Azure Kubernetes network policies overview

Network Policies provide micro-segmentation for pods, just as Network Security Groups (NSGs) provide micro-segmentation for VMs. The Azure Network Policy implementation supports the standard Kubernetes Network Policy specification. You can use labels to select a group of pods and define a list of ingress and egress rules that specify the kind of traffic that is allowed to and from those pods. Learn more about Kubernetes network policies in the Kubernetes documentation.

[Figure: Kubernetes network policies overview]

Azure network policies work in conjunction with the Azure CNI, which provides VNet integration for containers. It is supported only on Linux nodes today. The implementation configures Linux iptables rules based on the defined policies to enforce traffic filtering.

Planning security for your Kubernetes cluster

When implementing security for your cluster, use network security groups (NSGs) to filter North-South traffic, that is, traffic entering and leaving your cluster subnet, and use Kubernetes network policies for East-West traffic, that is, traffic between pods in your cluster.

Using Azure Kubernetes network policies

Azure Network Policies can be used in the following ways to provide micro-segmentation for pods.

ACS-engine

ACS-Engine is a tool that generates an Azure Resource Manager template for the deployment of a Kubernetes cluster in Azure. The cluster configuration is specified in a JSON file that is passed to the tool when generating the template. To learn more about the entire list of supported cluster settings and their descriptions, see Azure Container Service Engine - Cluster Definition.

To enable policies on clusters deployed using acs-engine, set the value of the networkPolicy setting in the cluster definition file to "azure".

Example configuration

The JSON example configuration below creates a new virtual network and subnet, and deploys a Kubernetes cluster in it with Azure CNI. We recommend that you use "Notepad" to edit the JSON file.

{
  "apiVersion": "vlabs",
  "properties": {
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
        "networkPolicy": "azure"
      }
    },
    "masterProfile": {
      "count": 1,
      "dnsPrefix": "<specify a cluster name>",
      "vmSize": "Standard_D2s_v3"
    },
    "agentPoolProfiles": [
      {
        "name": "agentpool",
        "count": 2,
        "vmSize": "Standard_D2s_v3",
        "availabilityProfile": "AvailabilitySet"
      }
    ],
    "linuxProfile": {
      "adminUsername": "<specify admin username>",
      "ssh": {
        "publicKeys": [
          {
            "keyData": "<cut and paste your ssh key here>"
          }
        ]
      }
    },
    "servicePrincipalProfile": {
      "clientId": "<enter the client ID of your service principal here>",
      "secret": "<enter the password of your service principal here>"
    }
  }
}

Creating your own Kubernetes cluster in Azure

The implementation can be used to provide Network Policies for pods in Kubernetes clusters that you deploy yourself, without relying on tools like ACS-Engine. In this case, you first install the CNI plug-in and enable it on every virtual machine in the cluster. For detailed instructions, see Deploy the plug-in for a Kubernetes cluster that you deploy yourself.

Once the cluster is deployed, run the following kubectl command to download the Azure network policy daemonset and apply it to the cluster.

kubectl apply -f https://raw.githubusercontent.com/Azure/acs-engine/master/parts/k8s/addons/kubernetesmasteraddons-azure-npm-daemonset.yaml

The solution is also open source, and the code is available in the Azure Container Networking repository.

Next steps