Search

[CKA] 52. Network Policies

Date
2025/01/23
Category
Devops
Tag
Kubernetes
CKA
Security
λͺ©μ°¨

Β Traffic

Β Ingress & Egress

νŠΈλž˜ν”½μ€ 두 가지 μœ ν˜•μ˜ νŠΈλž˜ν”½μ΄ μ‘΄μž¬ν•˜λ©°, μ΄λŠ” Ingress와 Egress이닀. IngressλŠ” λ“€μ–΄μ˜€λŠ” νŠΈλž˜ν”½μ„ μ˜λ―Έν•˜λ©°, EgressλŠ” λ‚˜κ°€λŠ” νŠΈλž˜ν”½μ„ μ˜λ―Έν•œλ‹€. νŠΈλž˜ν”½μ„ μ •μ˜ν•  λ•ŒλŠ” νŠΈλž˜ν”½μ˜ λ°©ν–₯이 μ€‘μš”ν•˜λ‹€.
ν”„λ‘ νŠΈ μ—”λ“œμ˜ μ›Ή μ„œλ²„, λ°±μ—”λ“œ APIλ₯Ό μ„œλΉ„μŠ€ν•˜λŠ” μ•± μ„œλ²„, λ°μ΄ν„°λ² μ΄μŠ€ μ„œλ²„κ°€ μžˆμ„ λ•Œμ˜ νŠΈλž˜ν”½μ„ λ‚˜νƒ€λ‚Έλ‹€λ©΄ λ‹€μŒκ³Ό κ°™λ‹€:
Ingress
Egress
Web Server
Client β†’ WS
WS β†’ WAS
Application Server
WS β†’ WAS
WAS β†’ DB
Database Server
WAS β†’ DB
-

Β Rule

μœ„ ν‘œμ™€ 같이 νŠΈλž˜ν”½μ€ μš”μ²­(Request) λ°©ν–₯에 따라 Ingress, Egressλ₯Ό κ΅¬λΆ„ν•˜λ©° 응닡(Response) λ°©ν–₯에 λŒ€ν•΄μ„œλŠ” 신경쓰지 μ•ŠλŠ”λ‹€. μ΄λŸ¬ν•œ νŠΈλž˜ν”½μ„ μ†‘μˆ˜μ‹ ν•˜κΈ° μœ„ν•΄μ„œλŠ” 각각의 νŠΈλž˜ν”½μ— λŒ€ν•œ 포트 κ΄€λ ¨ κ·œμΉ™μ΄ ν•„μš”ν•˜λ‹€. WSλŠ” HTTP νŠΈλž˜ν”½μ„ 받아듀이기 μœ„ν•΄ 80번 ν¬νŠΈμ— λŒ€ν•œ Ingress κ·œμΉ™μ΄ ν•„μš”ν•˜λ©°, WAS둜 νŠΈλž˜ν”½μ„ 내보내기 μœ„ν•΄ 5000번 ν¬νŠΈμ— λŒ€ν•œ Egress 포트 κ·œμΉ™μ΄ ν•„μš”ν•˜λ‹€. λ‹€λ₯Έ μ„œλ²„λ“€λ„ λΉ„μŠ·ν•˜κ²Œ 각자의 포트 κ·œμΉ™μ„ μ„€μ •ν•΄μ•Ό 정상적인 νŠΈλž˜ν”½ 흐름을 μœ μ§€ν•  수 μžˆλ‹€.

