Kubernetes Securing services


Problem description

I am running so many services in a Kubernetes cluster. Now, service A is able to access service B, and service C is also able to access service B. Is there any way to control who can access what service? Like an ACL (Access Control List) in typical VM style.

Thanks

Recommended answer

The short answer is yes, the longer answer is that there are several approaches to that. Starting with NetworkPolicy, which as best I can tell is just the standardization of the concept implemented by the underlying SDN -- similar to the way the Ingress resource standardized how virtual hosts are managed by the underlying Ingress controllers.

The whole list is here, but the major players I know off-hand are:

  • Calico
  • Contiv
  • WeaveNetworks

There was also a blog post back in 2016, which may be enlightening, but it is unknown how much of it is still applicable.

This may be stating the obvious, but pushing that level of security into your cluster will greatly, greatly increase debugging costs. I am a much bigger proponent of "don't run untrusted code in your cluster" than "firewall all the things!!1"
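As an added illustration of the NetworkPolicy approach the answer above describes (this is example configuration written for this page, not something the answerer posted), here is the pair of policies that gives the questioner's ACL: a namespace-wide default deny for inbound traffic, followed by one rule that lets only service A's pods reach service B's pods. The namespace `demo`, the `app=service-a` / `app=service-b` labels and port 8080 are assumptions chosen for the example.

```yaml
# Added example, not from the original answer.
# Namespace "demo", the app labels and TCP port 8080 are assumed values.
#
# Policy 1: select every pod in the namespace and list no ingress rules,
# so all inbound traffic is denied unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: demo
spec:
  podSelector: {}          # empty selector matches all pods in "demo"
  policyTypes:
    - Ingress              # no "ingress:" list follows, so nothing is allowed
---
# Policy 2: re-open service B, but only to pods labelled app=service-a.
# Service C's pods carry no such label, so their connections are dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-service-a-to-service-b
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: service-b       # the pods being protected
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: service-a   # the only permitted client
      ports:
        - protocol: TCP
          port: 8080
```

Apply both objects with `kubectl apply -f <file>` and inspect what is in force with `kubectl describe networkpolicy -n demo`. Two points matter when reading this: policies are additive, so without the default-deny object service B would stay reachable from everything, and NetworkPolicy objects only take effect when the cluster's CNI plugin enforces them (Calico and Weave Net from the list above do; on a plugin that does not, the API accepts the objects silently and nothing changes). The debugging cost the answer warns about shows up as plain connection timeouts from service C, with no error naming the policy, which is why keeping the allow rules few and explicitly labelled pays off.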
