I tried setting security groups on Fargate pods launched on an EKS cluster
Introduction
According to the page below, security groups can now be configured for Fargate pods as well.
https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
I actually set this up and confirmed that it works.
Verification method
I launched two Nginx pods on the EKS cluster and compared pod-to-pod communication before and after applying a security group.

- Security group used in the test
  - Inbound: no rules (a security group with no inbound rules allows nothing in, so all inbound traffic is dropped)
  - Outbound: allow all
Pod information
The manifests used to launch the pods are as follows.
```yaml
# nginx1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx1
  labels:
    name: nginx1
    app: nginx1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx1
  template:
    metadata:
      labels:
        app: nginx1
    spec:
      containers:
      - name: nginx
        image: nginx:1.19.2
        ports:
        - containerPort: 80
```

```yaml
# nginx2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx2
  labels:
    name: nginx2
    app: nginx2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
    spec:
      containers:
      - name: nginx
        image: nginx:1.19.2
        ports:
        - containerPort: 80
```
Launch the pods with the manifests above.
```
$ kubectl apply -f nginx1.yaml -f nginx2.yaml
deployment.apps/nginx1 created
deployment.apps/nginx2 created
$ kubectl get pod -o wide
NAME                      READY   STATUS    RESTARTS   AGE    IP            NODE                                                    NOMINATED NODE   READINESS GATES
nginx1-6b86d9bbbf-2q67v   1/1     Running   0          117s   10.2.45.218   fargate-ip-10-2-45-218.ap-northeast-1.compute.internal   <none>           <none>
nginx2-6775f69cc6-fvxpd   1/1     Running   0          117s   10.2.62.78    fargate-ip-10-2-62-78.ap-northeast-1.compute.internal    <none>           <none>
```
Both pods are running.
To check connectivity, run curl from nginx1 against the pod IP of nginx2.
```
$ kubectl exec -it nginx1-6b86d9bbbf-2q67v -- curl 10.2.62.78
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
I also check the reverse direction, from nginx2 to nginx1.
```
$ kubectl exec -it nginx2-6775f69cc6-fvxpd -- curl 10.2.45.218
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
Applying a security group to the pod
Next, apply the following SecurityGroupPolicy manifest to attach a security group to the pod. The policy is namespaced and selects pods by label; the security group IDs listed under groupIds are attached to every pod in the namespace whose labels match podSelector.
```yaml
# sg-policy.yaml
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: security-policy-test
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: nginx2   # the label key is only an example; it does not have to be "role"
  securityGroups:
    groupIds:
      - sg-xxxxxxxx
```
Add role: nginx2 to .spec.template.metadata.labels of the nginx2 Deployment and apply it again. Changing the pod template labels triggers a rollout, so nginx2 comes back as a new pod with a new IP.
```yaml
# nginx2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx2
  labels:
    name: nginx2
    app: nginx2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
        role: nginx2   # added; must match the policy's podSelector exactly
    spec:
      containers:
      - name: nginx
        image: nginx:1.19.2
        ports:
        - containerPort: 80
```
Apply both manifests.
```
$ kubectl apply -f sg-policy.yaml
securitygrouppolicy.vpcresources.k8s.aws/security-policy-test created
$ kubectl get sgp
NAME                   SECURITY-GROUP-IDS
security-policy-test   ["sg-xxxxxxxx"]
$ kubectl apply -f nginx2.yaml
deployment.apps/nginx2 created
$ kubectl get pod -o wide
NAME                      READY   STATUS    RESTARTS   AGE    IP            NODE                                                    NOMINATED NODE   READINESS GATES
nginx1-6b86d9bbbf-2q67v   1/1     Running   0          117s   10.2.45.218   fargate-ip-10-2-45-218.ap-northeast-1.compute.internal   <none>           <none>
nginx2-7d68c8456-4lbmr    1/1     Running   0          117s   10.2.36.251   fargate-ip-10-2-36-251.ap-northeast-1.compute.internal   <none>           <none>
```
Checking the behaviour
Run curl from nginx1 again, this time against the new pod IP of nginx2.
```
$ kubectl exec -it nginx1-6b86d9bbbf-2q67v -- curl 10.2.36.251
curl: (7) Failed to connect to 10.2.36.251 port 80: Connection timed out
```
The security group is now attached to the nginx2 pod, because its role: nginx2 label matches the policy's podSelector. That group has no inbound rules, and a security group with no inbound rules lets nothing in, so the request from nginx1 is dropped and curl times out! It times out rather than being refused because security groups silently drop packets that no rule allows. The pod itself can still open outbound connections: outbound is allow-all and security groups are stateful, so replies to connections the pod initiates are not evaluated against the inbound rules.
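To make the evaluation explicit, here is a small model of how EC2 security groups decide whether pod-to-pod traffic passes. This is an added example, not code from the original post: it reproduces the two observations above (curl works while both pods share one group with a self-referencing allow rule, then times out once nginx2 carries a group with no inbound rules) and then shows the least-privilege rule a practitioner would use instead: TCP/80 from nginx1's security group rather than from its IP, since pod IPs change on every rollout (10.2.62.78, then 10.2.36.251, then 10.2.63.222 in this post). Every group ID except sg-xxxxxxxx, the cluster-group stand-in sg-cluster, and the pod-to-group mapping are constructed for the example.

```python
"""Model of security-group evaluation for pod-to-pod connections (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                    # "tcp", "udp", "icmp" or "-1" for all
    from_port: int = -1              # -1/-1 means every port
    to_port: int = -1
    source_sg: Optional[str] = None  # peer must be a member of this group ...
    cidr: Optional[str] = None       # ... or its address must fall inside this CIDR


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass
class Pod:
    name: str
    ip: str
    groups: tuple  # security groups attached to the pod's network interface


def rule_allows(rule: Rule, protocol: str, port: int, peer_ip: str, peer_groups) -> bool:
    """Security groups contain allow rules only; a rule matches on protocol,
    port range and peer (group membership or CIDR)."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source_sg is not None:
        return rule.source_sg in peer_groups
    if rule.cidr is not None:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
    return False


def connection_allowed(src: Pod, dst: Pod, protocol: str, port: int, groups: dict) -> bool:
    """A new connection passes only if some outbound rule on the source side AND
    some inbound rule on the destination side allow it. Rules of all attached
    groups are unioned and there is no deny rule. Groups are stateful, so the
    reply direction is never evaluated; a packet no rule allows is dropped
    silently, which is why curl reports a timeout, not 'connection refused'."""
    egress_ok = any(rule_allows(r, protocol, port, dst.ip, dst.groups)
                    for g in src.groups for r in groups[g].outbound)
    ingress_ok = any(rule_allows(r, protocol, port, src.ip, src.groups)
                     for g in dst.groups for r in groups[g].inbound)
    return egress_ok and ingress_ok


ALLOW_ALL = Rule("-1", cidr="0.0.0.0/0")  # the default outbound rule of a new group

GROUPS = {
    # Constructed stand-in for the cluster security group: all traffic between
    # members is allowed through a self-referencing rule.
    "sg-cluster": SecurityGroup("sg-cluster",
                                inbound=[Rule("-1", source_sg="sg-cluster")],
                                outbound=[ALLOW_ALL]),
    # The group from the post: no inbound rules, outbound allow all.
    "sg-xxxxxxxx": SecurityGroup("sg-xxxxxxxx", inbound=[], outbound=[ALLOW_ALL]),
    # Constructed least-privilege pair: nginx2 accepts TCP/80 only from members
    # of nginx1's group, whatever IP nginx1 currently has.
    "sg-nginx1": SecurityGroup("sg-nginx1", inbound=[], outbound=[ALLOW_ALL]),
    "sg-nginx2": SecurityGroup("sg-nginx2",
                               inbound=[Rule("tcp", 80, 80, source_sg="sg-nginx1")],
                               outbound=[ALLOW_ALL]),
}


def scenario(stage: str) -> dict:
    """Which pod-to-pod connections pass at each stage (pod IPs from the post)."""
    if stage == "before-policy":
        nginx1 = Pod("nginx1", "10.2.45.218", ("sg-cluster",))
        nginx2 = Pod("nginx2", "10.2.62.78", ("sg-cluster",))
    elif stage == "no-inbound-policy":
        nginx1 = Pod("nginx1", "10.2.45.218", ("sg-cluster",))
        nginx2 = Pod("nginx2", "10.2.36.251", ("sg-xxxxxxxx",))
    elif stage == "least-privilege":
        nginx1 = Pod("nginx1", "10.2.45.218", ("sg-nginx1",))
        nginx2 = Pod("nginx2", "10.2.63.222", ("sg-nginx2",))
    else:
        raise ValueError(stage)
    return {
        "nginx1->nginx2:80": connection_allowed(nginx1, nginx2, "tcp", 80, GROUPS),
        "nginx1->nginx2:22": connection_allowed(nginx1, nginx2, "tcp", 22, GROUPS),
        "nginx2->nginx1:80": connection_allowed(nginx2, nginx1, "tcp", 80, GROUPS),
    }


if __name__ == "__main__":
    for stage in ("before-policy", "no-inbound-policy", "least-privilege"):
        print(stage, scenario(stage))
```

The "least-privilege" stage is the shape to aim for in practice: reference the caller's security group as the source, and open only the port the workload serves, so a rollout that changes the pod IP does not silently break or widen the rule.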
Now change the label in the nginx2 manifest so that it no longer matches the policy.
```yaml
# nginx2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx2
  labels:
    name: nginx2
    app: nginx2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
        role: nginx   # changed; no longer matches role: nginx2 in the policy
    spec:
      containers:
      - name: nginx
        image: nginx:1.19.2
        ports:
        - containerPort: 80
```
Apply it again and run curl from nginx1 to nginx2 once more.
```
$ kubectl apply -f nginx2.yaml
deployment.apps/nginx2 created
$ kubectl get pod -o wide
NAME                      READY   STATUS    RESTARTS   AGE     IP            NODE                                                    NOMINATED NODE   READINESS GATES
nginx1-6b86d9bbbf-2q67v   1/1     Running   0          125m    10.2.45.218   fargate-ip-10-2-45-218.ap-northeast-1.compute.internal   <none>           <none>
nginx2-7d68c8456-t72zn    1/1     Running   0          4m11s   10.2.63.222   fargate-ip-10-2-63-222.ap-northeast-1.compute.internal   <none>           <none>
$ kubectl exec -it nginx1-6b86d9bbbf-2q67v -- curl 10.2.63.222
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
Because the label no longer matches the policy's podSelector, the security group is no longer attached to the nginx2 pod and communication works again! The flip side is worth keeping in mind: a mistyped or removed label silently takes a pod out of the policy and leaves it with its previous, wider network access, so it is worth checking that every pod you intend to restrict actually matches a SecurityGroupPolicy.
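The following is an added example, not code from the original post, for exactly that check: it evaluates a Kubernetes label selector (matchLabels plus the In/NotIn/Exists/DoesNotExist matchExpressions, all ANDed) against pod labels, and reports both pods that match no SecurityGroupPolicy and policies that match no pod. The dictionaries below are constructed to mirror the post's manifests and pod names, in the shape that kubectl get ... -o json returns. Two assumptions: serviceAccountSelector, which the CRD also supports, is not modelled, and a policy with no podSelector is treated as selecting nothing, following the Kubernetes LabelSelector convention (a missing selector selects nothing, an empty one selects everything) rather than anything the post establishes about the controller.

```python
"""Audit which pods a SecurityGroupPolicy actually selects (added example)."""


def selector_matches(selector, labels) -> bool:
    """Evaluate a Kubernetes LabelSelector against a pod's labels.
    matchLabels and every matchExpressions entry must all hold."""
    if selector is None:
        return False  # assumption: no podSelector selects nothing
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and (not present or labels[key] not in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def policies_for_pod(pod, policies):
    """Names of the SecurityGroupPolicy objects whose podSelector selects this
    pod. The CRD is namespaced, so only policies in the pod's namespace count."""
    ns = pod["metadata"].get("namespace", "default")
    labels = pod["metadata"].get("labels", {})
    return [
        p["metadata"]["name"]
        for p in policies
        if p["metadata"].get("namespace", "default") == ns
        and selector_matches(p["spec"].get("podSelector"), labels)
    ]


def audit(pods, policies):
    """Return (pods that match no policy, policies that match no pod).
    The first list is the fail-open case from the post; the second catches a
    selector whose labels nobody carries, e.g. after a typo like role: nginx."""
    unrestricted = [p["metadata"]["name"] for p in pods if not policies_for_pod(p, policies)]
    matched = {name for p in pods for name in policies_for_pod(p, policies)}
    dangling = [p["metadata"]["name"] for p in policies if p["metadata"]["name"] not in matched]
    return unrestricted, dangling


# Constructed from the post's sg-policy.yaml.
POLICY = {
    "apiVersion": "vpcresources.k8s.aws/v1beta1",
    "kind": "SecurityGroupPolicy",
    "metadata": {"name": "security-policy-test", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"role": "nginx2"}},
             "securityGroups": {"groupIds": ["sg-xxxxxxxx"]}},
}


def pod(name, labels, namespace="default"):
    """Minimal pod object with just the fields the audit reads."""
    return {"metadata": {"name": name, "namespace": namespace, "labels": labels}}


# Constructed from the pod names and labels in the post.
NGINX1 = pod("nginx1-6b86d9bbbf-2q67v", {"app": "nginx1"})
NGINX2_MATCHING = pod("nginx2-7d68c8456-4lbmr", {"app": "nginx2", "role": "nginx2"})
NGINX2_TYPO = pod("nginx2-7d68c8456-t72zn", {"app": "nginx2", "role": "nginx"})

if __name__ == "__main__":
    print(audit([NGINX1, NGINX2_MATCHING], [POLICY]))  # only nginx1 unrestricted
    print(audit([NGINX1, NGINX2_TYPO], [POLICY]))      # both unrestricted, policy dangling
```

Feeding the output of `kubectl get sgp -A -o json` and `kubectl get pod -A -o json` into `audit` turns this into a quick pre-deployment gate: an empty "dangling" list means every policy selects something, and the "unrestricted" list is the set of pods still relying on whatever the cluster default gives them.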