Β Network Policy

Β Network Security

μΏ λ²„λ„€ν‹°μŠ€ ν΄λŸ¬μŠ€ν„°μ—μ„œ λ…Έλ“œλŠ” λ…Έλ“œλ§ˆλ‹€ IP μ£Όμ†Œκ°€ 있고, 각 νŒŒλ“œ(Pod)와 μ„œλΉ„μŠ€(Service)도 IP μ£Όμ†Œλ₯Ό 가진닀. μΏ λ²„λ„€ν‹°μŠ€ λ„€νŠΈμ›Œν‚Ήμ˜ μ „μ œ 쑰건 쀑 ν•˜λ‚˜λŠ” μ–΄λ–€ μ†”λ£¨μ…˜μ„ κ΅¬ν˜„ν•˜λ“  라우트 같은 μΆ”κ°€ μ„€μ • 없이도 νŒŒλ“œκ°€ μ„œλ‘œ 톡신할 수 μžˆμ–΄μ•Ό ν•œλ‹€λŠ” 것이닀. μΏ λ²„λ„€ν‹°μŠ€λŠ” 기본적으둜 λͺ¨λ“  νŒŒλ“œκ°€ ν΄λŸ¬μŠ€ν„° λ‚΄μ˜ λ‹€λ₯Έ νŒŒλ“œλ‚˜ μ„œλΉ„μŠ€μ™€μ˜ νŠΈλž˜ν”½μ„ ν—ˆμš©ν•˜λŠ” β€œAll Allow” κ·œμΉ™μœΌλ‘œ κ΅¬μ„±λ˜μ–΄μžˆλ‹€.

Β Network Policy

λ„€νŠΈμ›Œν¬ 정책은 μΏ λ²„λ„€ν‹°μŠ€ λ„€μž„μŠ€νŽ˜μ΄μŠ€μ— μžˆλŠ” 객체(Object)이닀. λ„€νŠΈμ›Œν¬ 정책은 ν•˜λ‚˜ μ΄μƒμ˜ νŒŒλ“œμ— μ—°κ²°λ˜λ©°, μ •μ±… λ‚΄μ—μ„œ κ·œμΉ™μ„ μ •μ˜ν•  수 μžˆλ‹€.
μœ„μ—μ„œ μ˜ˆμ‹œλ‘œ λ“  3ν‹°μ–΄ μ›Ή μ„œλ²„λ₯Ό 계속 μ–˜κΈ°ν•˜μžλ©΄ 각 μ„œλ²„λŠ” νŒŒλ“œμ™€ μ„œλΉ„μŠ€λ‘œ λ°°ν¬λœλ‹€. νŒŒλ“œλŠ” 기본적으둜 λ‹€λ₯Έ λͺ¨λ“  νŒŒλ“œμ™€ 톡신할 수 있기 λ•Œλ¬Έμ—, WS와 DBκ°€ μ§μ ‘μ μœΌλ‘œ ν†΅μ‹ ν•˜κ³  μžˆλŠ” μƒνƒœμ΄λ‹€. 이λ₯Ό ν•΄κ²°ν•˜κΈ° μœ„ν•΄ λ„€νŠΈμ›Œν¬ 정책을 μ‚¬μš©ν•œλ‹€. API Podμ—μ„œ 포트 3306에 λŒ€ν•œ 인그레슀 νŠΈλž˜ν”½λ§Œ ν—ˆμš©ν•˜λŠ” κ·œμΉ™μ„ 가진 정책을 DB Podκ°€ κ°€μ§μœΌλ‘œμ¨ Web Podμ™€μ˜ 톡신을 막을 수 μžˆλ‹€.

