# Security Groups

References: Implementing Security Groups using OVN Port Groups (http://dani.foroselectronica.es/implementing-security-groups-in-openstack-using-ovn-port-groups-478/) and https://www.ovirt.org/develop/release-management/features/network/networking-api-security-groups.html
- A `deny_all` port group is created by default, with the following ACL rules:

```shell
ovn-nbctl acl-add ovn.sg.kubeovn_deny_all to-lport 2003 'outport==@ovn.sg.kubeovn_deny_all && ip' drop
ovn-nbctl acl-add ovn.sg.kubeovn_deny_all from-lport 2003 'inport==@ovn.sg.kubeovn_deny_all && ip' drop
```

- Every port that uses a security group is first added to the `deny_all` port group.
- Each custom security group corresponds to one port group instance; whether ports in the same group may reach each other is configurable:

```shell
ovn-nbctl pg-add ovn.sg.sg1 -- set port_group ovn.sg.sg1 external_ids:type=security_group external_ids:sg=sg1
# If the AllowSameGroupTraffic switch is enabled, the following ACL rules are added as well
ovn-nbctl create address_set name=ovn.sg.sg1.associated.v4 external_ids:sg=sg1 external_ids:sg_associated=true
ovn-nbctl create address_set name=ovn.sg.sg1.associated.v6 external_ids:sg=sg1 external_ids:sg_associated=true
ovn-nbctl acl-add ovn.sg.sg1 to-lport 2004 'outport==@ovn.sg.sg1 && ip4 && ip4.src==$ovn.sg.sg1.associated.v4' allow-related
ovn-nbctl acl-add ovn.sg.sg1 to-lport 2004 'outport==@ovn.sg.sg1 && ip6 && ip6.src==$ovn.sg.sg1.associated.v6' allow-related
ovn-nbctl acl-add ovn.sg.sg1 from-lport 2004 'inport==@ovn.sg.sg1 && ip4 && ip4.dst==$ovn.sg.sg1.associated.v4' allow-related
ovn-nbctl acl-add ovn.sg.sg1 from-lport 2004 'inport==@ovn.sg.sg1 && ip6 && ip6.dst==$ovn.sg.sg1.associated.v6' allow-related
```

- The CRD follows the security-group rule definitions of OpenStack and commercial public clouds; the controller translates the rules into OVN ACLs.
- A pod declares which security groups it is associated with through annotations.
Example:

```yaml
apiVersion: kubeovn.io/v1
kind: SecurityGroup
metadata:
  name: sg1
spec:
  allowSameGroupTraffic: true
  egressRules:
  - ipVersion: ipv4
    policy: allow
    priority: 1
    protocol: all
    remoteAddress: 0.0.0.0/0
    remoteType: address
  ingressRules:
  - ipVersion: ipv4
    policy: allow
    priority: 10
    protocol: icmp
    remoteAddress: 0.0.0.0/0
    remoteType: address
  - ipVersion: ipv4
    policy: allow
    priority: 10
    protocol: tcp
    portRangeMin: 3306
    portRangeMax: 3306
    remoteAddress: 192.168.2.100
    remoteType: address
  - ipVersion: ipv4
    policy: allow
    priority: 10
    protocol: all
    remoteSecurityGroup: sg2
    remoteType: securityGroup
```
- allowSameGroupTraffic: whether ports in the same security group may access each other
- ipVersion: 'ipv4' or 'ipv6'
- policy: 'allow' or 'drop'
- priority: range 1-200; the lower the value, the higher the priority
- protocol: tcp/udp/icmp/all; when tcp or udp is given, the port range to match must be specified
- portRangeMin & portRangeMax: port range 1-65535; to apply a policy to a single port, set portRangeMin and portRangeMax to the same value
- remoteType: 'address' or 'securityGroup'
- remoteSecurityGroup: when remoteType is securityGroup, the security group the rule refers to
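To make the rule-to-ACL translation concrete, here is an added example, written for this page rather than taken from the kube-ovn controller, that takes the sg1 rules above and renders the ovn-nbctl commands the controller would have to issue. The struct fields follow the CRD; the priority mapping (2300 minus the rule priority), the destination-port convention for port ranges, the `ovn.sg.<name>.associated.v4`/`.v6` address-set names used for a remote security group, and the separate creation of the deny-all and same-group ACLs are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// SgRule mirrors the rule fields of the SecurityGroup CRD documented above.
type SgRule struct {
	IPVersion, Policy, Protocol, RemoteType string // ipv4|ipv6, allow|drop, tcp|udp|icmp|all, address|securityGroup
	Priority                                int    // 1-200, lower value wins
	PortRangeMin, PortRangeMax              int    // 1-65535, required for tcp/udp
	RemoteAddress, RemoteSecurityGroup      string
}

// Assumed priority mapping: rule ACLs must sit above the fixed 2004/2003 ACLs with a lower CRD priority winning; 2300-priority is this example's choice.
const aclPriorityBase = 2300

var actions = map[string]string{"allow": "allow-related", "drop": "drop"} // allow-related admits replies too
func portGroup(sg string) string        { return "ovn.sg." + sg }
func aclPriority(r SgRule) int          { return aclPriorityBase - r.Priority }
func associatedSet(sg, v string) string { return "ovn.sg." + sg + ".associated." + v } // v is "v4" or "v6"

func validateRule(r SgRule) error {
	if r.Priority < 1 || r.Priority > 200 || actions[r.Policy] == "" || (r.IPVersion != "ipv4" && r.IPVersion != "ipv6") {
		return fmt.Errorf("bad priority, policy or ipVersion in %+v", r)
	}
	switch r.Protocol {
	case "tcp", "udp":
		if r.PortRangeMin < 1 || r.PortRangeMax > 65535 || r.PortRangeMin > r.PortRangeMax {
			return fmt.Errorf("%s rule needs a port range within 1-65535 with min <= max", r.Protocol)
		}
	case "icmp", "all":
	default:
		return fmt.Errorf("unsupported protocol %q", r.Protocol)
	}
	return nil
}

// ruleMatch renders one rule as an OVN ACL match. Ingress rules become to-lport ACLs keyed on the group as
// outport with the peer as source; egress rules become from-lport ACLs keyed on inport with the peer as destination.
func ruleMatch(sgName, dir string, r SgRule) (string, error) {
	if err := validateRule(r); err != nil {
		return "", err
	}
	ipv := strings.Replace(r.IPVersion, "ipv", "ip", 1) // "ipv4" -> "ip4", "ipv6" -> "ip6"
	port, peer := "outport", ipv+".src"
	if dir == "from-lport" {
		port, peer = "inport", ipv+".dst"
	}
	remote := r.RemoteAddress
	if r.RemoteType == "securityGroup" {
		remote = "$" + associatedSet(r.RemoteSecurityGroup, "v"+ipv[2:]) // the remote group's address set
	}
	parts := []string{port + " == @" + portGroup(sgName), ipv, peer + " == " + remote}
	switch r.Protocol {
	case "icmp":
		parts = append(parts, strings.Replace(ipv, "ip", "icmp", 1)) // icmp4 or icmp6
	case "tcp", "udp":
		// The port range is the destination port in both directions (OpenStack convention, assumed here).
		if r.PortRangeMin == r.PortRangeMax {
			parts = append(parts, r.Protocol, fmt.Sprintf("%s.dst == %d", r.Protocol, r.PortRangeMin))
		} else {
			parts = append(parts, r.Protocol, fmt.Sprintf("%s.dst >= %d && %s.dst <= %d", r.Protocol, r.PortRangeMin, r.Protocol, r.PortRangeMax))
		}
	}
	return strings.Join(parts, " && "), nil
}

// RenderACLs returns the pg-add command and one acl-add per rule (deny-all and same-group ACLs are created separately, as shown above).
func RenderACLs(sgName string, ingress, egress []SgRule) ([]string, error) {
	pg := portGroup(sgName)
	cmds := []string{fmt.Sprintf("ovn-nbctl pg-add %s -- set port_group %s external_ids:type=security_group external_ids:sg=%s", pg, pg, sgName)}
	for _, d := range []struct{ dir string; rules []SgRule }{{"to-lport", ingress}, {"from-lport", egress}} {
		for _, r := range d.rules {
			m, err := ruleMatch(sgName, d.dir, r)
			if err != nil {
				return nil, fmt.Errorf("%s rule: %w", d.dir, err)
			}
			cmds = append(cmds, fmt.Sprintf("ovn-nbctl acl-add %s %s %d '%s' %s", pg, d.dir, aclPriority(r), m, actions[r.Policy]))
		}
	}
	return cmds, nil
}

// The sg1 rules from the YAML example above, transcribed into Go (constructed sample input).
var SampleEgress = []SgRule{{IPVersion: "ipv4", Policy: "allow", Priority: 1, Protocol: "all", RemoteType: "address", RemoteAddress: "0.0.0.0/0"}}
var SampleIngress = []SgRule{
	{IPVersion: "ipv4", Policy: "allow", Priority: 10, Protocol: "icmp", RemoteType: "address", RemoteAddress: "0.0.0.0/0"},
	{IPVersion: "ipv4", Policy: "allow", Priority: 10, Protocol: "tcp", PortRangeMin: 3306, PortRangeMax: 3306, RemoteType: "address", RemoteAddress: "192.168.2.100"},
	{IPVersion: "ipv4", Policy: "allow", Priority: 10, Protocol: "all", RemoteType: "securityGroup", RemoteSecurityGroup: "sg2"},
}

func main() {
	if cmds, err := RenderACLs("sg1", SampleIngress, SampleEgress); err == nil {
		fmt.Println(strings.Join(cmds, "\n"))
	}
}
```

Running it prints five commands for sg1: the pg-add line, three to-lport acl-add lines at priority 2290 and one from-lport line at priority 2299, so every rule lands above the 2004 same-group allow and the 2003 deny-all. The single-port rule becomes `tcp.dst == 3306` because portRangeMin equals portRangeMax, and a tcp rule without a port range is rejected before any command is emitted, which is the check the protocol field description above calls for.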
Only ports with the port-security feature enabled can use security groups, so first add the annotation `ovn.kubernetes.io/port_security: 'true'` to the pod, then declare the security groups to associate with `ovn.kubernetes.io/security_groups`:

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    ovn.kubernetes.io/port_security: 'true'
    ovn.kubernetes.io/security_groups: 'sg1,sg3,sgx'
  namespace: default
  name: scrutiry-pod1
---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    ovn.kubernetes.io/port_security: 'true'
    ovn.kubernetes.io/security_groups: 'sg1,sg3,sgx'
  namespace: default
  name: scrutiry-pod2
```
When a pod's security-group association needs to be changed, the `ovn.kubernetes.io/security_groups` annotation can be updated dynamically without recreating the pod; the new association takes effect immediately.

If only the egress direction is allowed, the pod cannot ping the gateway address. This does not affect OVN routing, but by default the CNI pings the gateway to verify that the network was configured correctly. There are currently two workarounds for this:

- Allow access to the gateway address in the ingress rules
- See PR https://github.com/kubeovn/kube-ovn/pull/941 and set the subnet's disableGatewayCheck parameter

Security groups are not scoped to a VPC or subnet, but it is recommended not to share one security group instance across VPCs, especially with allowSameGroupTraffic enabled: different VPCs may have overlapping addresses, which leads to unpredictable behaviour. Create separate security group instances in each VPC.