CiliumClusterwideNetworkPolicy host policies for the Cilium host firewall (Cilium 1.9.8)
# Turn on the host firewall for an existing Cilium 1.9.x release.
# - hostFirewall=true is the 1.9 chart key (later charts moved it to
#   hostFirewall.enabled); it only creates the host endpoint - nothing is
#   dropped until a CiliumClusterwideNetworkPolicy with a nodeSelector
#   matches the node, after which that node is default-deny for the
#   direction the policy covers.
# - devices restricts enforcement to the listed interfaces; traffic on any
#   other interface is not filtered at all.
# - helm upgrade without --reuse-values (or a full values file) resets every
#   value not given here to the chart default, so check the release's
#   existing values before running this.
# - the chart reference "cilium" assumes a local chart dir or alias; the
#   docs use cilium/cilium after `helm repo add`.
helm upgrade cilium cilium \
  --namespace kube-system \
  --version 1.9.8 \
  --set hostFirewall=true \
  --set devices='{eth1}' \
  --set prometheus.enabled=true \
  --set operator.prometheus.enabled=true \
  --set hubble.enabled=false
Confirm that the cilium-config ConfigMap carries the new host-firewall settings, then restart the agent DaemonSet so every node picks them up (agents read cilium-config at startup).
# `k` is assumed to alias kubectl. Look for `devices` and
# `enable-host-firewall` in the rendered ConfigMap before restarting.
k get cm -n kube-system cilium-config -o yaml
# Excerpt of the cilium-config ConfigMap; the `...` lines stand for
# omitted keys.
apiVersion: v1
data:
...
  # Interfaces the host firewall enforces on. Traffic arriving on an
  # interface not listed here is not filtered.
  devices: eth1
...
  # Written by hostFirewall=true. Agents read this at startup, hence the
  # rolling restart that follows.
  enable-host-firewall: "true"
...
# Rolling restart so every agent re-reads cilium-config and creates its
# host endpoint. Apply host policies only after this has completed on all
# nodes, and expect a brief datapath interruption per node.
k rollout restart ds/cilium -n kube-system
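---
# Host policy for control-plane nodes.
#
# As soon as this policy selects a node's host endpoint, ingress to that
# node is default-deny: anything not allowed below is dropped. Egress is
# unaffected because no egress section is given. Roll it out with the host
# endpoint in PolicyAuditMode first and watch
# `cilium monitor -t policy-verdict` for unexpected drops before enforcing,
# or you can lock yourself out of SSH and the API server.
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "host-policy-for-master"
spec:
  description: ""
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/master: ""
  ingress:
    # Keep each source selector and its port list in the SAME list item.
    # A rule that carries only `toPorts` (no from* selector) allows those
    # ports from any source, including world; a rule that carries only
    # `fromEntities` allows ALL ports from those sources. Splitting them
    # into separate items silently produces both.
    - fromEntities:
        # In-cluster endpoints not managed by Cilium. This does NOT cover
        # clients outside the cluster: admin SSH from a workstation needs
        # its own explicit rule (world, or preferably a narrow fromCIDR),
        # not a `toPorts`-only rule.
        - unmanaged
        # Any other node in the cluster, not only control-plane nodes.
        - remote-node
        - host
      toPorts:
        - ports:
            # SSH
            - port: "22"
              protocol: TCP
            # kube-apiserver. Pod-originated traffic is expected to carry
            # the pod's identity rather than remote-node; if workloads reach
            # the API server directly via the node IP they need their own
            # entry - verify with the policy-verdict monitor.
            - port: "6443"
              protocol: TCP
    - fromEntities:
        - host
        - remote-node
      toPorts:
        - ports:
            # etcd client, peer and metrics ports
            - port: "2379"
              protocol: TCP
            - port: "2380"
              protocol: TCP
            - port: "2381"
              protocol: TCP
    - fromEntities:
        - remote-node
      toPorts:
        - ports:
            # cilium-operator Prometheus metrics
            - port: "6942"
              protocol: TCP
            # kubelet API (exec/logs from the API server)
            - port: "10250"
              protocol: TCP
            # kube-proxy metrics
            - port: "10249"
              protocol: TCP
            # kube-scheduler secure port
            - port: "10259"
              protocol: TCP
            # cilium-agent Prometheus metrics
            - port: "9090"
              protocol: TCP
            # cilium VXLAN overlay
            - port: "8472"
              protocol: UDP
            # node-exporter
            - port: "9100"
              protocol: TCP
    - fromEntities:
        - health
        - remote-node
      toPorts:
        - ports:
            # cilium-health inter-node probe
            - port: "4240"
              protocol: TCP
            # cilium-agent health status API
            - port: "9876"
              protocol: TCP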
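---
# Host policy for worker nodes.
#
# As soon as this policy selects a node's host endpoint, ingress to that
# node is default-deny: anything not allowed below is dropped. Egress is
# unaffected because no egress section is given. Roll it out with the host
# endpoint in PolicyAuditMode first and watch
# `cilium monitor -t policy-verdict` for unexpected drops before enforcing.
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "host-policy-for-worker"
spec:
  description: ""
  nodeSelector:
    matchLabels:
      # kubeadm does not add a worker role label by default. Nodes without
      # this label are simply not selected and stay unfiltered - check with
      # `kubectl get nodes --show-labels`.
      node-role.kubernetes.io/worker: ""
  ingress:
    # Keep each source selector and its port list in the SAME list item.
    # A rule that carries only `toPorts` (no from* selector) allows those
    # ports from any source, including world; a rule that carries only
    # `fromEntities` allows ALL ports from those sources. Splitting them
    # into separate items silently produces both - for this list that
    # would expose the kubelet API to anyone who can reach the node.
    - fromEntities:
        # Any other node in the cluster. Pod-originated traffic (for
        # example a metrics scraper running as a pod) is expected to carry
        # the pod's identity instead and is not covered - verify with the
        # policy-verdict monitor.
        - remote-node
      toPorts:
        - ports:
            # cilium-operator Prometheus metrics
            - port: "6942"
              protocol: TCP
            # kubelet API (exec/logs from the API server)
            - port: "10250"
              protocol: TCP
            # kube-proxy metrics
            - port: "10249"
              protocol: TCP
            # cilium-agent Prometheus metrics
            - port: "9090"
              protocol: TCP
            # cilium VXLAN overlay
            - port: "8472"
              protocol: UDP
            # node-exporter
            - port: "9100"
              protocol: TCP
    - fromEntities:
        - health
        - remote-node
      toPorts:
        - ports:
            # cilium-health inter-node probe
            - port: "4240"
              protocol: TCP
            # cilium-agent health status API
            - port: "9876"
              protocol: TCP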
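# Inspect the host endpoint of one node after the policies are applied.
# Expansions are quoted and both lookups are checked, so an empty result
# fails here with a clear message instead of as an opaque `kubectl exec`
# error. `${var:?msg}` aborts the current command line without closing an
# interactive shell.
export NODE_NAME="node1"
CILIUM_NAMESPACE=kube-system
CILIUM_POD_NAME=$(kubectl -n "$CILIUM_NAMESPACE" get pods -l "k8s-app=cilium" -o jsonpath="{.items[?(@.spec.nodeName=='$NODE_NAME')].metadata.name}")
: "${CILIUM_POD_NAME:?no cilium pod found on node $NODE_NAME}"
# Reserved identity 1 is the host identity, so this selects the node's
# host endpoint.
HOST_EP_ID=$(kubectl -n "$CILIUM_NAMESPACE" exec "$CILIUM_POD_NAME" -- cilium endpoint list -o jsonpath='{[?(@.status.identity.id==1)].id}')
: "${HOST_EP_ID:?no host endpoint on $CILIUM_POD_NAME - is the host firewall enabled and the agent restarted?}"
kubectl -n "$CILIUM_NAMESPACE" exec "$CILIUM_POD_NAME" -- cilium endpoint list
# Before relying on enforcement, consider switching the host endpoint to
# audit mode so verdicts are logged rather than dropped (revert with
# PolicyAuditMode=Disabled once the allow-list is confirmed):
#   kubectl -n "$CILIUM_NAMESPACE" exec "$CILIUM_POD_NAME" -- cilium endpoint config "$HOST_EP_ID" PolicyAuditMode=Enabled
# get bpf policy: the compiled allow-list of the host endpoint
kubectl -n "$CILIUM_NAMESPACE" exec "$CILIUM_POD_NAME" -- cilium bpf policy get "$HOST_EP_ID"
# monitor: live policy verdicts for the host endpoint; anything you still
# need that shows up as denied (or audited) is missing from the policy
kubectl -n "$CILIUM_NAMESPACE" exec "$CILIUM_POD_NAME" -- cilium monitor -t policy-verdict --related-to "$HOST_EP_ID"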