Ssoon
[Week 8] Cilium CNI: Network Policy (L3, L4, L7)
Kubernetes Network Study, 3rd cohort, run by Gasida of CloudNet@
✅ Identity-Aware and HTTP-Aware Policy Enforcement
Apply an L3/L4 Policy
🧿 Create the services in the Kubernetes cluster using the Cilium project's example YAML file
This creates the deathstar service with its deathstar deployment, plus two pods, tiefighter and xwing, in the Kubernetes cluster.
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl create -f https://raw.githubusercontent.com/cilium/cilium/1.16.3/examples/minikube/http-sw-app.yaml
service/deathstar created
deployment.apps/deathstar created
pod/tiefighter created
pod/xwing created
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl get all
NAME READY STATUS RESTARTS AGE
pod/deathstar-689f66b57d-2s66d 1/1 Running 0 29s
pod/deathstar-689f66b57d-4xhx8 1/1 Running 0 29s
pod/tiefighter 1/1 Running 0 29s
pod/xwing 1/1 Running 0 29s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/deathstar ClusterIP 10.10.101.129 <none> 80/TCP 29s
service/kubernetes ClusterIP 10.10.0.1 <none> 443/TCP 165m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/deathstar 2/2 2 2 29s
NAME DESIRED CURRENT READY AGE
replicaset.apps/deathstar-689f66b57d 2 2 2 29s
🧿 Labels assigned to each pod
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl get pod --show-labels
NAME READY STATUS RESTARTS AGE LABELS
deathstar-689f66b57d-2s66d 1/1 Running 0 71s app.kubernetes.io/name=deathstar,class=deathstar,org=empire,pod-template-hash=689f66b57d
deathstar-689f66b57d-4xhx8 1/1 Running 0 71s app.kubernetes.io/name=deathstar,class=deathstar,org=empire,pod-template-hash=689f66b57d
tiefighter 1/1 Running 0 71s app.kubernetes.io/name=tiefighter,class=tiefighter,org=empire
xwing 1/1 Running 0 71s app.kubernetes.io/name=xwing,class=xwing,org=alliance
🧿 List of the Cilium Endpoints that Cilium manages in the Kubernetes cluster
- A Cilium Endpoint is the core entity through which Cilium manages a pod's networking and security.
- Each pod is assigned its own Security Identity, and security policy is enforced per identity. The two deathstar pods share the same security identity (28695), so the same network security policy applies to both of them.
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl get ciliumendpoints
NAME SECURITY IDENTITY ENDPOINT STATE IPV4 IPV6
deathstar-689f66b57d-2s66d 28695 ready 172.16.2.113
deathstar-689f66b57d-4xhx8 28695 ready 172.16.1.160
tiefighter 1442 ready 172.16.2.154
xwing 1365 ready 172.16.2.122
🧿 List of all Cilium Endpoints managed in the Cilium cluster
- ENDPOINT: the unique ID Cilium assigned to each endpoint.
- POLICY (ingress): enforcement status of security policy on incoming traffic.
- POLICY (egress): enforcement status of security policy on outgoing traffic.
- IDENTITY: the security identity Cilium assigned to each endpoint.
- LABELS: the labels applied to each endpoint, derived from the pod's metadata; policy selection is based on these labels.
(⎈|CiliumLab:N/A) root@k8s-s:~# c1 endpoint list
ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS
ENFORCEMENT ENFORCEMENT
379 Disabled Disabled 4 reserved:health 172.16.1.159 ready
1004 Disabled Disabled 39166 k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system 172.16.1.221 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=coredns
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=kube-dns
1031 Disabled Disabled 42840 k8s:app.kubernetes.io/name=hubble-ui 172.16.1.79 ready
k8s:app.kubernetes.io/part-of=cilium
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=hubble-ui
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=hubble-ui
2158 Disabled Disabled 39166 k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system 172.16.1.210 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=coredns
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=kube-dns
2400 Disabled Disabled 44886 k8s:app.kubernetes.io/name=hubble-relay 172.16.1.78 ready
k8s:app.kubernetes.io/part-of=cilium
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=hubble-relay
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=hubble-relay
2639 Disabled Disabled 28695 k8s:app.kubernetes.io/name=deathstar 172.16.1.160 ready
k8s:class=deathstar
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
2851 Disabled Disabled 1 reserved:host ready
(⎈|CiliumLab:N/A) root@k8s-s:~# c2 endpoint list
E1021 21:46:02.136932 44038 websocket.go:296] Unknown stream id 1, discarding message
ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS
ENFORCEMENT ENFORCEMENT
210 Disabled Disabled 1 reserved:host ready
700 Disabled Disabled 1365 k8s:app.kubernetes.io/name=xwing 172.16.2.122 ready
k8s:class=xwing
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=alliance
976 Disabled Disabled 28695 k8s:app.kubernetes.io/name=deathstar 172.16.2.113 ready
k8s:class=deathstar
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
1473 Disabled Disabled 4 reserved:health 172.16.2.73 ready
2820 Disabled Disabled 1442 k8s:app.kubernetes.io/name=tiefighter 172.16.2.154 ready
k8s:class=tiefighter
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
🧿 Send a POST request to the deathstar service with curl from the two pods, xwing and tiefighter
- Both pods complete the request successfully and receive the response "Ship landed".
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
Ship landed
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
Ship landed
🧿 Observe network traffic inside the Kubernetes cluster
- Hubble captures network traffic in the cluster and prints information about each flow in real time.
(⎈|CiliumLab:N/A) root@k8s-s:~# hubble observe
Oct 21 12:46:23.242: 192.168.10.101 (remote-node) -> 172.16.0.236 (health) to-endpoint FORWARDED (ICMPv4 EchoRequest)
Oct 21 12:46:23.242: 192.168.10.101 (remote-node) <- 172.16.0.236 (health) to-network FORWARDED (ICMPv4 EchoReply)
Oct 21 12:46:24.600: 192.168.10.10:58172 (host) -> 172.16.0.236:4240 (health) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:24.600: 192.168.10.10 (host) -> 172.16.0.236 (health) to-endpoint FORWARDED (ICMPv4 EchoRequest)
Oct 21 12:46:24.600: 192.168.10.10 (host) <- 172.16.0.236 (health) to-stack FORWARDED (ICMPv4 EchoReply)
Oct 21 12:46:24.600: 192.168.10.10:58172 (host) <- 172.16.0.236:4240 (health) to-stack FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:24.600: 192.168.10.10:59258 (host) -> 192.168.10.101:4240 (remote-node) to-network FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:24.602: 192.168.10.10:41938 (host) -> 172.16.1.159:4240 (health) to-network FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:24.603: 192.168.10.10:32838 (host) -> 192.168.10.102:4240 (remote-node) to-network FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:24.603: 192.168.10.10:44178 (host) -> 172.16.2.73:4240 (health) to-network FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:26.630: 192.168.10.102 (remote-node) -> 172.16.0.236 (health) to-endpoint FORWARDED (ICMPv4 EchoRequest)
Oct 21 12:46:26.630: 192.168.10.102 (remote-node) <- 172.16.0.236 (health) to-network FORWARDED (ICMPv4 EchoReply)
Oct 21 12:46:26.630: 192.168.10.102:38752 (remote-node) -> 172.16.0.236:4240 (health) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:26.631: 192.168.10.102:38752 (remote-node) <- 172.16.0.236:4240 (health) to-network FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:30.262: 192.168.10.10:41020 (host) -> 192.168.10.102:10250 (remote-node) to-network FORWARDED (TCP Flags: SYN)
Oct 21 12:46:30.262: 192.168.10.10:41020 (host) -> 192.168.10.102:10250 (remote-node) to-network FORWARDED (TCP Flags: ACK)
Oct 21 12:46:30.262: 192.168.10.10:41020 (host) -> 192.168.10.102:10250 (remote-node) to-network FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:30.370: kube-system/kube-dns:53 (world) <> default/tiefighter (ID:1442) post-xlate-rev TRANSLATED (UDP)
Oct 21 12:46:30.370: kube-system/coredns-55cb58b774-2xvk2:53 (ID:39166) <> default/tiefighter (ID:1442) pre-xlate-rev TRACED (UDP)
Oct 21 12:46:30.370: kube-system/kube-dns:53 (world) <> default/tiefighter (ID:1442) post-xlate-rev TRANSLATED (UDP)
Oct 21 12:46:30.371: default/tiefighter (ID:1442) <> default/deathstar:80 (world) pre-xlate-fwd TRACED (TCP)
Oct 21 12:46:30.371: default/tiefighter (ID:1442) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) post-xlate-fwd TRANSLATED (TCP)
Oct 21 12:46:30.371: default/tiefighter:59064 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-network FORWARDED (TCP Flags: SYN)
Oct 21 12:46:30.371: default/tiefighter:59064 (ID:1442) <- default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: SYN, ACK)
Oct 21 12:46:30.371: default/tiefighter:59064 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-network FORWARDED (TCP Flags: ACK)
Oct 21 12:46:30.371: default/deathstar-689f66b57d-4xhx8:80 (ID:28695) <> default/tiefighter (ID:1442) pre-xlate-rev TRACED (TCP)
Oct 21 12:46:30.371: default/deathstar:80 (world) <> default/tiefighter (ID:1442) post-xlate-rev TRANSLATED (TCP)
Oct 21 12:46:30.371: default/deathstar-689f66b57d-4xhx8:80 (ID:28695) <> default/tiefighter (ID:1442) pre-xlate-rev TRACED (TCP)
Oct 21 12:46:30.371: default/deathstar:80 (world) <> default/tiefighter (ID:1442) post-xlate-rev TRANSLATED (TCP)
Oct 21 12:46:30.371: default/tiefighter:59064 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-network FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:30.372: default/tiefighter:59064 (ID:1442) <- default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:30.373: default/tiefighter:59064 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-network FORWARDED (TCP Flags: ACK, FIN)
Oct 21 12:46:30.373: default/tiefighter:59064 (ID:1442) <- default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Oct 21 12:46:30.373: default/tiefighter:59064 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-network FORWARDED (TCP Flags: ACK)
Oct 21 12:46:30.381: 192.168.10.10:41020 (host) -> 192.168.10.102:10250 (remote-node) to-network FORWARDED (TCP Flags: ACK, FIN)
Oct 21 12:46:30.382: 192.168.10.10:41020 (host) -> 192.168.10.102:10250 (remote-node) to-network FORWARDED (TCP Flags: RST)
Oct 21 12:46:30.382: 192.168.10.10:41020 (host) -> 192.168.10.102:10250 (remote-node) to-network FORWARDED (TCP Flags: RST)
Oct 21 12:46:31.595: 192.168.10.102:44636 (host) -> 192.168.10.10:6443 (kube-apiserver) to-network FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:46:32.258: 192.168.10.102:41594 (host) -> 192.168.10.10:6443 (kube-apiserver) to-network FORWARDED (TCP Flags: ACK)
Oct 21 12:46:32.793: 192.168.10.102:44630 (host) -> 192.168.10.10:6443 (kube-apiserver) to-network FORWARDED (TCP Flags: ACK)
...
🧿 Create a Cilium Network Policy
- This CiliumNetworkPolicy controls access to the deathstar service.
- Purpose of the policy: only pods carrying the org: empire label may reach the deathstar service.
- fromEndpoints: specifies the source of the traffic. Here, traffic from endpoints labeled org: empire is allowed.
- toPorts: defines the destination ports of the allowed traffic. Here TCP port 80 is specified.
(⎈|CiliumLab:N/A) root@k8s-s:~# cat <<EOF | kubectl apply -f -
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rule1"
spec:
  description: "L3-L4 policy to restrict deathstar access to empire ships only"
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
  - fromEndpoints:
    - matchLabels:
        org: empire
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
EOF
ciliumnetworkpolicy.cilium.io/rule1 created
🧿 Check the state of the Cilium Network Policy
- Endpoint Selector:
  - Match Labels:
    - class: deathstar
    - org: empire
  - The policy applies to endpoints that carry the class deathstar and org empire labels.
- Ingress: defines the incoming traffic this policy allows
  - From Endpoints:
    - Match Labels: org: empire (traffic from endpoints labeled org: empire is allowed)
  - To Ports:
    - Ports:
      - Port: 80
      - Protocol: TCP
    - Only traffic to port 80 (TCP) is allowed.
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl get cnp
NAME AGE
rule1 26s
(⎈|CiliumLab:N/A) root@k8s-s:~# kc describe cnp rule1
Name:         rule1
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cilium.io/v2
Kind:         CiliumNetworkPolicy
Metadata:
  Creation Timestamp:  2024-10-21T12:49:23Z
  Generation:          1
  Resource Version:    21252
  UID:                 d9ac2a7a-df0f-442a-8e75-e9dc0e08f7c2
Spec:
  Description:  L3-L4 policy to restrict deathstar access to empire ships only
  Endpoint Selector:
    Match Labels:
      Class:  deathstar
      Org:    empire
  Ingress:
    From Endpoints:
      Match Labels:
        Org:  empire
    To Ports:
      Ports:
        Port:      80
        Protocol:  TCP
Status:
  Conditions:
    Last Transition Time:  2024-10-21T12:49:23Z
    Message:               Policy validation succeeded
    Status:                True
    Type:                  Valid
Events:                    <none>
🧿 Print Cilium's policy in JSON format
- Policy name: rule1
- Purpose: restrict access to the deathstar service to pods labeled org: empire only.
- Conditions:
  - Applies to endpoints with class deathstar and the org: empire label; only traffic from endpoints labeled org: empire is allowed, and only TCP traffic to HTTP port 80.
- Default deny: all ingress traffic is denied by default, while egress traffic is allowed.
(⎈|CiliumLab:N/A) root@k8s-s:~# c0 policy get
[
  {
    "endpointSelector": {
      "matchLabels": {
        "any:class": "deathstar",
        "any:org": "empire",
        "k8s:io.kubernetes.pod.namespace": "default"
      }
    },
    "ingress": [
      {
        "fromEndpoints": [
          {
            "matchLabels": {
              "any:org": "empire",
              "k8s:io.kubernetes.pod.namespace": "default"
            }
          }
        ],
        "toPorts": [
          {
            "ports": [
              {
                "port": "80",
                "protocol": "TCP"
              }
            ]
          }
        ]
      }
    ],
    "labels": [
      {
        "key": "io.cilium.k8s.policy.derived-from",
        "value": "CiliumNetworkPolicy",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.name",
        "value": "rule1",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.namespace",
        "value": "default",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.uid",
        "value": "d9ac2a7a-df0f-442a-8e75-e9dc0e08f7c2",
        "source": "k8s"
      }
    ],
    "enableDefaultDeny": {
      "ingress": true,
      "egress": false
    },
    "description": "L3-L4 policy to restrict deathstar access to empire ships only"
  }
]
Revision: 2
🧿 Use the hubble observe command to watch the traffic flows produced under the Cilium network policy
- The xwing pod tries to send a request to the deathstar service, but under the currently applied Cilium network policy (rule1) the deathstar service is reachable only from pods of the empire organization, so xwing's request is denied. Because the SYN packets are silently dropped rather than rejected, the curl command never returns and has to be interrupted (^C).
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
^C
(⎈|CiliumLab:N/A) root@k8s-s:~# hubble observe --pod deathstar
Oct 21 12:51:36.413: default/tiefighter:54820 (ID:1442) <- default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-network FORWARDED (TCP Flags: ACK, FIN)
Oct 21 12:51:36.413: default/tiefighter:54820 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: ACK)
Oct 21 12:51:44.456: default/xwing:34796 (ID:1365) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-network FORWARDED (TCP Flags: SYN)
Oct 21 12:51:44.457: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:44.457: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:45.468: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:45.468: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:46.492: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:46.492: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:47.516: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:47.516: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:48.540: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:48.540: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:49.564: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:49.564: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:51.612: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
🧿 Continuously watch xwing's requests to the deathstar service being denied by the Cilium policy
(⎈|CiliumLab:N/A) root@k8s-s:~# hubble observe --pod deathstar --verdict DROPPED
Oct 21 12:51:46.492: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:46.492: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:47.516: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:47.516: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:48.540: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:48.540: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:49.564: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:49.564: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:51.612: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:51.612: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:51:55.644: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:55.644: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:01.980: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:01.980: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
...
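As an added example (not part of the original study notes), the Python script below parses `hubble observe` lines in the format shown above and summarizes them per source and destination pod, separating the two stages Hubble reports for a policy drop (the `policy-verdict:none INGRESS DENIED` decision and the `Policy denied DROPPED` result) from the `policy-verdict:L3-L4 INGRESS ALLOWED` decision seen for tiefighter. The sample lines are constructed from the format on this page; the final `http-request` line is a constructed L7 (proxy) verdict and is not output captured from this lab.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the `hubble observe` format shown on this page.
# The final http-request line is constructed to show the shape of an L7 (proxy)
# verdict; it is not output captured from this lab. The "..." line mimics the
# truncation marker in the notes and must be skipped by the parser.
SAMPLE_FLOWS = """\
Oct 21 12:51:44.456: default/xwing:34796 (ID:1365) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-network FORWARDED (TCP Flags: SYN)
Oct 21 12:51:44.457: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:51:44.457: default/xwing:34796 (ID:1365) <> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:54:49.586: default/tiefighter:49370 (ID:1442) -> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:L3-L4 INGRESS ALLOWED (TCP Flags: SYN)
Oct 21 12:54:49.586: default/tiefighter:49370 (ID:1442) -> default/deathstar-689f66b57d-2s66d:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: SYN)
Oct 21 12:46:23.242: 192.168.10.101 (remote-node) -> 172.16.0.236 (health) to-endpoint FORWARDED (ICMPv4 EchoRequest)
...
Oct 21 12:55:10.001: default/tiefighter:49402 (ID:1442) -> default/deathstar-689f66b57d-2s66d:80 (ID:28695) http-request DROPPED (HTTP/1.1 PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port)
"""

# <timestamp>: <src> (<src identity>) <dir> <dst> (<dst identity>) <event words> <VERDICT> (<detail>)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<src>\S+) \((?P<src_id>[^)]*)\) "
    r"(?P<dir><-|->|<>) "
    r"(?P<dst>\S+) \((?P<dst_id>[^)]*)\) "
    r"(?P<event>.+?) (?P<verdict>[A-Z]+) \((?P<detail>.*)\)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    src_id: str
    dst: str
    dst_id: str
    event: str      # e.g. "to-network", "policy-verdict:none INGRESS", "Policy denied", "http-request"
    verdict: str    # FORWARDED, DENIED, DROPPED, ALLOWED, TRANSLATED, TRACED
    detail: str     # text inside the trailing parentheses


def strip_port(endpoint):
    """Drop a trailing :port from 'ns/pod:port' or 'a.b.c.d:port' (IPv4 only)."""
    head, sep, tail = endpoint.rpartition(":")
    return head if sep and tail.isdigit() else endpoint


def parse_flows(text):
    """Parse hubble observe output; lines that are not flows (e.g. '...') are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flows.append(Flow(strip_port(m["src"]), m["src_id"], strip_port(m["dst"]), m["dst_id"],
                          m["event"], m["verdict"], m["detail"]))
    return flows


def verdict_counts(flows):
    """Counter keyed by (src, dst, verdict): a quick per-pair view of what policy did."""
    return Counter((f.src, f.dst, f.verdict) for f in flows)


def policy_verdicts(flows):
    """(src, dst, matched-rule, verdict) for every policy-verdict line.
    matched-rule is 'none' when no rule selected the flow (default deny) or e.g. 'L3-L4'."""
    out = []
    for f in flows:
        if f.event.startswith("policy-verdict:"):
            matched = f.event.split()[0].split(":", 1)[1]
            out.append((f.src, f.dst, matched, f.verdict))
    return out


def policy_drops(flows):
    """(src, src identity, dst, layer, detail) for every DROPPED flow.
    Drops reported by the datapath (no rule matched) are L3/L4; 'http-request' drops come
    from the L7 proxy after the connection was already allowed at L3/L4."""
    out = []
    for f in flows:
        if f.verdict != "DROPPED":
            continue
        layer = "L7" if f.event == "http-request" else "L3/L4"
        out.append((f.src, f.src_id, f.dst, layer, f.detail))
    return out


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, n in sorted(verdict_counts(flows).items()):
        print(f"{key[0]} -> {key[1]}: {key[2]} x{n}")
    for drop in policy_drops(flows):
        print("DROP", drop)
```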
🧿 Endpoint information for deathstar
- The deathstar endpoint now has ingress policy enforcement enabled and is operating normally; network access to this endpoint is controlled by the applied Cilium network policy.
- ENFORCEMENT (EGRESS) (Disabled): policy enforcement on this endpoint's egress (outgoing) traffic is disabled, i.e. outgoing traffic is not restricted by Cilium policy.
(⎈|CiliumLab:N/A) root@k8s-s:~# c1 endpoint list | grep deathstar
2639 Enabled Disabled 28695 k8s:app.kubernetes.io/name=deathstar 172.16.1.160 ready
k8s:class=deathstar
🧿 Current list of endpoints in the Kubernetes cluster
- The deathstar endpoint (ENDPOINT 976) has ingress policy enabled and egress policy disabled: traffic coming into deathstar is controlled, but its outgoing traffic is not.
- The xwing (ENDPOINT 700) and tiefighter (ENDPOINT 2820) endpoints have both ingress and egress policy disabled; they can communicate with other pods without restriction.
(⎈|CiliumLab:N/A) root@k8s-s:~# c2 endpoint list
ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS
ENFORCEMENT ENFORCEMENT
210 Disabled Disabled 1 reserved:host ready
700 Disabled Disabled 1365 k8s:app.kubernetes.io/name=xwing 172.16.2.122 ready
k8s:class=xwing
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=alliance
976 Enabled Disabled 28695 k8s:app.kubernetes.io/name=deathstar 172.16.2.113 ready
k8s:class=deathstar
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
1473 Disabled Disabled 4 reserved:health 172.16.2.73 ready
2820 Disabled Disabled 1442 k8s:app.kubernetes.io/name=tiefighter 172.16.2.154 ready
k8s:class=tiefighter
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
✅ Identity-Aware and HTTP-Aware Policy Enforcement
Apply and Test HTTP-aware L7 Policy
🧿 Error produced when a PUT request is sent from the tiefighter pod to the /v1/exhaust-port endpoint of the deathstar service
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port
Panic: deathstar exploded
goroutine 1 [running]:
main.HandleGarbage(0x2080c3f50, 0x2, 0x4, 0x425c0, 0x5, 0xa)
/code/src/github.com/empire/deathstar/
temp/main.go:9 +0x64
main.main()
/code/src/github.com/empire/deathstar/
temp/main.go:5 +0x85
🧿 Define a Cilium network policy that controls HTTP access to the deathstar service
- Only pods of the empire organization may send POST requests to the /v1/request-landing endpoint of the deathstar service.
- Endpoint Selector:
  - org: empire
  - class: deathstar
- Ingress:
  - Source endpoints: org: empire
  - Destination port: TCP port 80
  - HTTP rules:
    - Allowed method: POST
    - Allowed path: /v1/request-landing
- After the policy is applied:
  - Pods of the empire organization can send POST requests to the deathstar service on the /v1/request-landing path.
  - Pods of other organizations (e.g. a rebels pod) are denied when they try to reach this path.
(⎈|CiliumLab:N/A) root@k8s-s:~# cat <<EOF | kubectl apply -f -
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rule1"
spec:
  description: "L7 policy to restrict access to specific HTTP call"
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
  - fromEndpoints:
    - matchLabels:
        org: empire
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "POST"
          path: "/v1/request-landing"
EOF
ciliumnetworkpolicy.cilium.io/rule1 configured
🧿 Cilium network policy rule1
- This policy allows endpoints of the empire organization to send POST requests to the deathstar service on the /v1/request-landing path.
(⎈|CiliumLab:N/A) root@k8s-s:~# kc describe ciliumnetworkpolicies
Name:         rule1
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cilium.io/v2
Kind:         CiliumNetworkPolicy
Metadata:
  Creation Timestamp:  2024-10-21T12:49:23Z
  Generation:          2
  Resource Version:    22086
  UID:                 d9ac2a7a-df0f-442a-8e75-e9dc0e08f7c2
Spec:
  Description:  L7 policy to restrict access to specific HTTP call
  Endpoint Selector:
    Match Labels:
      Class:  deathstar
      Org:    empire
  Ingress:
    From Endpoints:
      Match Labels:
        Org:  empire
    To Ports:
      Ports:
        Port:      80
        Protocol:  TCP
      Rules:
        Http:
          Method:  POST
          Path:    /v1/request-landing
Status:
  Conditions:
    Last Transition Time:  2024-10-21T12:49:23Z
    Message:               Policy validation succeeded
    Status:                True
    Type:                  Valid
Events:                    <none>
🧿 Print Cilium's policy in JSON format
(⎈|CiliumLab:N/A) root@k8s-s:~# c0 policy get
[
  {
    "endpointSelector": {
      "matchLabels": {
        "any:class": "deathstar",
        "any:org": "empire",
        "k8s:io.kubernetes.pod.namespace": "default"
      }
    },
    "ingress": [
      {
        "fromEndpoints": [
          {
            "matchLabels": {
              "any:org": "empire",
              "k8s:io.kubernetes.pod.namespace": "default"
            }
          }
        ],
        "toPorts": [
          {
            "ports": [
              {
                "port": "80",
                "protocol": "TCP"
              }
            ],
            "rules": {
              "http": [
                {
                  "path": "/v1/request-landing",
                  "method": "POST"
                }
              ]
            }
          }
        ]
      }
    ],
    "labels": [
      {
        "key": "io.cilium.k8s.policy.derived-from",
        "value": "CiliumNetworkPolicy",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.name",
        "value": "rule1",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.namespace",
        "value": "default",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.uid",
        "value": "d9ac2a7a-df0f-442a-8e75-e9dc0e08f7c2",
        "source": "k8s"
      }
    ],
    "enableDefaultDeny": {
      "ingress": true,
      "egress": false
    },
    "description": "L7 policy to restrict access to specific HTTP call"
  }
]
Revision: 3
🧿 Network traffic flow between the deathstar service and the tiefighter pod
- Traffic from default/xwing to deathstar was denied repeatedly (e.g. INGRESS DENIED).
- Traffic from default/tiefighter to deathstar was allowed (e.g. INGRESS ALLOWED).
The POST request to deathstar succeeded from tiefighter, which shows the policy working as intended, whereas xwing could not get its request through and was denied.
(⎈|CiliumLab:N/A) root@k8s-s:~# hubble observe --pod deathstar
Oct 21 12:52:52.540: default/xwing:34796 (ID:1365) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) to-network FORWARDED (TCP Flags: SYN)
Oct 21 12:53:08.924: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:53:08.924: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:54:49.586: default/tiefighter (ID:1442) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) post-xlate-fwd TRANSLATED (TCP)
Oct 21 12:54:49.586: default/tiefighter:49370 (ID:1442) -> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:L3-L4 INGRESS ALLOWED (TCP Flags: SYN)
Oct 21 12:54:49.586: default/tiefighter:49370 (ID:1442) -> default/deathstar-689f66b57d-2s66d:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: SYN)
Oct 21 12:54:49.586: default/tiefighter:49370 (ID:1442) <- default/deathstar-689f66b57d-2s66d:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: SYN, ACK)
Oct 21 12:54:49.586: default/tiefighter:49370 (ID:1442) -> default/deathstar-689f66b57d-2s66d:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: ACK)
Oct 21 12:54:49.586: default/deathstar-689f66b57d-2s66d:80 (ID:28695) <> default/tiefighter (ID:1442) pre-xlate-rev TRACED (TCP)
Oct 21 12:54:49.586: default/deathstar-689f66b57d-2s66d:80 (ID:28695) <> default/tiefighter (ID:1442) pre-xlate-rev TRACED (TCP)
Oct 21 12:54:49.586: default/tiefighter:49370 (ID:1442) -> default/deathstar-689f66b57d-2s66d:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:54:49.586: default/tiefighter:49370 (ID:1442) <> default/deathstar-689f66b57d-2s66d (ID:28695) pre-xlate-rev TRACED (TCP)
Oct 21 12:54:49.587: default/tiefighter:49370 (ID:1442) <> default/deathstar-689f66b57d-2s66d (ID:28695) pre-xlate-rev TRACED (TCP)
Oct 21 12:54:49.587: default/tiefighter:49370 (ID:1442) <> default/deathstar-689f66b57d-2s66d (ID:28695) pre-xlate-rev TRACED (TCP)
Oct 21 12:54:49.587: default/tiefighter:49370 (ID:1442) <> default/deathstar-689f66b57d-2s66d (ID:28695) pre-xlate-rev TRACED (TCP)
Oct 21 12:54:49.587: default/tiefighter:49370 (ID:1442) <> default/deathstar-689f66b57d-2s66d (ID:28695) pre-xlate-rev TRACED (TCP)
Oct 21 12:54:49.587: default/tiefighter:49370 (ID:1442) <- default/deathstar-689f66b57d-2s66d:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Oct 21 12:54:49.587: default/tiefighter:49370 (ID:1442) -> default/deathstar-689f66b57d-2s66d:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Oct 21 12:54:49.587: default/tiefighter:49370 (ID:1442) <- default/deathstar-689f66b57d-2s66d:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Oct 21 12:54:49.587: default/tiefighter:49370 (ID:1442) -> default/deathstar-689f66b57d-2s66d:80 (ID:28695) to-endpoint FORWARDED (TCP Flags: ACK)
🧿 Network traffic flow from the xwing pod to the deathstar service
- Every log entry shows the request from xwing to deathstar as INGRESS DENIED followed by Policy denied DROPPED, meaning traffic from xwing to deathstar is being blocked by policy.
- The TCP SYN flag is set, so the connection attempt was started, but the policy did not allow it.
That xwing's traffic is blocked means the Cilium network policy is applied correctly: under the previously configured policy (rule1), POST requests from xwing to deathstar are not allowed.
(⎈|CiliumLab:N/A) root@k8s-s:~# hubble observe --pod deathstar --verdict DROPPED
Oct 21 12:52:01.980: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:01.980: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:03.004: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:03.004: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:04.028: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:04.028: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:05.052: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:05.052: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:06.076: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:06.076: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:08.126: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:08.126: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:12.156: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:12.156: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:20.284: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:20.284: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:36.668: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:36.668: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:53:08.924: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:53:08.924: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
🧿 Current state of the network policy and access control
- Looking at the results of requests from tiefighter to deathstar, the HTTP POST request is processed successfully and returns "Ship landed", while the PUT request fails with "Access denied".
- POST request succeeds:
  - The POST request (/v1/request-landing) from tiefighter to deathstar is processed successfully; it is allowed by the rule configured in the CiliumNetworkPolicy.
- PUT request fails:
  - The PUT request (/v1/exhaust-port) from tiefighter to deathstar fails with "Access denied"; this request is blocked by the currently configured policy.
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
Ship landed
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port
Access denied
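The following is an added example, not code from the study notes or from Cilium: a small Python model of how the two rule1 variants on this page (the L3/L4 policy applied earlier and the L7 HTTP policy above) decide ingress verdicts, using the pod labels from `kubectl get pod --show-labels`. It reproduces the four outcomes observed in the lab (xwing denied at L3, tiefighter POST allowed, tiefighter PUT to /v1/exhaust-port rejected by the proxy) and also shows the case where a destination is not selected by any policy. The pod and policy dicts are constructed; treating `method` and `path` as anchored regular expressions is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed pods carrying the labels shown by `kubectl get pod --show-labels` on this page.
PODS = {
    "xwing": Pod("xwing", "default",
                 {"app.kubernetes.io/name": "xwing", "class": "xwing", "org": "alliance"}),
    "tiefighter": Pod("tiefighter", "default",
                      {"app.kubernetes.io/name": "tiefighter", "class": "tiefighter", "org": "empire"}),
    "deathstar": Pod("deathstar-689f66b57d-2s66d", "default",
                     {"app.kubernetes.io/name": "deathstar", "class": "deathstar", "org": "empire"}),
}

# The two rule1 specs from this page, written as dicts with the same structure as the YAML.
L3L4_RULE = {
    "namespace": "default",
    "endpointSelector": {"matchLabels": {"org": "empire", "class": "deathstar"}},
    "ingress": [{
        "fromEndpoints": [{"matchLabels": {"org": "empire"}}],
        "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}]}],
    }],
}
L7_RULE = {
    "namespace": "default",
    "endpointSelector": {"matchLabels": {"org": "empire", "class": "deathstar"}},
    "ingress": [{
        "fromEndpoints": [{"matchLabels": {"org": "empire"}}],
        "toPorts": [{
            "ports": [{"port": "80", "protocol": "TCP"}],
            "rules": {"http": [{"method": "POST", "path": "/v1/request-landing"}]},
        }],
    }],
}


def selector_matches(selector, pod, policy_ns):
    """matchLabels semantics: every key must be present with the same value.
    Cilium adds k8s:io.kubernetes.pod.namespace=<policy namespace> to every selector
    (visible in the `c0 policy get` output), so pods in other namespaces never match."""
    if pod.namespace != policy_ns:
        return False
    return all(pod.labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def port_matches(port_rule, port, proto):
    return any(p["port"] == str(port) and p.get("protocol", "ANY") in ("ANY", proto)
               for p in port_rule.get("ports", []))


def http_rule_matches(http_rules, method, path):
    # Assumption: method and path are anchored regular expressions, so "/v1/request-landing"
    # does not match "/v1/request-landing/extra".
    return any(re.fullmatch(r.get("method", ".*"), method or "")
               and re.fullmatch(r.get("path", ".*"), path or "")
               for r in http_rules)


def evaluate_ingress(policy, src, dst, port, proto="TCP", method=None, path=None):
    """Return (l3l4, l7) for one request from src arriving at dst.

    l3l4: 'no-policy' when dst is not selected (nothing is enforced),
          'ALLOWED'   when an L3/L4 rule matched (policy-verdict:L3-L4 INGRESS ALLOWED),
          'DENIED'    when dst is selected but no rule matched (default deny,
                      policy-verdict:none INGRESS DENIED, then DROPPED).
    l7:   None unless the matching port rule carries HTTP rules; then 'FORWARDED' or
          'DROPPED' as the proxy decides per request (the "Access denied" case)."""
    ns = policy["namespace"]
    if not selector_matches(policy["endpointSelector"], dst, ns):
        return ("no-policy", None)
    for rule in policy.get("ingress", []):
        if not any(selector_matches(s, src, ns) for s in rule.get("fromEndpoints", [])):
            continue
        if not rule.get("toPorts"):
            return ("ALLOWED", None)          # L3-only rule: any port from that source
        for port_rule in rule["toPorts"]:
            if not port_matches(port_rule, port, proto):
                continue
            http_rules = port_rule.get("rules", {}).get("http")
            if not http_rules:
                return ("ALLOWED", None)
            # L7 rule present: the connection passes L3/L4 and is redirected to the proxy,
            # which then accepts or rejects each HTTP request on its own.
            return ("ALLOWED", "FORWARDED" if http_rule_matches(http_rules, method, path) else "DROPPED")
    return ("DENIED", None)


if __name__ == "__main__":
    xw, tf, ds = PODS["xwing"], PODS["tiefighter"], PODS["deathstar"]
    print("L3/L4 rule1, xwing POST      ->", evaluate_ingress(L3L4_RULE, xw, ds, 80))
    print("L3/L4 rule1, tiefighter POST ->", evaluate_ingress(L3L4_RULE, tf, ds, 80))
    print("L7 rule1, tiefighter POST    ->", evaluate_ingress(L7_RULE, tf, ds, 80, method="POST", path="/v1/request-landing"))
    print("L7 rule1, tiefighter PUT     ->", evaluate_ingress(L7_RULE, tf, ds, 80, method="PUT", path="/v1/exhaust-port"))
```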
🧿 The PUT request from tiefighter to deathstar is blocked
- The response to the request shows as "DROPPED", which indicates that the request was denied by the currently applied network policy.
(⎈|CiliumLab:N/A) root@k8s-s:~# hubble observe --pod deathstar --verdict DROPPED
Oct 21 12:52:01.980: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:01.980: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:03.004: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:03.004: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:04.028: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:04.028: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:05.052: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:05.052: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:06.076: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:06.076: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:08.126: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:08.126: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:12.156: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:12.156: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:20.284: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:20.284: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:52:36.668: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:36.668: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:53:08.924: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:53:08.924: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:58:57.747: default/tiefighter:39610 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) http-request DROPPED (HTTP/1.1 PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port)
🧿 Information on the HTTP requests from tiefighter to deathstar
- POST request succeeded: the POST request is shown as processed successfully, which means access to that path is allowed.
- PUT request blocked: the PUT request being blocked with a 403 error indicates that there is no permission to have this request handled by the deathstar service's HTTP API.
(⎈|CiliumLab:N/A) root@k8s-s:~# hubble observe --pod deathstar --protocol http
Oct 21 12:58:52.729: default/tiefighter:60704 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) http-request FORWARDED (HTTP/1.1 POST http://deathstar.default.svc.cluster.local/v1/request-landing)
Oct 21 12:58:52.729: default/tiefighter:60704 (ID:1442) <- default/deathstar-689f66b57d-4xhx8:80 (ID:28695) http-response FORWARDED (HTTP/1.1 200 1ms (POST http://deathstar.default.svc.cluster.local/v1/request-landing))
Oct 21 12:58:57.747: default/tiefighter:39610 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) http-request DROPPED (HTTP/1.1 PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port)
Oct 21 12:58:57.747: default/tiefighter:39610 (ID:1442) <- default/deathstar-689f66b57d-4xhx8:80 (ID:28695) http-response FORWARDED (HTTP/1.1 403 0ms (PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port))
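To make the two hubble outputs above easier to audit (the repeated L3/L4 SYN drops from xwing and the single L7 PUT drop from tiefighter), here is an added Python example that is not part of the original post or of the Cilium project: it parses `hubble observe` text lines and counts policy drops per client pod and layer. The sample lines are copied from the output above; the regular expressions, the `parse_flow`/`policy_report` names and the dict keys are my own assumptions about the compact hubble text format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit
# Constructed sample input: lines copied from the hubble observe output shown on this page.
SAMPLE_FLOWS = """\
Oct 21 12:52:01.980: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 21 12:52:01.980: default/xwing:38444 (ID:1365) <> default/deathstar-689f66b57d-2s66d:80 (ID:28695) Policy denied DROPPED (TCP Flags: SYN)
Oct 21 12:58:52.729: default/tiefighter:60704 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) http-request FORWARDED (HTTP/1.1 POST http://deathstar.default.svc.cluster.local/v1/request-landing)
Oct 21 12:58:57.747: default/tiefighter:39610 (ID:1442) -> default/deathstar-689f66b57d-4xhx8:80 (ID:28695) http-request DROPPED (HTTP/1.1 PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port)
Oct 21 12:58:57.747: default/tiefighter:39610 (ID:1442) <- default/deathstar-689f66b57d-4xhx8:80 (ID:28695) http-response FORWARDED (HTTP/1.1 403 0ms (PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port))
"""
# Assumed compact hubble text format: "<ts>: <client>:<port> (ID:n) <arrow> <server>:<port> (ID:n) <event> <VERDICT> (<detail>)"
FLOW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} [\d:.]+): (?P<client>\S+?):\d+ \(ID:(?P<cid>\d+)\) (?:->|<-|<>) "
    r"(?P<server>\S+?):(?P<port>\d+) \(ID:(?P<sid>\d+)\) (?P<event>.+?) "
    r"(?P<verdict>FORWARDED|DROPPED|DENIED|AUDIT|ERROR) \((?P<detail>.*)\)$"
)
# L7 detail: "HTTP/1.1 PUT <url>" for a request, "HTTP/1.1 403 0ms (PUT <url>)" for a response
HTTP_RE = re.compile(r"^HTTP/[\d.]+ (?:(?P<status>\d{3}) \S+ \()?(?P<method>[A-Z]+) (?P<url>\S+?)\)?$")

def parse_flow(line):
    """Parse one hubble line into a dict (None if not a flow line); the client pod is on the left."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = {"client": m["client"].split("/", 1)[-1], "client_id": int(m["cid"]),
           "server": m["server"].split("/", 1)[-1], "server_id": int(m["sid"]),
           "port": int(m["port"]), "event": m["event"], "verdict": m["verdict"],
           "method": None, "path": None, "status": None}
    h = HTTP_RE.match(m["detail"]) if m["event"].startswith("http-") else None
    if h:  # L7 (proxy) event: keep the method and path, plus the status code for responses
        rec["method"], rec["path"] = h["method"], urlsplit(h["url"]).path
        rec["status"] = int(h["status"]) if h["status"] else None
    return rec

def policy_report(text):
    """Count policy drops per client pod, keyed by layer: L3/L4 -> "tcp/<port>", L7 -> "<method> <path>".
    A denied SYN yields two lines (policy-verdict ... DENIED, then Policy denied DROPPED) and only the
    DROPPED one is counted; the 403 http-response is logged as FORWARDED, so it is not a drop either."""
    report = Counter()
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["verdict"] != "DROPPED":
            continue
        if rec["method"]:
            report[(rec["client"], "L7", f"{rec['method']} {rec['path']}")] += 1
        else:
            report[(rec["client"], "L3/L4", f"tcp/{rec['port']}")] += 1
    return report
```

Feed it the output of `hubble observe --pod deathstar -o compact` (or the saved text of the commands above) to get one counter entry per client pod and blocked port or HTTP method/path.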
🧿 Deletion
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl delete -f https://raw.githubusercontent.com/cilium/cilium/1.16.3/examples/minikube/http-sw-app.yaml
service "deathstar" deleted
deployment.apps "deathstar" deleted
pod "tiefighter" deleted
pod "xwing" deleted
(⎈|CiliumLab:N/A) root@k8s-s:~# kubectl delete cnp rule1
ciliumnetworkpolicy.cilium.io "rule1" deleted