Cilium Hands-on Labs: Path to Mastery --- 1. Getting Started with Cilium
- 1. Environment setup
- 1.1 kind
- 1.2 Cilium installation
- 1.3 Quiz
- 2. Deploying the demo
- 3. Access control tests
- 3.1 Access test without a policy
- 3.2 Access policy
- 3.3 A stricter policy
- 3.4 Quiz
- 4. Final exam
- 4.1 Task
- 4.2 Solution
1. Environment setup
Lab environment access:
https://isovalent.com/labs/getting-started-with-cilium/
1.1 kind
This environment is deployed with kind: one control-plane node and two worker nodes.
root@server:~# yq /etc/kind/${KIND_CONFIG}.yaml
---
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraPortMappings:
  # localhost.run proxy
  - containerPort: 32042
    hostPort: 32042
  # Hubble relay
  - containerPort: 31234
    hostPort: 31234
  # Hubble UI
  - containerPort: 31235
    hostPort: 31235
- role: worker
- role: worker
networking:
  disableDefaultCNI: true
  kubeProxyMode: none
root@server:~# kubectl get nodes
NAME STATUS ROLES AGE VERSION
kind-control-plane NotReady control-plane 9h v1.31.0
kind-worker NotReady <none> 9h v1.31.0
kind-worker2 NotReady <none> 9h v1.31.0
root@server:~#
1.2 Cilium installation
Install Cilium with the default settings:
root@server:~# cilium install
🔮 Auto-detected Kubernetes kind: kind
ℹ️ Using Cilium version 1.17.0
🔮 Auto-detected cluster name: kind-kind
ℹ️ Detecting real Kubernetes API server addr and port on Kind
🔮 Auto-detected kube-proxy has not been installed
ℹ️ Cilium will fully replace all functionalities of kube-proxy
root@server:~# cilium status --wait
    /¯¯\
 /¯¯\__/¯¯\    Cilium:             OK
 \__/¯¯\__/    Operator:           OK
 /¯¯\__/¯¯\    Envoy DaemonSet:    OK
 \__/¯¯\__/    Hubble Relay:       disabled
    \__/       ClusterMesh:        disabled

DaemonSet              cilium                   Desired: 3, Ready: 3/3, Available: 3/3
DaemonSet              cilium-envoy             Desired: 3, Ready: 3/3, Available: 3/3
Deployment             cilium-operator          Desired: 1, Ready: 1/1, Available: 1/1
Containers:            cilium                   Running: 3
                       cilium-envoy             Running: 3
                       cilium-operator          Running: 1
                       clustermesh-apiserver
                       hubble-relay
Cluster Pods:          3/3 managed by Cilium
Helm chart version:    1.17.0
Image versions         cilium             quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d: 3
                       cilium-envoy       quay.io/cilium/cilium-envoy:v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e@sha256:57a3aa6355a3223da360395e3a109802867ff635cb852aa0afe03ec7bf04e545: 3
                       cilium-operator    quay.io/cilium/operator-generic:v1.17.0@sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8: 1
root@server:~#
1.3 Quiz
√ Install Cilium on a cluster
√ Check the Cilium status on a cluster
× Install Kubernetes
2. Deploying the demo
A simple Empire demo application. It consists of several microservices, each identified by Kubernetes labels:

| Pod | Labels |
|---|---|
| the Death Star | org=empire, class=deathstar |
| the Imperial TIE fighter | org=empire, class=tiefighter |
| the Rebel X-Wing | org=alliance, class=xwing |
root@server:~# yq http-sw-app.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: deathstar
  labels:
    app.kubernetes.io/name: deathstar
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    org: empire
    class: deathstar
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deathstar
  labels:
    app.kubernetes.io/name: deathstar
spec:
  replicas: 2
  selector:
    matchLabels:
      org: empire
      class: deathstar
  template:
    metadata:
      labels:
        org: empire
        class: deathstar
        app.kubernetes.io/name: deathstar
    spec:
      containers:
      - name: deathstar
        # renovate: datasource=docker depName=quay.io/cilium/starwars
        image: quay.io/cilium/starwars@sha256:896dc536ec505778c03efedb73c3b7b83c8de11e74264c8c35291ff6d5fe8ada # v2.3
---
apiVersion: v1
kind: Pod
metadata:
  name: tiefighter
  labels:
    org: empire
    class: tiefighter
    app.kubernetes.io/name: tiefighter
spec:
  containers:
  - name: spaceship
    image: quay.io/cilium/json-mock:v1.3.8@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603
---
apiVersion: v1
kind: Pod
metadata:
  name: xwing
  labels:
    app.kubernetes.io/name: xwing
    org: alliance
    class: xwing
spec:
  containers:
  - name: spaceship
    image: quay.io/cilium/json-mock:v1.3.8@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603
root@server:~# k apply -f http-sw-app.yaml
service/deathstar created
deployment.apps/deathstar created
pod/tiefighter created
pod/xwing created
root@server:~# k get deployments.apps
NAME READY UP-TO-DATE AVAILABLE AGE
deathstar 2/2 2 2 2m50s
root@server:~# kubectl get pods,svc
NAME READY STATUS RESTARTS AGE
pod/deathstar-67c5c5c88-4cq6d 1/1 Running 0 3m23s
pod/deathstar-67c5c5c88-rbxgm 1/1 Running 0 3m23s
pod/tiefighter 1/1 Running 0 3m23s
pod/xwing 1/1 Running 0 3m23s

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/deathstar ClusterIP 10.96.123.234 <none> 80/TCP 3m23s
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 9h
Each Pod is also represented as an Endpoint in Cilium. To list all endpoints managed by Cilium, use the CiliumEndpoint (or cep) resource:
root@server:~# kubectl get cep --all-namespaces
NAMESPACE NAME SECURITY IDENTITY ENDPOINT STATE IPV4 IPV6
default deathstar-67c5c5c88-4cq6d 30077 ready 10.244.2.5
default deathstar-67c5c5c88-rbxgm 30077 ready 10.244.1.192
default tiefighter 12978 ready 10.244.1.155
default xwing 54749 ready 10.244.1.106
kube-system coredns-6f6b679f8f-bx7qc 16920 ready 10.244.0.18
kube-system coredns-6f6b679f8f-v94xf 16920 ready 10.244.0.124
local-path-storage local-path-provisioner-57c5987fd4-l9zh4 9204 ready 10.244.0.248
3. Access control tests
3.1 Access test without a policy
To simulate our connectivity tests we use curl to make simple API calls.
Let's test whether we can land the TIE fighter on the Death Star by running:
root@server:~# kubectl exec tiefighter -- \
  curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
Ship landed
The command above opens a shell in the tiefighter pod and issues an HTTP POST request to the deathstar Service to request a landing.
The command should succeed, because the TIE fighter and the Death Star are on the same side of the galactic war (the bad guys).
Now test whether you can land your X-Wing (the good guys) the same way:
root@server:~# kubectl exec xwing -- \
  curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
Ship landed
So far, access seems to be allowed! That is good news for the Rebel Alliance, which gets unrestricted access to the Death Star, but it should not be allowed.
3.2 Access policy
Obviously the rebels should not be authorized to access the Death Star directly, so let's add a policy that blocks them.
We start with a basic policy that restricts deathstar landing requests to ships carrying the label org=empire.
Before we jump straight into changing the policy, let's consider what the corresponding network policy should look like.
We only need to match Imperial ships, so we match on that label; in addition, we must make sure that ingress from endpoints carrying the label org=empire is allowed to port 80 over protocol TCP:
Configure the network policy and apply it to our demo system:
root@server:~# yq sw_l3_l4_policy.yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rule1"
spec:
  description: "L3-L4 policy to restrict deathstar access to empire ships only"
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
  - fromEndpoints:
    - matchLabels:
        org: empire
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
root@server:~# k apply -f sw_l3_l4_policy.yaml
ciliumnetworkpolicy.cilium.io/rule1 created
Now let's try landing the Imperial tiefighter again:
root@server:~# kubectl exec tiefighter -- \
  curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
Ship landed
This still works, as expected.
Requesting a landing from the xwing Pod, we see that the request eventually times out (use Ctrl+C to terminate the request):
root@server:~# kubectl exec xwing -- \
  curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
^C
root@server:~#
We have successfully blocked the X-Wing from entering the Death Star.
3.3 A stricter policy
The Death Star is now well protected: only Imperial ships are allowed in.
But what if the Rebellion managed to take control of an Imperial TIE Fighter? You, a rebel officer, have just taken over a TIE Fighter and are approaching the Death Star.
Consider that the deathstar service exposes some maintenance APIs that should not be called by arbitrary Imperial ships. If an Imperial ship launches a malicious attack:
root@server:~# kubectl exec tiefighter -- \
  curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port
Panic: deathstar exploded

goroutine 1 [running]:
main.HandleGarbage(0x2080c3f50, 0x2, 0x4, 0x425c0, 0x5, 0xa)
	/code/src/github.com/empire/deathstar/temp/main.go:9 +0x64
main.main()
	/code/src/github.com/empire/deathstar/temp/main.go:5 +0x85
root@server:~#
Yes, there was a Panic: the Death Star just exploded!
As you can see, this leads to a rather undesirable outcome. Although this is an illustrative example, unauthorized access like the above can have adverse security consequences. We need to enforce policy at Layer 7, the HTTP layer, to restrict exactly which APIs the tiefighter is allowed to call and which it is not.
This restricts API access to only the /v1/request-landing path, thereby preventing callers from reaching /v1/exhaust-port, which as we saw earlier causes a crash.
Once we add this access policy, Cilium's L7 security policy lets us restrict the tiefighter to only the API resources it needs on the deathstar, implementing a "least privilege" security approach for communication between microservices.
root@server:~# yq sw_l3_l4_l7_policy.yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rule1"
spec:
  description: "L7 policy to restrict access to specific HTTP call"
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
  - fromEndpoints:
    - matchLabels:
        org: empire
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "POST"
          path: "/v1/request-landing"
root@server:~# k apply -f sw_l3_l4_l7_policy.yaml
ciliumnetworkpolicy.cilium.io/rule1 configured
root@server:~# kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port
Access denied
root@server:~#
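To make the difference between the two rule1 policies concrete, here is an added example (not part of the lab or of Cilium) that evaluates the page's requests against both policies. The policy dicts mirror sw_l3_l4_policy.yaml and sw_l3_l4_l7_policy.yaml; the matching order (endpointSelector, then fromEndpoints, then toPorts, then http rules) is a simplified model of Cilium's behaviour, not its code.

```python
# Added example, not part of the lab: simplified evaluator for the two rule1 policies
# on this page. Dicts mirror the YAML; matching order is a model of Cilium, not its code.
L3_L4_POLICY = {
    "endpointSelector": {"matchLabels": {"org": "empire", "class": "deathstar"}},
    "ingress": [{
        "fromEndpoints": [{"matchLabels": {"org": "empire"}}],
        "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}]}],
    }],
}
L7_POLICY = {
    "endpointSelector": {"matchLabels": {"org": "empire", "class": "deathstar"}},
    "ingress": [{
        "fromEndpoints": [{"matchLabels": {"org": "empire"}}],
        "toPorts": [{
            "ports": [{"port": "80", "protocol": "TCP"}],
            "rules": {"http": [{"method": "POST", "path": "/v1/request-landing"}]},
        }],
    }],
}
# Pod labels as printed by `kubectl get po --show-labels` in the lab.
DEATHSTAR = {"org": "empire", "class": "deathstar"}
TIEFIGHTER = {"org": "empire", "class": "tiefighter"}
XWING = {"org": "alliance", "class": "xwing"}

def selects(selector, labels):
    """An endpoint matches when it carries every key/value in matchLabels."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def evaluate(policy, src, dst, port, proto, method=None, path=None):
    """Return 'not-selected', 'allowed', 'denied' (L7, HTTP 403) or 'dropped' (L3/L4)."""
    if not selects(policy["endpointSelector"], dst):
        return "not-selected"   # policy does not apply to this destination
    for rule in policy["ingress"]:
        if not any(selects(s, src) for s in rule["fromEndpoints"]):
            continue            # L3: source identity not allowed by this rule
        for tp in rule["toPorts"]:
            if not any(p["port"] == str(port) and p["protocol"] == proto for p in tp["ports"]):
                continue        # L4: port/protocol not covered by this rule
            http_rules = tp.get("rules", {}).get("http")
            if not http_rules:
                return "allowed"  # pure L3/L4 rule: any request on the port passes
            # L7: the Envoy proxy forwards only requests matching an http rule
            if any(r.get("method", method) == method and r.get("path", path) == path
                   for r in http_rules):
                return "allowed"
            return "denied"     # proxy answers 403 "Access denied"
    return "dropped"            # nothing matched: packets dropped, curl times out

if __name__ == "__main__":  # the tiefighter's PUT /v1/exhaust-port under each policy
    for p in (L3_L4_POLICY, L7_POLICY):
        print(evaluate(p, TIEFIGHTER, DEATHSTAR, 80, "TCP", "PUT", "/v1/exhaust-port"))
```

Run stand-alone it prints allowed then denied, which is exactly the gap between sections 3.2 and 3.3: the L3-L4 rule passes every HTTP call on port 80, while the L7 rule lets through only the one method/path pair.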
3.4 Quiz
√ Network Policies can block or allow traffic between pods
× L3/L4 Network Policies can filter HTTP requests
√ L7 Network Policies can filter on HTTP paths
√ Cilium supports standard Kubernetes Network Policies
4. Final exam
4.1 Task
This Death Star was destroyed by an X-Wing. What does the Empire do? It builds another Death Star. And this time we really have to make sure that no X-Wing can access it.
Your task is to create a rule file at /root/policies/sneak.yaml containing a rule named rule1 that restricts access to the Death Star to Imperial ships only, using an L3-L4 policy:
- your organization is called empire, and you only want to allow ships of class tiefighter
- the endpoint the ships should reach is of class deathstar and belongs to the empire organization
- we also want to restrict access to port 80 and the TCP protocol.
- Test TIE fighter access:
kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
- Test X-Wing access:
kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
4.2 Solution
- Edit /root/policies/sneak.yaml according to the task:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rule1"
spec:
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
  - fromEndpoints:
    - matchLabels:
        org: empire
        class: tiefighter
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
- Apply the configuration:
kubectl apply -f /root/policies/sneak.yaml
- Test access:
root@server:~# k get po --show-labels
NAME READY STATUS RESTARTS AGE LABELS
deathstar-67c5c5c88-4cq6d 1/1 Running 2 (15m ago) 35m app.kubernetes.io/name=deathstar,class=deathstar,org=empire,pod-template-hash=67c5c5c88
deathstar-67c5c5c88-rbxgm 1/1 Running 0 35m app.kubernetes.io/name=deathstar,class=deathstar,org=empire,pod-template-hash=67c5c5c88
tiefighter 1/1 Running 0 35m app.kubernetes.io/name=tiefighter,class=tiefighter,org=empire
xwing 1/1 Running 0 35m app.kubernetes.io/name=xwing,class=xwing,org=alliance
root@server:~# kubectl apply -f /root/policies/sneak.yaml
ciliumnetworkpolicy.cilium.io/rule1 created
root@server:~# kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
Ship landed
root@server:~# kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
^C
root@server:~#