kubernetes: intra-cluster isolation of applications
I have been experimenting with the k8s / kops / aws suite.
So far things have been going pretty well (except an issue when updating the cluster via kops).
I want to be able to make use of my existing resources/cluster and deploy 2 flavors of my app (i.e. production and testing) in the same cluster.
I would like to be on the safe side and maximize as much as possible the isolation between the k8s resources of those two deployments.
Definitely they're going on different namespaces.
From some investigation I have found out that I need to also apply NetworkPolicy to prevent inter-namespace communication; however applying NetworkPolicy resources requires a supporting networking solution (currently using kubenet, the default of kops, which doesn't).
What is the solution/plugin to go for?
Just want (at least for the time being) the level of isolation described above, which I assume can be achieved via NetworkPolicy even if there is a common CIDR for all pods (just saying that to emphasise that there is a need for just the simplest possible networking solution that achieves that, nothing more fancy with multiple CIDRs etc).
Ideally I would like to be able just to use the NetworkPolicy resource for some namespace-based (namespaceSelector) and pod-based (podSelector) ingress rules and that's it (?)
On my kops clusters I use weave networking (also I provision them as private topology, which excludes kubenet anyway). So my first suggestion would be to go with a different networking, weave and calico being the first ones that come to my mind.
Other than that, you might want to look into a service mesh solution like Istio, which can leverage NetworkPolicies as well (some istio policy reading).
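As an added example, not part of either post above, these are the NetworkPolicy objects that implement the isolation the question asks for (default-deny ingress per namespace, then re-allow only via podSelector / namespaceSelector). It assumes a policy-enforcing CNI such as the Calico or Weave Net mentioned in the answer is installed, and assumes the namespaces carry an "env" label and the pods an "app" label; both labels are assumptions for this example.

```yaml
# Added example: isolate the "production" namespace with two NetworkPolicies.
# Assumed labels (not on the original page):
#   kubectl label namespace production env=production
#   kubectl label namespace testing env=testing
# Apply the same two objects with namespace "testing" for the other flavor;
# a NetworkPolicy only ever affects pods in the namespace it is created in.
# kubenet accepts these manifests but does not enforce them; they take effect
# only once a NetworkPolicy-capable CNI (Calico, Weave Net, ...) is in place.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}            # empty selector = every pod in this namespace
  policyTypes:
  - Ingress                  # Ingress listed with no rules = all ingress denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-production
  namespace: production
spec:
  podSelector: {}            # applies to every pod in "production"
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Rule 1: any pod in this same namespace. A bare podSelector is scoped
    # to the policy's own namespace, so pods in "testing" never match it.
    - podSelector: {}
    # Rule 2: only pods labelled app=frontend in namespaces labelled
    # env=production. namespaceSelector and podSelector in the SAME list
    # item are ANDed; as two separate list items they would be ORed, which
    # would admit every pod of every env=production namespace.
    - namespaceSelector:
        matchLabels:
          env: production
      podSelector:
        matchLabels:
          app: frontend
```

Verify enforcement rather than trusting that the objects exist: a pod started in the testing namespace should time out when it tries to reach a service in production, and only then is the CNI actually honouring the policy.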