Kubernetes NetworkPolicy零信任服务访问实践

概述目标：用NetworkPolicy在命名空间与Pod级别控制入站/出站流量，限制只允许必要的服务通信。适用：多服务微服务集群、东西向流量治理、敏感服务访问隔离。核心与实战默认拒绝所有入站（命名空间级）：apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: prod spec: podSelector: {} policyTypes: ["Ingress"] 仅允许同命名空间内`web`访问`api`：apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: api-allow-web namespace: prod spec: podSelector: matchLabels: app: api policyTypes: ["Ingress"] ingress: - from: - podSelector: matchLabels: app: web ports: - protocol: TCP port: 8080 限制出站仅允许访问数据库CIDR与DNS：apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: api-egress-db-dns namespace: prod spec: podSelector: matchLabels: app: api policyTypes: ["Egress"] egress: - to: - ipBlock: cidr: 10.0.10.0/24 ports: - protocol: TCP port: 5432 - to: - namespaceSelector: {} ports: - protocol: UDP port: 53 示例应用与测试：kubectl apply -f default-deny.yaml kubectl apply -f api-allow-web.yaml kubectl apply -f api-egress-db-dns.yaml kubectl -n prod run -it netshoot --image=nicolaka/netshoot --restart=Never --rm -- /bin/sh -c "curl -sS api.prod.svc:8080 && nslookup api.prod.svc" 允许跨命名空间访问（按namespace标签）：apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: api-allow-web-from-staging namespace: prod spec: podSelector: matchLabels: { app: api } policyTypes: ["Ingress"] ingress: - from: - namespaceSelector: matchLabels: env: staging podSelector: matchLabels: app: web 验证与监控验证连通性：kubectl -n prod exec deploy/web -- curl -sS api:8080 kubectl -n prod exec deploy/api -- nc -vz 10.0.10.5 5432 观测拒绝：使用网络插件（如Calico/Cilium）日志或统计查看被拒绝连接。变更审查：通过`kubectl diff`与GitOps流程评审NetworkPolicy变更。常见误区只配置Ingress未配置Egress导致服务可任意出站；需双向治理。`ipBlock`包含集群Pod CIDR导致误开放；应精确到外部子网。缺少默认拒绝策略，新增服务默认可被访问；应先建立`default-deny`。结语NetworkPolicy通过细粒度入出站控制构建零信任边界，配合可验证测试与日志，可在生产环境稳定地实施访问治理。