Overview

NetworkPolicy restricts pod-to-pod communication and external access. Combining default deny, precise allow rules keyed on namespace and labels, and an allow-list for DNS and external APIs tightens the security boundary and supports compliance.

Key practices and parameters

Default deny: create a policy that blocks all ingress and egress.
Internal communication: allow precisely by namespace and label.
Egress allow-list: permit DNS and specific CIDRs or external service IP ranges.
Observability: use connectivity tests and log auditing.

Example / configuration / implementation

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app
spec:
  podSelector: {}                  # empty selector: applies to every pod in the namespace
  policyTypes: [Ingress, Egress]   # no rules listed, so both directions are denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: app
spec:
  podSelector:
    matchLabels: { role: api }
  policyTypes: [Ingress]
  ingress:
    - from:
        # a bare podSelector matches only pods in this policy's own namespace
        - podSelector: { matchLabels: { role: web } }
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-whitelist
  namespace: app
spec:
  podSelector:
    matchLabels: { role: api }
  policyTypes: [Egress]
  egress:
    # DNS: select kube-system by the label the control plane sets on every namespace
    - to:
        - namespaceSelector: { matchLabels: { kubernetes.io/metadata.name: kube-system } }
      ports:
        - { port: 53, protocol: UDP }
        - { port: 53, protocol: TCP }   # large answers fall back to TCP
    # External API: a separate rule, so port 443 is allowed only towards this CIDR
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports: [{ port: 443, protocol: TCP }]
```
Verification

East-west: the `web` pod reaches `api`; access from other namespaces is denied.
Egress: the `api` pod can resolve DNS and reach the external API inside the allow-listed CIDR; other external destinations are denied.
Audit: use CNI or gateway logs to confirm the deny and allow counts.

Notes

Confirm that the CNI implementation enforces NetworkPolicy (e.g., Calico/Cilium).
External service IPs may change; manage domain-to-IP mapping through a gateway or proxy layer.
Avoid overly broad CIDRs and keep allow rules minimal.
Coordinate with Ingress/Egress Gateway policies.
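As an added example (not part of the original article), a small Python audit of the practices above: it checks that a namespace carries a default-deny policy covering both directions and flags egress rules that allow every destination or use over-broad CIDRs. The policy objects are constructed inline in the shape `kubectl get networkpolicy -o json` returns under `items`; the /16 threshold and the `kubernetes.io/metadata.name` label for kube-system are assumptions.

```python
import ipaddress

# Constructed sample: the three policies from this article as API objects.
POLICIES = [
    {"metadata": {"name": "default-deny-all", "namespace": "app"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "allow-same-namespace", "namespace": "app"},
     "spec": {"podSelector": {"matchLabels": {"role": "api"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "web"}}}]}]}},
    {"metadata": {"name": "egress-whitelist", "namespace": "app"},
     "spec": {"podSelector": {"matchLabels": {"role": "api"}},
              "policyTypes": ["Egress"],
              "egress": [
                  {"to": [{"namespaceSelector": {"matchLabels":
                           {"kubernetes.io/metadata.name": "kube-system"}}}],
                   "ports": [{"port": 53, "protocol": "UDP"}]},
                  {"to": [{"ipBlock": {"cidr": "203.0.113.0/24"}}],
                   "ports": [{"port": 443, "protocol": "TCP"}]}]}},
]

# Hypothetical threshold: an egress CIDR shorter than /16 counts as over-broad.
MIN_PREFIX_LEN = 16


def has_default_deny(policies, namespace):
    """True if some policy in `namespace` selects every pod, lists both
    policyTypes and carries no allow rules (i.e. denies all traffic)."""
    for p in policies:
        spec = p["spec"]
        if (p["metadata"]["namespace"] == namespace
                and spec.get("podSelector", {}) == {}
                and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
                and not spec.get("ingress") and not spec.get("egress")):
            return True
    return False


def audit_egress(policies):
    """Return (policy name, message) findings for egress rules that either
    omit `to` (allow-all destination) or allow an over-broad ipBlock."""
    findings = []
    for p in policies:
        name = p["metadata"]["name"]
        for rule in p["spec"].get("egress", []):
            if not rule.get("to"):
                findings.append((name, "egress rule has no 'to': allows all destinations"))
            for peer in rule.get("to", []):
                cidr = peer.get("ipBlock", {}).get("cidr")
                if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen < MIN_PREFIX_LEN:
                    findings.append((name, f"over-broad egress CIDR {cidr}"))
    return findings
```

Run it against the output of `kubectl get networkpolicy -A -o json` by loading the `items` list in place of `POLICIES`.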