# Configuring Kubernetes network policies

> You are currently viewing version 1.11 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).

Last updated: 2025-09-04 (UTC)

This topic explains how to use Kubernetes network policies to secure the Cassandra and Redis pods within an Apigee hybrid cluster.

Overview
--------

When you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), you can use Kubernetes network policies for the applications in your cluster. Network policies are an application-centric construct that specifies how a pod is allowed to communicate with other pods in your cluster.

In Apigee hybrid you can use Kubernetes network policies to isolate the Cassandra pods so that only the pods that are intended to communicate with Cassandra, such as the Runtime, Synchronizer, and MART pods, are allowed to do so. Other pods in the cluster that do not need to communicate with Cassandra, such as the Ingress and Watcher pods, are blocked from doing so.

If you have no restrictions on which pods can interact within your cluster, you do not need to use Kubernetes network policies.

Prerequisites
-------------

- Enable network policies in your cluster.
  - **GKE**: See [Enabling network policy enforcement](/kubernetes-engine/docs/how-to/network-policy#enabling_network_policy_enforcement).
  - **EKS**: See [Installing the Calico network policy engine add-on](https://docs.aws.amazon.com/eks/latest/userguide/calico.html).
  - **AKS**: See [Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)](https://docs.microsoft.com/en-us/azure/aks/use-network-policies).
  - Other platforms: look for instructions to enable network policies on your cluster from your platform vendor.
- A currently running Apigee hybrid cluster, version 1.8 or newer.

Procedure
---------

If you are running hybrid version 1.8.x, download and extract the newest Apigee release package.

### Linux

```
curl -LO \
  https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.11.2/apigeectl_linux_64.tar.gz
```

### Mac OS

```
curl -LO \
  https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.11.2/apigeectl_mac_64.tar.gz
```

### Windows

```
curl -LO ^
  https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.11.2/apigeectl_windows_64.zip
```

The configuration files for the Kubernetes network policies for Cassandra and Redis are in the following directory structure within your `$APIGEECTL_HOME` directory:

```text
└── apigeectl
    └── examples
        └── network-policies
            └── securing-cassandra-redis-pods
                ├── README.md
                ├── base
                │   └── cluster-scoped-communication
                │       ├── cassandra
                │       │   ├── kustomization.yaml
                │       │   ├── networkpolicy-cassandra-allow-controller.yaml
                │       │   ├── networkpolicy-cassandra-allow-intranode.yaml
                │       │   ├── networkpolicy-cassandra-allow-mart.yaml
                │       │   ├── networkpolicy-cassandra-allow-runtime.yaml
                │       │   ├── networkpolicy-cassandra-alow-sync.yaml
                │       │   ├── networkpolicy-cassandra-create-user.yaml
                │       │   ├── networkpolicy-cassandra-monitoring.yaml
                │       │   └── networkpolicy-cassandra-remove-dc.yaml
                │       └── redis
                │           ├── kustomization.yaml
                │           ├── networkpolicy-redis-envoy.yaml
                │           └── networkpolicy-redis.yaml
                └── overlays
                    └── ORG_NAME
                        └── kustomization.yaml
```

Where ORG_NAME is the name of your Apigee organization.

1. Label the namespaces with the following commands:

   ```
   kubectl label namespace apigee app=apigee
   kubectl label namespace apigee-system app=apigee-system
   ```

2. Apply the network policies with the following command:

   ```
   kubectl apply -k ${APIGEECTL_HOME}/examples/network-policies/securing-cassandra-redis-pods/overlays/ORG_NAME
   ```

3. Validate that the network policies were applied with the following command:

   ```
   kubectl get netpol -n apigee
   ```

   The following network policies should be created in the `apigee` namespace:

   ```text
   NAME                      POD-SELECTOR            AGE
   cassandra-from-mart       app=apigee-cassandra    4d5h
   cassandra-from-runtime    app=apigee-cassandra    4d5h
   cassandra-from-sync       app=apigee-cassandra    4d5h
   cassandra-to-cassandra    app=apigee-cassandra    4d5h
   controller-to-cassandra   app=apigee-cassandra    4d5h
   redis-from-redisenvoy     app=apigee-redis        3d18h
   redisenvoy-from-runtime   app=apigee-redis-envoy  3d18h
   ```
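As an added illustration, not a file from the Apigee release package, this is a NetworkPolicy with the intent of the `cassandra-from-runtime` policy listed above. The pod selector `app=apigee-cassandra` and the namespace label `app=apigee` (set in step 1) come from the page; the runtime pod label `app=apigee-runtime` and the CQL port 9042 are assumptions, so check them against your cluster before relying on this.

```yaml
# Added example, not the file shipped in $APIGEECTL_HOME.
# Allows only Runtime pods (in a namespace labelled app=apigee) to reach
# Cassandra on the CQL port; everything else is dropped once the
# Cassandra pods are selected by a NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra-from-runtime
  namespace: apigee
spec:
  # Selecting the Cassandra pods makes them "isolated" for ingress:
  # any connection not matched by an allow rule in some policy that
  # selects them (here, or the other cassandra-* policies) is denied.
  podSelector:
    matchLabels:
      app: apigee-cassandra
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector inside ONE list entry are ANDed:
        # "pods labelled app=apigee-runtime in namespaces labelled app=apigee".
        # This is why step 1 labels the namespaces before the policies are applied.
        - namespaceSelector:
            matchLabels:
              app: apigee
          podSelector:
            matchLabels:
              app: apigee-runtime   # assumed label of the Runtime pods
      ports:
        - protocol: TCP
          port: 9042              # assumed Cassandra CQL native transport port
```

Keep the two selectors in a single `from` entry: splitting them into two entries (each starting with `-`) ORs them, which would admit every pod in any `app=apigee` namespace rather than only the Runtime pods. After applying, `kubectl describe netpol cassandra-from-runtime -n apigee` shows the evaluated rule so you can confirm the AND is in effect.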