Β Ingress

Β Link Policy - podSelector

정책을 νŒŒλ“œμ— μ—°κ²°ν•˜κΈ° μœ„ν•΄μ„œλŠ” 라벨(Label)κ³Ό μ…€λ ‰ν„°(Selector)λ₯Ό μ‚¬μš©ν•œλ‹€. νŒŒλ“œμ˜ μ •μ˜νŒŒμΌμ—λŠ” labels.role 을 톡해 라벨을 μƒμ„±ν•˜λ©°, μ •μ±…μ˜ μ •μ˜νŒŒμΌμ—λŠ” podSelector.matchLabels.role을 톡해 ν•΄λ‹Ή 라벨과 μ—°κ²°ν•œλ‹€.
Ingress νŠΈλž˜ν”½μ— λŒ€ν•œ ν—ˆμš©μ΄ μ΄λ€„μ§ˆ 경우 νŠΈλž˜ν”½μ— λŒ€ν•œ 응닡(Response)λŠ” μžλ™μœΌλ‘œ ν—ˆμš©λ˜κΈ° λ•Œλ¬Έμ— λ”°λ‘œ μ„€μ •ν•  ν•„μš”κ°€ μ—†λ‹€.
# db-pod.yaml ... metadata: name: db labels: role: db ...
YAML
볡사
# policy-definition.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: db-policy spec: podSelector: matchLabels: role: db policyTypes: - Ingress ingress: - from: # Ingress νŠΈλž˜ν”½μ˜ 좜처 μ •μ˜ - podSelector: matchLabels: name: api-pod ports: # Ingress νŠΈλž˜ν”½μ˜ ν—ˆμš© 포트 μ •μ˜ - protocol: TCP port: 3306
YAML
볡사
ν•΄λ‹Ή μ •μ±… μ •μ˜ νŒŒμΌμ—λŠ” μΈκ·Έλ ˆμŠ€μ— λŒ€ν•œ κ·œμΉ™λ§Œ μ‘΄μž¬ν•œλ‹€. μ΄λŠ” 인그레슀 νŠΈλž˜ν”½λ§Œ 격리되며, 이그레슀 νŠΈλž˜ν”½μ€ 영ν–₯이 μ—†λ‹€λŠ” 것을 λ‚˜νƒ€λ‚Έλ‹€. λ”°λΌμ„œ API PodλŠ” DB Pod에 API ν˜ΈμΆœμ„ ν•  수 μžˆμ§€λ§Œ, κ·Έ λ°˜λŒ€μΈ DB PodλŠ” API Pod에 API ν˜ΈμΆœμ„ ν•  수 μ—†λ‹€.

Β Link Policy II - namespaceSelector

라벨 이름은 κ°™μ§€λ§Œ λ„€μž„μŠ€νŽ˜μ΄μŠ€κ°€ λ‹€λ₯Ό κ²½μš°μ—λŠ” namespaceSelector λ₯Ό μΆ”κ°€ν•˜μ—¬ μ§€μ •λœ λ„€μž„μŠ€νŽ˜μ΄μŠ€μ˜ νŒŒλ“œμ— λŒ€ν•΄μ„œλ§Œ νŠΈλž˜ν”½μ„ ν—ˆμš©ν•  수 μžˆλ‹€. namespaceSelector 만 μ‘΄μž¬ν•˜κ³ , podSelector κ°€ μ—†λŠ” κ²½μš°λ„ μ‘΄μž¬ν•  수 μžˆλŠ”λ°, μ΄λ•ŒλŠ” 같은 λ„€μž„μŠ€νŽ˜μ΄μŠ€μ˜ λͺ¨λ“  νŒŒλ“œμ˜ νŠΈλž˜ν”½μ„ ν—ˆμš©ν•œλ‹€.
# policy-definition.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: db-policy spec: podSelector: matchLabels: role: db policyTypes: - Ingress ingress: - from: # Ingress νŠΈλž˜ν”½μ˜ 좜처 μ •μ˜ - podSelector: # Ingress νŠΈλž˜ν”½μ„ ν—ˆμš©ν•  pod μ •μ˜ matchLabels: name: api-pod namespaceSelector: # Ingress νŠΈλž˜ν”½μ„ ν—ˆμš©ν•  namespace μ •μ˜ matchLabels: name: prod ports: # Ingress νŠΈλž˜ν”½μ˜ ν—ˆμš© 포트 μ •μ˜ - protocol: TCP port: 3306
YAML
볡사

