This article assumes Calico is already installed. Calico can assign IP pools by node label: when a pod lands on a node carrying a given label, it receives an address from the pool bound to that label.
Check the 10-calico.conflist file
Confirm that the ipam field in /etc/cni/net.d/10-calico.conflist reads as follows. Do not set ipv4_pools: ["xx.xx.xx.xx/xx"] here: a pool list in the CNI config pins every pod on that node to those pools and overrides the node-selector assignment. If the field is present, just delete it.
"ipam": {
    "type": "calico-ipam",
    "assign_ipv4": "true"
},
Configure calicoctl
Skip this if calicoctl is already configured.
Download the calicoctl binary for your architecture and operating system:
Install calicoctl
Connect to etcd:
Configure calicoctl to connect to an etcd datastore
calicoctl's default configuration file is /etc/calico/calicoctl.cfg; if it does not exist, create it by hand. The certificate and key paths must be absolute (/etc/ssl/...), since calicoctl resolves a relative path against its working directory, and because the file points at an etcd client key it should be readable by root only. The file used in this example:
apiVersion: projectcalico.org/v3
kind: CalicoAPIConfig
metadata:
spec:
  etcdEndpoints: https://172.20.42.70:2379
  etcdKeyFile: /etc/ssl/etcd/ssl/node-master1-key.pem
  etcdCertFile: /etc/ssl/etcd/ssl/node-master1.pem
  etcdCACertFile: /etc/ssl/etcd/ssl/ca.pem
Test the configuration:
calicoctl get ippool
ippool operations
Delete the default ippool
If the default ippool shown by calicoctl get ippool -o wide occupies the whole cluster CIDR (the value of --cluster-cidr can be read from kube-controller-manager.yaml), the default ippool has to be deleted. The pool's name does not matter; what matters is the nodeSelector field: all() means the pool applies to every node, so it keeps handing out addresses on the nodes you want served by a label-scoped pool. Create the label-scoped pools before deleting the default one: once no pool selects a node, new pods scheduled there cannot obtain an address (pods that already hold one keep it).
calicoctl delete ippool default-pool
For the remaining steps (labelling nodes and creating pools with a nodeSelector), refer to Assign IP addresses based on topology.
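Before deleting the default pool it is worth checking, offline, which pool each node would actually draw from and whether the pools overlap. The script below is an added example written for this article; it is not code from the article or from Calico. It implements only a small subset of Calico's nodeSelector syntax (all(), has(key), key == "v", key != "v", joined with &&), which covers the selectors the procedure above uses. The cluster CIDR, pool names, CIDRs and node labels are constructed for the example, not read from a cluster.

```python
"""Which Calico IPPool does a node draw from, and are the pools consistent?

Added example for this article; not code from the article or from Calico.
Selector support is limited to: all(), has(key), key == "v", key != "v",
combined with &&. Everything below (cluster CIDR, pools, labels) is assumed.
"""
import ipaddress
import re

# Assumed --cluster-cidr taken from kube-controller-manager.yaml
CLUSTER_CIDR = ipaddress.ip_network("10.233.0.0/18")

# Constructed pools: the default pool left behind by the installer plus two
# label-scoped pools of the kind "Assign IP addresses based on topology" creates
POOLS = [
    {"name": "default-pool", "cidr": "10.233.0.0/18", "nodeSelector": "all()"},
    {"name": "zone-a", "cidr": "10.233.1.0/24", "nodeSelector": 'zone == "a"'},
    {"name": "zone-b", "cidr": "10.233.2.0/24", "nodeSelector": 'zone == "b"'},
]

_TERM = re.compile(
    r'^\s*(?:(all\(\))|has\((\w[\w./-]*)\)|(\w[\w./-]*)\s*(==|!=)\s*"([^"]*)")\s*$'
)


def node_matches(selector, labels):
    """True if a node carrying `labels` (a dict) matches the selector."""
    for term in selector.split("&&"):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        all_fn, has_key, key, op, value = m.groups()
        if all_fn:
            continue
        if has_key:
            if has_key not in labels:
                return False
            continue
        actual = labels.get(key)  # None when the label is absent
        if op == "==" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
    return True


def pools_for_node(pools, labels):
    """Names of every pool whose nodeSelector matches the node."""
    return [p["name"] for p in pools if node_matches(p["nodeSelector"], labels)]


def lint_pools(pools, cluster_cidr=CLUSTER_CIDR):
    """Return human-readable problems: pools outside the cluster CIDR,
    overlapping pools, and an all() pool still present beside scoped pools."""
    problems = []
    nets = {p["name"]: ipaddress.ip_network(p["cidr"]) for p in pools}
    for name, net in nets.items():
        if not net.subnet_of(cluster_cidr):
            problems.append(f"{name}: {net} lies outside cluster CIDR {cluster_cidr}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} vs {nets[b]})")
    if len(pools) > 1 and any(p["nodeSelector"].strip() == "all()" for p in pools):
        problems.append(
            "an all() pool is still present: it matches every node, so pods on "
            "labelled nodes may be given addresses from it; delete it"
        )
    return problems


if __name__ == "__main__":
    for msg in lint_pools(POOLS):
        print("problem:", msg)
    scoped = [p for p in POOLS if p["name"] != "default-pool"]
    for labels in ({"zone": "a"}, {"zone": "b"}, {}):
        print(labels, "->", pools_for_node(scoped, labels) or "NO POOL: new pods here get no IP")
```

The constructed pools correspond to IPPool objects created with calicoctl apply and a nodeSelector such as zone == "a", with the matching nodes labelled via kubectl label node. Run the lint before calicoctl delete ippool default-pool and again after it: the first run reports the all() pool and its overlaps, the second should be clean, and an unlabelled node then matches no pool at all, which is exactly the situation the caveat above warns about.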
Create a NetworkPolicy
Reference: Network Policies | Kubernetes
The article above created an ippool whose cidr is 10.233.1.0/24. Here we create a NetworkPolicy stating that only addresses in 10.233.1.0/24 may reach pods labelled app: nginx, and that pods labelled app: nginx may only reach pods in 10.233.1.0/24. The label can be replaced by one shared by the whole isolated environment. Two points to check before applying it: a NetworkPolicy covers only the namespace it is created in, so it must be created in every namespace the isolated pods live in; and because the egress rule permits 10.233.1.0/24 alone, the selected pods can no longer reach kube-dns or anything else outside that block unless a further egress rule allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-network-policy
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.233.1.0/24
  egress:
  - to:
    - ipBlock:
        cidr: 10.233.1.0/24
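To see what the policy above actually permits and denies, including the DNS side effect, the following script evaluates connections against it. It is an added example written for this article, not code from the article or from Kubernetes or Calico. It models only the parts of NetworkPolicy the policy above uses (podSelector, policyTypes, ingress/egress rules with ipBlock and ports), plus ipBlock.except; namespaceSelector and podSelector peers are not modelled. The policy is embedded as the dict yaml.safe_load would produce; the addresses are constructed: 10.233.1.0/24 is the article's pool, 10.233.2.5 is an assumed kube-dns pod address living in a different pool.

```python
"""Evaluate a Kubernetes NetworkPolicy's ipBlock rules for a given connection.

Added example for this article; not code from the article, Kubernetes or
Calico. Only ipBlock peers (with except), ports and policyTypes are modelled.
The policy dict below mirrors the article's manifest; the IPs are assumed.
"""
import copy
import ipaddress

# The article's NetworkPolicy, as yaml.safe_load would return it
POLICY = {
    "metadata": {"name": "my-network-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"ipBlock": {"cidr": "10.233.1.0/24"}}]}],
        "egress": [{"to": [{"ipBlock": {"cidr": "10.233.1.0/24"}}]}],
    },
}


def _peer_matches(peer, ip):
    """ipBlock peer: inside cidr and not inside any except entry."""
    blk = peer.get("ipBlock")
    if blk is None:
        return False  # namespaceSelector / podSelector peers are not modelled
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(blk["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(x) for x in blk.get("except", []))


def _port_matches(rule, port, proto):
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed means every port
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)


def selected(policy, pod_labels):
    """Does the policy's podSelector (matchLabels only) pick this pod?"""
    sel = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in sel.items())


def allowed(policy, direction, peer_ip, port, proto="TCP", pod_labels=None):
    """direction is "ingress" (peer_ip is the source) or "egress" (peer_ip is
    the destination). Returns True if the connection is permitted."""
    spec = policy["spec"]
    if pod_labels is not None and not selected(policy, pod_labels):
        return True  # the policy does not select this pod, so it imposes nothing
    if direction.capitalize() not in spec.get("policyTypes", []):
        return True  # this direction is not isolated by the policy
    key = "from" if direction == "ingress" else "to"
    for rule in spec.get(direction, []):
        if not _port_matches(rule, port, proto):
            continue
        peers = rule.get(key)
        if not peers:
            return True  # a rule with no peers matches every source/destination
        if any(_peer_matches(p, peer_ip) for p in peers):
            return True
    return False  # isolated direction, no rule matched: dropped


def with_dns_egress(policy, dns_pod_cidr):
    """Copy of the policy with an extra egress rule for 53/UDP and 53/TCP to
    dns_pod_cidr. An ipBlock is used because this evaluator only models
    ipBlock peers; in a real cluster a namespaceSelector plus podSelector for
    the kube-dns pods is the tighter choice."""
    fixed = copy.deepcopy(policy)
    fixed["spec"]["egress"].append({
        "to": [{"ipBlock": {"cidr": dns_pod_cidr}}],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
    })
    return fixed


if __name__ == "__main__":
    print("ingress from pool     :", allowed(POLICY, "ingress", "10.233.1.7", 80))
    print("ingress from elsewhere:", allowed(POLICY, "ingress", "10.233.2.7", 80))
    print("egress DNS (original) :", allowed(POLICY, "egress", "10.233.2.5", 53, "UDP"))
    fixed = with_dns_egress(POLICY, "10.233.2.0/24")
    print("egress DNS (with rule):", allowed(fixed, "egress", "10.233.2.5", 53, "UDP"))
```

The evaluator treats ipBlock as matching the address the packet carries after kube-proxy's DNAT, which is why the DNS check uses a kube-dns pod address rather than the Service ClusterIP. The added rule only opens port 53 to the DNS pods' block; everything else outside 10.233.1.0/24 stays blocked, which is the point of the isolation.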