
[따배씨] 30. Network Policy / CKA Exam Question Study

by 조청유곽 2025. 2. 1.

This post records what I studied by following the YouTube channel "따배" (linked below).

[Related Theory]

[Precondition]

(1) Test environment

(1.1) Rocky Linux cluster

: built by hand

[root@k8s-master ~]# k get nodes -o wide
NAME         STATUS   ROLES           AGE   VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE                            KERNEL-VERSION                  CONTAINER-RUNTIME
k8s-master   Ready    control-plane   30d   v1.27.2   192.168.56.30   <none>        Rocky Linux 8.10 (Green Obsidian)   4.18.0-553.33.1.el8_10.x86_64   containerd://1.6.32
k8s-node1    Ready    <none>          30d   v1.27.2   192.168.56.31   <none>        Rocky Linux 8.8 (Green Obsidian)    4.18.0-477.10.1.el8_8.x86_64    containerd://1.6.21
k8s-node2    Ready    <none>          30d   v1.27.2   192.168.56.32   <none>        Rocky Linux 8.8 (Green Obsidian)    4.18.0-477.10.1.el8_8.x86_64    containerd://1.6.21
[root@k8s-master ~]#


(1.2) Ubuntu cluster

: using the kodekloud lab environment

controlplane ~ ➜  kubectl get nodes -o wide
NAME           STATUS   ROLES           AGE     VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION   CONTAINER-RUNTIME
controlplane   Ready    control-plane   9m6s    v1.31.0   192.6.94.6    <none>        Ubuntu 22.04.4 LTS   5.4.0-1106-gcp   containerd://1.6.26
node01         Ready    <none>          8m31s   v1.31.0   192.6.94.9    <none>        Ubuntu 22.04.4 LTS   5.4.0-1106-gcp   containerd://1.6.26

https://learn.kodekloud.com/user/courses/udemy-labs-certified-kubernetes-administrator-with-practice-tests


(2) Required setup

   : create the namespaces

     - Label the devops and migops namespaces (team: devops / team: migops) so the solution's namespaceSelector can match them.

[root@k8s-master ~]# k create namespace devops --dry-run=client -o yaml > 30-devops-ns.yaml
[root@k8s-master ~]# vi 30-devops-ns.yaml 
[root@k8s-master ~]# cat 30-devops-ns.yaml 
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: null
  name: devops
  labels:
    team: devops
spec: {}
status: {}
[root@k8s-master ~]# 
[root@k8s-master ~]# cp 30-devops-ns.yaml 30-migops-ns.yaml
[root@k8s-master ~]# vi 30-migops-ns.yaml 
[root@k8s-master ~]# cat 30-migops-ns.yaml 
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: null
  name: migops
  labels:
    team: migops
spec: {}
status: {}
[root@k8s-master ~]# 
[root@k8s-master ~]# k apply -f 30-devops-ns.yaml 
namespace/devops created
[root@k8s-master ~]# k apply -f 30-migops-ns.yaml 
namespace/migops created


   : create the pod

     - Create the target pod in advance as the solution requires.

controlplane ~ ➜  k run web --image=nginx -l app=web --dry-run -o yaml
W0128 14:33:50.640680   43172 helpers.go:703] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    app: web
  name: web
spec:
  containers:
  - image: nginx
    name: web
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

[Question]

Create a new NetworkPolicy named allow-port-from-namespace in the existing namespace devops.

Ensure that the new NetworkPolicy allows Pods in namespace migops to connect to port 80 
of Pods in namespace devops.


[Solve]

(1) Create the NetworkPolicy

: metadata > namespace: "devops" (the policy lives in the namespace of the pods it protects)

: spec > podSelector > matchLabels: the label of the target pod in the "devops" namespace (app: web)

: spec > ingress > from > namespaceSelector > matchLabels: the label of the "migops" namespace (team: migops)

controlplane ~ ➜  vi 30-np.yaml

controlplane ~ ➜  cat 30-np.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: devops
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: migops
    ports:
    - protocol: TCP
      port: 80

controlplane ~ ➜  k apply -f 30-np.yaml 
networkpolicy.networking.k8s.io/allow-port-from-namespace created

controlplane ~ ➜  

controlplane ~ ➜  k describe networkpolicies.networking.k8s.io -n devops allow-port-from-namespace 
Name:         allow-port-from-namespace
Namespace:    devops
Created on:   2025-01-28 14:40:04 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=web
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: team=migops
  Not affecting egress traffic
  Policy Types: Ingress

controlplane ~ ➜
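To see why the namespace labels from the Precondition step matter, and what the policy above does and does not protect, here is an added example that is not part of the original post: a small offline evaluator of NetworkPolicy ingress semantics, written for this page. The policy dict mirrors 30-np.yaml; the pods, the "default" namespace and the helper names (`Pod`, `ingress_allowed`, `demo`) are constructed for illustration and are not Kubernetes API code.

```python
# Added example (not from the original post): an offline evaluator for the
# ingress semantics of the NetworkPolicy in 30-np.yaml. Pod and namespace
# objects below are constructed; the policy dict mirrors the post's YAML.
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Namespace labels as created by 30-devops-ns.yaml / 30-migops-ns.yaml,
# plus a constructed "default" namespace that carries no team label.
NAMESPACE_LABELS = {
    "devops": {"team": "devops"},
    "migops": {"team": "migops"},
    "default": {},
}

# The policy from 30-np.yaml, written as a dict so no YAML library is needed.
POLICY = {
    "metadata": {"name": "allow-port-from-namespace", "namespace": "devops"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"team": "migops"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}


def selector_matches(selector, labels):
    """matchLabels semantics only: every key must be present with the same value.
    An empty selector ({}) matches everything; matchExpressions are not modelled."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, src, policy_ns, ns_labels):
    """One entry of `from`. namespaceSelector and podSelector in the same entry
    are ANDed; a podSelector alone is scoped to the policy's own namespace."""
    if "ipBlock" in peer:
        return False  # ipBlock peers are not modelled in this evaluator
    has_ns = "namespaceSelector" in peer
    has_pod = "podSelector" in peer
    if has_ns and not selector_matches(peer["namespaceSelector"], ns_labels.get(src.namespace, {})):
        return False
    if has_pod and not selector_matches(peer["podSelector"], src.labels):
        return False
    if has_pod and not has_ns and src.namespace != policy_ns:
        return False
    return has_ns or has_pod


def port_matches(ports, protocol, port):
    """An absent/empty ports list allows every port; named ports and endPort are not modelled."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(policies, src, dst, port, protocol="TCP", ns_labels=NAMESPACE_LABELS):
    """True if src -> dst:port is permitted. A pod that no policy selects is
    not isolated and accepts everything; once selected, only listed rules pass."""
    applicable = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector", {}), dst.labels)
    ]
    if not applicable:
        return True
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            peer_ok = (not peers) or any(peer_matches(x, src, dst.namespace, ns_labels) for x in peers)
            if peer_ok and port_matches(rule.get("ports"), protocol, port):
                return True
    return False


def demo():
    """Evaluate the post's policy against a few constructed pods."""
    web = Pod("web", "devops", {"app": "web"})
    db = Pod("db", "devops", {"app": "db"})            # constructed: not selected by the policy
    from_migops = Pod("client", "migops", {"app": "client"})
    from_default = Pod("client", "default", {"app": "client"})
    # Same cluster, but the migops namespace was never labelled (Precondition step skipped).
    unlabelled = dict(NAMESPACE_LABELS, migops={})
    return {
        "migops -> web:80": ingress_allowed([POLICY], from_migops, web, 80),
        "migops -> web:443": ingress_allowed([POLICY], from_migops, web, 443),
        "default -> web:80": ingress_allowed([POLICY], from_default, web, 80),
        "default -> db:80 (db not isolated)": ingress_allowed([POLICY], from_default, db, 80),
        "migops -> web:80 without team label": ingress_allowed([POLICY], from_migops, web, 80, ns_labels=unlabelled),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:45} {'ALLOW' if allowed else 'DENY'}")
```

Two points the cases make explicit: a namespaceSelector matches namespace labels, so if `team: migops` is missing on the migops namespace the rule matches nothing and the web pod is isolated from everyone; and the policy only isolates pods it selects (app: web), so any other pod in devops keeps accepting all traffic until a policy selects it (an empty `podSelector: {}` would select every pod in the namespace). Whether a policy is enforced at all depends on the cluster's CNI plugin supporting NetworkPolicy; `k describe` only shows that the object exists.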

[Summary of Commands Used]

vi 30-np.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: devops
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: migops
    ports:
    - protocol: TCP
      port: 80


k apply -f 30-np.yaml

k describe networkpolicies.networking.k8s.io -n devops allow-port-from-namespace 