Β Link Policy III - ipBlock

λ°±μ—… μ„œλ²„κ°€ μžˆμ„ λ•ŒλŠ” μ–΄λ–»κ²Œ μ„€μ •ν•΄μ•Ό ν• κΉŒ? λ°±μ—… μ„œλ²„λŠ” ν΄λŸ¬μŠ€ν„°μ— λ°°ν¬λ˜μ§€ μ•Šμ€ μƒνƒœμ΄κΈ° λ•Œλ¬Έμ— podSelector와 namespaceSelector λŠ” μž‘λ™ν•˜μ§€ μ•ŠλŠ”λ‹€. μ΄λ•Œ λ°±μ—… μ„œλ²„μ— λŒ€ν•œ IP μ£Όμ†Œλ₯Ό μ•Œκ³  μžˆλ‹€λ©΄ λ„€νŠΈμ›Œν¬ 정책을 생성할 수 μžˆλ‹€. λ„€νŠΈμ›Œν¬ μ •μ±…μ—λŠ” ipBlock이 μžˆμ–΄ νŠΉμ • ipμ—μ„œμ˜ νŠΈλž˜ν”½μ„ ν—ˆμš©ν•  수 μžˆλ‹€.
# policy-definition.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: db-policy spec: podSelector: matchLabels: role: db policyTypes: - Ingress ingress: - from: # Ingress νŠΈλž˜ν”½μ˜ 좜처 μ •μ˜ - podSelector: # Ingress νŠΈλž˜ν”½μ„ ν—ˆμš©ν•  pod μ •μ˜ matchLabels: name: api-pod namespaceSelector: # Ingress νŠΈλž˜ν”½μ„ ν—ˆμš©ν•  namespace μ •μ˜ matchLabels: name: prod - ipBlock: # Ingress νŠΈλž˜ν”½μ„ ν—ˆμš©ν•  IP μ£Όμ†Œ μ •μ˜ cidr: 192.168.5.10/32 ports: # Ingress νŠΈλž˜ν”½μ˜ ν—ˆμš© 포트 μ •μ˜ - protocol: TCP port: 3306
YAML
볡사

Β Separate Selectors

spec.ingress.from μ•„λž˜ 3개의 μ…€λ ‰ν„°λ₯Ό μ‚΄νŽ΄λ³΄μ•˜λ‹€. μ΄λ•Œ μ•žμ— -κ°€ λΆ™μ–΄μžˆλŠ” μ…€λ ‰ν„°κ°€ 있고, μ—†λŠ” μ…€λ ‰ν„°κ°€ μžˆλ‹€. μ΄λŠ” μ…€λ ‰ν„°λ₯Ό λΆ„λ¦¬ν•˜κΈ° μœ„ν•΄ μ‚¬μš©λ˜λŠ” 것이닀. 같은 - 내에 μžˆλŠ” μ…€λ ‰ν„°λŠ” AND μ—°μ‚°μžμ²˜λŸΌ μž‘λ™ν•΄ ν•΄λ‹Ή 셀렉터듀을 λͺ¨λ‘ 톡과해야 ingress νŠΈλž˜ν”½μ„ ν—ˆμš©ν•˜κ² λ‹€λŠ” 것이닀. λ‹€λ₯Έ -λ₯Ό 가진 μ…€λ ‰ν„°λŠ” OR μ—°μ‚°μžλ‘œ μž‘λ™ν•˜μ—¬ ν•˜λ‚˜λ§Œ ν†΅κ³Όν•˜λ©΄ ν•΄λ‹Ή κ·œμΉ™μ˜ ingress νŠΈλž˜ν”½μ„ ν—ˆμš©ν•˜κ² λ‹€λŠ” 것이닀.
λ°”λ‘œ μœ„ 예제 μ½”λ“œμ—μ„œλŠ” podSelector와 namespaceSelectorκ°€ λ¬Άμ—¬μžˆμœΌλ©°, ipBlockκ³ΌλŠ” λΆ„λ¦¬λ˜μ–΄ μžˆλ‹€. λ”°λΌμ„œ ingress νŠΈλž˜ν”½μ„ ν—ˆμš©ν•˜κΈ° μœ„ν•΄μ„œλŠ” podSelector AND namespaceSelectorλ₯Ό ν†΅κ³Όν•˜κ±°λ‚˜ OR ipBlock을 ν†΅κ³Όν•˜λ©΄ λœλ‹€.
podSelector와 namespaceSelectorλ₯Ό λΆ„λ¦¬ν•˜μ—¬ μ„Έ μ…€λ ‰ν„° 쀑 ν•˜λ‚˜λ§Œ 톡과해도 λ˜λ„λ‘ ν•˜λ €λ©΄ namespaceSelector μ•žμ— - λ₯Ό λΆ™μ΄λŠ” κ²ƒμœΌλ‘œ ν•΄κ²°ν•  수 μžˆλ‹€.

