一、简介

因为Flannel安装和使用简单便捷，但没有网络策略功能；而Calico具有网络策略功能，但部署和使用较复杂。所以，我们一般将Flannel和Calico联合使用。

二、Flannel网络插件

为了提高Flannel的性能，我们一般需要设置它的Backend参数打开Directrouting功能选项，在flannel配置文件中内容

  net-conf.json: |
    { 
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }

更改为

  net-conf.json: |
    { 
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan",
        "Directrouting": true
      }
    }

二、Calico网络插件

1.安装Calico

点击这里查看官方安装文档

安装仅提供网络策略的Calico，Installing Calico for policy and flannel (aka Canal) for networking，安装方法如下：（若需要相关yaml配置清单文件和image镜像可联系作者）

Installing with the Kubernetes API datastore (recommended)

1. Ensure that the Kubernetes controller manager has the following flags set:
   --cluster-cidr=<your-pod-cidr> and --allocate-node-cidrs=true.

   Tip: On kubeadm, you can pass --pod-network-cidr=<your-pod-cidr> to kubeadm to set both Kubernetes controller flags.

2. Download the flannel networking manifest for the Kubernetes API datastore.

   $ curl https://docs.projectcalico.org/manifests/canal.yaml -O
   

3. If you are using pod CIDR 10.244.0.0/16, skip to the next step. If you are using a different pod CIDR with kubeadm, no changes are required – Calico will automatically detect the CIDR based on the running configuration. For other platforms, make sure you uncomment the CALICO_IPV4POOL_CIDR variable in the manifest and set it to the same value as your chosen pod CIDR.
4. Issue the following command to install Calico.

   $ kubectl apply -f canal.yaml
   

5. If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enable application layer policy (optional).

2.Calico网络策略制定格式

对象networkpolicy，简称netpol

[root@master1 calico]# kubectl explain networkpolicy
KIND: NetworkPolicy
VERSION: networking.k8s.io/v1

DESCRIPTION:
NetworkPolicy describes what network traffic is allowed for a set of Pods

FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an
object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata <Object>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

spec <Object>
Specification of the desired behavior for this NetworkPolicy.

[root@master1 calico]# kubectl explain networkpolicy.spec
KIND:     NetworkPolicy
VERSION:  networking.k8s.io/v1

RESOURCE: spec <Object>

DESCRIPTION:
     Specification of the desired behavior for this NetworkPolicy.

     NetworkPolicySpec provides the specification of a NetworkPolicy

FIELDS:
   egress	<[]Object>
     List of egress rules to be applied to the selected pods. Outgoing traffic
     is allowed if there are no NetworkPolicies selecting the pod (and cluster
     policy otherwise allows the traffic), OR if the traffic matches at least
     one egress rule across all of the NetworkPolicy objects whose podSelector
     matches the pod. If this field is empty then this NetworkPolicy limits all
     outgoing traffic (and serves solely to ensure that the pods it selects are
     isolated by default). This field is beta-level in 1.8

   ingress	<[]Object>
     List of ingress rules to be applied to the selected pods. Traffic is
     allowed to a pod if there are no NetworkPolicies selecting the pod (and
     cluster policy otherwise allows the traffic), OR if the traffic source is
     the pod's local node, OR if the traffic matches at least one ingress rule
     across all of the NetworkPolicy objects whose podSelector matches the pod.
     If this field is empty then this NetworkPolicy does not allow any traffic
     (and serves solely to ensure that the pods it selects are isolated by
     default)

   podSelector	<Object> -required-
     Selects the pods to which this NetworkPolicy object applies. The array of
     ingress rules is applied to any pods selected by this field. Multiple
     network policies can select the same set of pods. In this case, the ingress
     rules for each are combined additively. This field is NOT optional and
     follows standard label selector semantics. An empty podSelector matches all
     pods in this namespace.

   policyTypes	<[]string>
     List of rule types that the NetworkPolicy relates to. Valid options are
     "Ingress", "Egress", or "Ingress,Egress". If this field is not specified,
     it will default based on the existence of Ingress or Egress rules; policies
     that contain an Egress section are assumed to affect Egress, and all
     policies (whether or not they contain an Ingress section) are assumed to
     affect Ingress. If you want to write an egress-only policy, you must
     explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write
     a policy that specifies that no egress is allowed, you must specify a
     policyTypes value that include "Egress" (since such a policy would not
     include an Egress section and would otherwise default to just [ "Ingress"
     ]). This field is beta-level in 1.8

常用选项ingress、egress、podSelector、policyTypes。

3.Calico网络策略功能演示

创建两个名称空间，制定网络策略，在两个名称空间中相互访问，以此做演示，显示Calico网络策略的功能使用方式。

1).创建两个名称空间

[root@master1 calico]# kubectl create ns dev
namespace/dev created
[root@master1 calico]# kubectl create ns prod
namespace/prod created

2).分别在两个名称空间中创建pod资源

apiVersion: v1
kind: Pod
metadata:
  name: calico-pod1
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1

创建pod

[root@master1 calico]# kubectl apply -f calico-pod.yaml -n dev
pod/calico-pod1 created
[root@master1 calico]# kubectl apply -f calico-pod.yaml -n prod
pod/calico-pod1 created

3).创建网络策略

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

创建和查看

[root@master1 calico]# kubectl apply -f ingress-demo.yaml -n dev
networkpolicy.networking.k8s.io/deny-all-ingress created
[root@master1 calico]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
deny-all-ingress   <none>         17s
[root@master1 calico]# kubectl describe netpol -n dev
Name:         deny-all-ingress
Namespace:    dev
Created on:   2020-05-30 11:43:20 +0800 CST
Labels:       <none>
Annotations:  Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress

4).测试功能1

分别访问两个名称空间下的pod如下，制定网络规则的名称空间dev的pod资源无法访问，而没有制定规则的名称空间prod下的pod可以正常访问。

[root@master1 calico]# kubectl get pods -n dev -o wide
NAME          READY   STATUS    RESTARTS   AGE     IP           NODE    NOMINATED NODE   READINESS GATES
calico-pod1   1/1     Running   0          8m33s   10.244.1.2   node1   <none>           <none>
[root@master1 calico]# kubectl get pods -n prod -o wide
NAME          READY   STATUS    RESTARTS   AGE     IP           NODE    NOMINATED NODE   READINESS GATES
calico-pod1   1/1     Running   0          8m36s   10.244.2.3   node2   <none>           <none>
[root@master1 calico]# curl 10.244.1.2
^C
[root@master1 calico]# curl 10.244.2.3
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>

5).修改网络规则

您暂时无权查看此隐藏内容！