                  ▼                 │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │                    Service network                      │    │
│  │                 ClusterIP: 10.96.0.10                   │    │
│  └─────────────────────────────────────────────────────────┘    │
│                               │                                 │
│                               ▼                                 │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │                        Ingress                          │    │
│  │                example.com -> 10.96.0.10                │    │
│  └─────────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────────┘
```
2. Service networking
```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-service
spec:
  type: ClusterIP
  selector:
    app: myapp
  ports:
    - port: 80          # port exposed on the Service's cluster IP
      targetPort: 8080  # port the selected Pods actually listen on
      protocol: TCP
```
3. Pod-to-Pod communication
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: network-test
spec:
  containers:
    - name: busybox
      image: busybox:1.35
      command: ["sleep", "3600"]   # keep the Pod alive so it can be used for connectivity tests
```
Kubernetes Network Plugins
1. Calico configuration
```yaml
# calico.yaml
apiVersion: crd.projectcalico.org/v1
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: 10.1.0.0/16     # Pod CIDR; must not overlap the node or Service CIDRs
  ipipMode: Always      # IP-in-IP encapsulation for Pod traffic between nodes
  natOutgoing: true     # SNAT Pod traffic that leaves the pool (e.g. to the Internet)
```
2. Flannel configuration
```yaml
# kube-flannel.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
```
3. Cilium configuration
```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  endpointSelector:
    matchLabels:
      app: myapp
  # Once a Cilium policy selects an endpoint, any ingress not listed below is dropped,
  # so this allows only frontend -> myapp on TCP 8080 and denies everything else.
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
```
Network Policies
1. Basic network policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}        # empty selector: applies to every Pod in the namespace
  policyTypes:
    - Ingress
    - Egress             # no ingress/egress rules follow, so all traffic is denied
```
2. Allowing specific traffic
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-database-access
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Two peers in one list are OR-ed: api Pods in this namespace OR the listed CIDR.
        - podSelector:
            matchLabels:
              app: api
        - ipBlock:
            cidr: 192.168.1.0/24
            except:
              - 192.168.1.100/32
      ports:
        - protocol: TCP
          port: 5432
```
3. Egress policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:          # without a namespaceSelector this only matches Pods in "default"
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 8080
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # label the API server sets on every namespace
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP         # DNS falls back to TCP for large responses
          port: 53
```
Service Types in Detail
1. ClusterIP
```yaml
apiVersion: v1
kind: Service
metadata:
  name: internal-service
spec:
  type: ClusterIP       # reachable only from inside the cluster
  selector:
    app: backend
  ports:
    - port: 80
      targetPort: 8080
```
2. NodePort
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nodeport-service
spec:
  type: NodePort        # also opens the port on every node's IP
  selector:
    app: frontend
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 30080   # must fall within the node port range (30000-32767 by default)
```
3. LoadBalancer
```yaml
apiVersion: v1
kind: Service
metadata:
  name: loadbalancer-service
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
  loadBalancerIP: 192.168.1.100   # requested address; deprecated since 1.24 in favour of provider annotations
```
4. ExternalName
```yaml
apiVersion: v1
kind: Service
metadata:
  name: external-service
spec:
  type: ExternalName
  externalName: api.example.com   # cluster DNS returns a CNAME; nothing is proxied
```
Ingress Configuration
1. Basic Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```
2. TLS configuration
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # cert-manager issues the certificate into example-tls
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```
3. Multi-path configuration
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-path-ingress
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 8080
          - path: /web
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```
Network Performance Optimization
1. Network policy optimization
```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: optimized-policy
spec:
  endpointSelector:
    matchLabels:
      app: high-performance
  ingress:
    - fromEndpoints:          # identity-based matching avoids per-IP rules
        - matchLabels:
            app: trusted
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
```
2. Service topology optimization
```yaml
apiVersion: v1
kind: Service
metadata:
  name: topology-service
  annotations:
    # Prefer endpoints in the client's zone; newer clusters use service.kubernetes.io/topology-mode: Auto
    service.kubernetes.io/topology-aware-hints: auto
spec:
  type: ClusterIP
  selector:
    app: myapp
  ports:
    - port: 80
      targetPort: 8080
```
3. Node-local DNS
```yaml
# Legacy kube-dns ConfigMap format; clusters running CoreDNS configure forwarding
# in the Corefile held in the "coredns" ConfigMap instead.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-dns
  namespace: kube-system
data:
  stubDomains: |
    {"example.com": ["10.96.0.10"]}
  upstreamNameservers: |
    ["8.8.8.8", "8.8.4.4"]
```
Network Troubleshooting
1. Network diagnostic tools
```bash
# Show Pod IPs and the nodes they are scheduled on
kubectl get pods -o wide
# Test Pod-to-Pod connectivity (replace pod2-ip with an address from the previous command)
kubectl exec -it pod1 -- ping pod2-ip
# Show the endpoints behind each Service (an empty list means the selector matches no ready Pod)
kubectl get endpoints
# List NetworkPolicies in the current namespace
kubectl get networkpolicy
```
2. DNS troubleshooting
```bash
# Test DNS resolution from inside a Pod
kubectl exec -it mypod -- nslookup kubernetes.default
# Show the DNS configuration
kubectl get configmap kube-dns -n kube-system -o yaml
# Show CoreDNS logs
kubectl logs -n kube-system -l k8s-app=kube-dns
```
3. Network policy troubleshooting
```bash
# Show the details of one NetworkPolicy
kubectl describe networkpolicy mypolicy
# Inspect policies with calicoctl
calicoctl get networkpolicy
# Inspect policies with the Cilium CLI
cilium policy get
```
Network Security Best Practices
1. Network isolation
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-isolation
  namespace: sensitive
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: trusted     # the "trusted" namespace must carry this label
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # e.g. for DNS
```
2. Zero-trust networking
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: zero-trust
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress       # deny everything; each workload then gets its own explicit allow policy
```
3. Service account isolation
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: restricted-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: restricted-role
  namespace: default
rules:
  - apiGroups: [""]          # "" is the core API group
    resources: ["pods"]
    verbs: ["get", "list"]   # read-only; a RoleBinding is still required to grant this Role to restricted-sa
```
Case Study: Building a Secure Microservice Network
Architecture Design
```text
┌─────────────────────────────────────────────────────────────────┐
│                Microservice network architecture                │
├─────────────────────────────────────────────────────────────────┤
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐          │
│  │  Frontend   │    │     API     │    │  Database   │          │
│  │  (Public)   │───>│  (Private)  │───>│ (Isolated)  │          │
│  └─────────────┘    └─────────────┘    └─────────────┘          │
│         │                  │                  │                 │
│         ▼                  ▼                  ▼                 │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │                    Network Policies                     │    │
│  │    - Frontend -> API only                               │    │
│  │    - API -> Database only                               │    │
│  │    - Deny all other traffic                             │    │
│  └─────────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────────┘
```
Implementation Steps
- Deploy a network plugin: choose Calico or Cilium as the CNI plugin
- Configure network policies: apply a default-deny policy in every namespace
- Define the service network: use ClusterIP Services so internal services stay internal
- Configure Ingress: expose only the services that must be reachable from outside
- Monitor network traffic: collect network metrics with Cilium or Prometheus
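Steps 2 and 3 above, like the three NetworkPolicy manifests in the Network Policies section, depend on how the networking.k8s.io/v1 API evaluates policies: a Pod becomes isolated in a direction as soon as any policy selecting it lists that direction in policyTypes, rules are additive allow-lists, peers inside one rule are OR-ed, a podSelector without a namespaceSelector is scoped to the policy's own namespace, and a flow needs both an egress allow at the source and an ingress allow at the destination. The evaluator below is an added example, not the article's code or any project's: it encodes those rules and runs them against the article's default-deny-all, allow-database-access and restrict-egress policies. The Pods, namespaces and IP addresses are constructed sample data; only matchLabels selectors are supported, ipBlock is matched on the IP alone, and namespaces are assumed to carry the kubernetes.io/metadata.name label.

```python
"""Offline evaluator for networking.k8s.io/v1 NetworkPolicy semantics (added example,
not the article's code). Assumptions: matchLabels-only selectors; ipBlock matched on IP
alone; namespaces carry kubernetes.io/metadata.name. All sample data is constructed."""
import ipaddress
from collections import namedtuple

Pod = namedtuple("Pod", "name namespace ip labels")   # namespace "" = not a Pod (external host)

# The API server sets kubernetes.io/metadata.name on every namespace.
NAMESPACES = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("default", "backend", "kube-system")}

PODS = {p.name: p for p in [
    Pod("frontend-1", "default", "10.1.0.2", {"app": "frontend"}),
    Pod("api-1", "default", "10.1.0.3", {"app": "api"}),
    Pod("api-2", "backend", "10.1.1.3", {"app": "api"}),
    Pod("db-1", "backend", "10.1.1.4", {"app": "database"}),
    Pod("coredns-1", "kube-system", "10.1.2.5", {"k8s-app": "kube-dns"}),
    Pod("office-host", "", "192.168.1.50", {}),     # constructed cluster-external client
    Pod("blocked-host", "", "192.168.1.100", {}),   # the address listed under ipBlock.except
]}

# The article's default-deny-all, allow-database-access and restrict-egress policies as parsed YAML.
POLICIES = [
    {"metadata": {"name": "default-deny-all", "namespace": "default"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "allow-database-access", "namespace": "backend"},
     "spec": {"podSelector": {"matchLabels": {"app": "database"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}},
                                    {"ipBlock": {"cidr": "192.168.1.0/24", "except": ["192.168.1.100/32"]}}],
                           "ports": [{"protocol": "TCP", "port": 5432}]}]}},
    {"metadata": {"name": "restrict-egress", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"app": "frontend"}}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]},
                         {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                                  "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                          "ports": [{"protocol": "UDP", "port": 53}]}]}},
]

def selector_matches(selector, labels):
    """matchLabels-only label selector; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def policy_types(spec):
    """API default when policyTypes is omitted: Ingress always, Egress only if egress rules exist."""
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])

def policies_for(pod, policies, direction):
    """Policies that select this Pod and isolate it in the given direction."""
    return [p for p in policies
            if p["metadata"]["namespace"] == pod.namespace
            and selector_matches(p["spec"]["podSelector"], pod.labels)
            and direction in policy_types(p["spec"])]

def peer_matches(peer, policy_ns, other):
    """Does one entry of a from/to list match the other endpoint of the flow?"""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(other.ip)
        return ip in ipaddress.ip_network(peer["ipBlock"]["cidr"]) and not any(
            ip in ipaddress.ip_network(x) for x in peer["ipBlock"].get("except", []))
    # A podSelector without namespaceSelector is scoped to the policy's own namespace.
    ns_ok = (selector_matches(peer["namespaceSelector"], NAMESPACES.get(other.namespace, {}))
             if "namespaceSelector" in peer else other.namespace == policy_ns)
    return ns_ok and ("podSelector" not in peer or selector_matches(peer["podSelector"], other.labels))

def port_matches(ports, port, proto):
    """No ports list means any port; an entry without a number means any port of that protocol."""
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port", port) == port for p in ports)

def allowed(pod, other, port, proto, policies, direction):
    """Ingress: may other->pod flow?  Egress: may pod->other flow?  Rules are additive allows."""
    applying = policies_for(pod, policies, direction)
    if not applying:
        return True   # not isolated in this direction
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for policy in applying:
        for rule in policy["spec"].get(rules_key, []):
            peers = rule.get(peers_key, [])   # peers within one rule are OR-ed; empty means any peer
            if (not peers or any(peer_matches(pe, policy["metadata"]["namespace"], other) for pe in peers)) \
                    and port_matches(rule.get("ports"), port, proto):
                return True
    return False

def connection_allowed(src, dst, port, proto="TCP", policies=POLICIES):
    """A flow needs an egress allow at the source AND an ingress allow at the destination."""
    return (allowed(src, dst, port, proto, policies, "Egress")
            and allowed(dst, src, port, proto, policies, "Ingress"))

def unprotected_namespaces(namespaces, policies):
    """Namespaces lacking a policy that isolates every Pod in both directions (case-study step 2)."""
    covered = {p["metadata"]["namespace"] for p in policies
               if not p["spec"]["podSelector"].get("matchLabels")
               and {"Ingress", "Egress"} <= set(policy_types(p["spec"]))}
    return sorted(set(namespaces) - covered)

if __name__ == "__main__":
    for s, d, port, proto in [("frontend-1", "api-1", 8080, "TCP"), ("api-2", "db-1", 5432, "TCP")]:
        print(s, "->", d, port, proto, "ALLOW" if connection_allowed(PODS[s], PODS[d], port, proto) else "DENY")
    print("namespaces without default deny:", unprotected_namespaces(NAMESPACES, POLICIES))
```

Running it shows the gap that default-deny policies routinely expose: restrict-egress lets frontend-1 send to api-1 on 8080, but default-deny-all isolates api-1 for ingress and nothing allows the traffic in, so the flow is denied until an ingress policy on the api Pods is added. api-2 in the backend namespace reaches db-1 because allow-database-access admits it and no policy isolates api-2 for egress, the office host is admitted through the ipBlock while the excepted address is not, and unprotected_namespaces reports which namespaces still lack the default-deny policy that step 2 calls for.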
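Step 4 above (expose only what must be reachable) and the manifests in the Ingress Configuration section can be checked statically before they are applied. The lint below is an added example, not the article's code or any Ingress controller's: it evaluates all Ingress objects together, because controllers merge the rules for one hostname across objects, and reports hostnames that no object covers with a tls entry (served in plaintext), rules without a host (which match every request that reaches the controller), and host+path pairs that different objects route to different Services. The first three manifests are the article's basic-ingress, tls-ingress and multi-path-ingress; admin-ingress is constructed here to trigger each finding.

```python
"""Static lint for Ingress objects (added example; not the article's or any controller's code).
Findings are (check, ingress name(s), subject) tuples. Manifests are parsed-YAML dicts;
admin-ingress is constructed for this example."""

def backend(name, port):
    """Shorthand for an Ingress backend pointing at a Service port."""
    return {"service": {"name": name, "port": {"number": port}}}

INGRESSES = [
    {"metadata": {"name": "basic-ingress"},
     "spec": {"rules": [{"host": "example.com", "http": {"paths": [
         {"path": "/", "pathType": "Prefix", "backend": backend("web-service", 80)}]}}]}},
    {"metadata": {"name": "tls-ingress"},
     "spec": {"tls": [{"hosts": ["example.com"], "secretName": "example-tls"}],
              "rules": [{"host": "example.com", "http": {"paths": [
         {"path": "/", "pathType": "Prefix", "backend": backend("web-service", 80)}]}}]}},
    {"metadata": {"name": "multi-path-ingress"},
     "spec": {"rules": [{"host": "example.com", "http": {"paths": [
         {"path": "/api", "pathType": "Prefix", "backend": backend("api-service", 8080)},
         {"path": "/web", "pathType": "Prefix", "backend": backend("web-service", 80)}]}}]}},
    # Constructed for this example: a plaintext admin host, a path clash and a host-less rule.
    {"metadata": {"name": "admin-ingress"},
     "spec": {"rules": [
         {"host": "admin.example.com", "http": {"paths": [
             {"path": "/", "pathType": "Prefix", "backend": backend("admin-service", 80)}]}},
         {"host": "example.com", "http": {"paths": [
             {"path": "/api", "pathType": "Prefix", "backend": backend("admin-service", 80)}]}},
         {"http": {"paths": [
             {"path": "/", "pathType": "Prefix", "backend": backend("admin-service", 80)}]}}]}},
]

def lint(ingresses):
    """Evaluate all Ingress objects together: controllers merge rules per hostname across objects."""
    tls_hosts = {h for ing in ingresses for entry in ing["spec"].get("tls", []) for h in entry.get("hosts", [])}
    findings, claims = [], {}
    for ing in ingresses:
        name = ing["metadata"]["name"]
        for rule in ing["spec"].get("rules", []):
            host = rule.get("host")
            if host is None:
                findings.append(("catch-all-rule", name, "*"))   # matches any Host header
            elif host not in tls_hosts:
                findings.append(("no-tls", name, host))           # hostname served in plaintext
            for p in rule.get("http", {}).get("paths", []):
                # remember which object claims each host+path for each backend Service
                claims.setdefault((host or "*", p["path"]), {})[p["backend"]["service"]["name"]] = name
    for (host, path), backends in claims.items():
        if len(backends) > 1:   # same host+path routed to different Services by different objects
            findings.append(("backend-conflict", ",".join(sorted(backends.values())), host + path))
    return findings

if __name__ == "__main__":
    for finding in lint(INGRESSES):
        print(*finding)
```

The article's three manifests produce no findings, since tls-ingress covers example.com for all of them; adding the constructed admin-ingress yields a plaintext hostname, a catch-all rule and a clash over example.com/api between api-service and admin-service, which a controller would resolve silently by picking one of the two backends.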
Summary
Kubernetes networking is the core of container orchestration: it gives Pods stable network identities and the ability to communicate. By configuring the network plugin, Services and network policies appropriately, you can build a network environment that is both secure and efficient.
In practice, the network plugin and the policy configuration must be chosen according to cluster size and security requirements, so that the network remains reliable and secure.
A firm grasp of the core concepts and best practices of the Kubernetes network model is essential for building and operating cloud-native applications.