Β Egress

EgressλŠ” Ingress와 달리 from이 μ•„λ‹Œ toλ₯Ό κ°–λŠ”λ‹€. 이λ₯Ό 톡해 μ™ΈλΆ€λ‘œ λ‚˜κ°€λŠ” νŠΈλž˜ν”½μ„ ν—ˆμš©ν•˜λŠ” κ·œμΉ™μ„ μ„€μ •ν•  수 μžˆλ‹€.
λ°±μ—… μ„œλ²„κ°€ μ ‘κ·Όν•˜λŠ” 것이 μ•„λ‹Œ λ‹€λ₯Έ 상황을 κ°€μ •ν•΄λ³΄μž. DB Podμ—μ„œ μ‹€ν–‰λ˜λŠ” μ—μ΄μ „νŠΈκ°€ λ°±μ—… μ„œλ²„λ‘œ 백업을 ν‘Έμ‹œν•œλ‹€κ³  ν•œλ‹€λ©΄, νŠΈλž˜ν”½μ€ DB Podμ—μ„œ μ™ΈλΆ€ λ°±μ—… μ„œλ²„λ‘œ λ°œμƒν•˜κ²Œ λœλ‹€. μ΄λ•Œ μ™ΈλΆ€ λ°±μ—…μ„œλ²„λ‘œμ˜ Egress νŠΈλž˜ν”½μ„ ν—ˆμš©ν•˜λŠ” κ·œμΉ™μ„ μ„€μ •ν•΄μ•Ό ν•œλ‹€
# policy-definition.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: db-policy spec: podSelector: matchLabels: role: db policyTypes: - Ingress - Egress # Egress μΆ”κ°€ ingress: - from: - podSelector: matchLabels: name: api-pod ports: - protocol: TCP port: 3306 egress: # Egress νŠΈλž˜ν”½μ˜ 도착점 μ •μ˜ - to: - ipBlock: cidr: 192.168.5.10/32 ports: - protocol: TCP port: 80
YAML
볡사

Β Note

μ°Έκ³ ν•  점으둜, λͺ¨λ“  λ„€νŠΈμ›Œν¬ μ†”λ£¨μ…˜μ΄ λ„€νŠΈμ›Œν¬ 정책을 μ§€μ›ν•˜λŠ” 것은 μ•„λ‹ˆλ‹€. λ„€νŠΈμ›Œν¬ 정책이 μ§€μ›λ˜λŠ” μ†”λ£¨μ…˜μœΌλ‘œλŠ” Cube Router, Calico, Romana, WaveNet κ°€ μžˆλ‹€. λ„€νŠΈμ›Œν¬ 정책을 μ§€μ›ν•˜μ§€ μ•ŠλŠ” μ†”λ£¨μ…˜μœΌλ‘œλŠ” Flannel이 μžˆλ‹€.
ν•˜μ§€λ§Œ λ„€νŠΈμ›Œν¬ 정책을 μ§€μ›ν•˜μ§€ μ•ŠλŠ”λ‹€κ³  였λ₯˜κ°€ μƒκΈ°μ§€λŠ” μ•ŠλŠ”λ‹€. λ„€νŠΈμ›Œν¬ 정책을 μ§€μ›ν•˜μ§€ μ•Šλ”λΌλ„ 생성할 μˆ˜λŠ” μžˆμ§€λ§Œ 정책에 μ μš©λ˜μ§€ μ•ŠμœΌλ©°, 였λ₯˜ λ©”μ‹œμ§€κ°€ ν‘œμ‹œλ˜μ§€ μ•ŠλŠ”λ‹€.
Network Policies
If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), NetworkPolicies allow you to specify rules for traffic flow within your cluster, and also between Pods and the outside world. Your cluster must use a network plugin that supports NetworkPolicy enforcement.
https://kubernetes.io/docs/concepts/services-networking/network-policies/
ㅁㅇㅁㄴㅇㄹ
ㅁㅇㄴㄹ
ㅁㄴㅇㄹ
ㅁㅇㄴㄹㄷㄹ
γ„·γ„Ήγ„·