1. Default isolation policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: prod
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
```

2. Service ingress allowlist (by label and port)

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-from-gateway
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  ingress:
    - from:
        # namespaceSelector and podSelector in the same list item: the source
        # must match both (gateway pods in a namespace labelled role=edge)
        - namespaceSelector:
            matchLabels:
              role: edge
          podSelector:
            matchLabels:
              app: gateway
      ports:
        - protocol: TCP
          port: 8080
```

3. Service egress allowlist (Egress)

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  egress:
    - to:
        # same AND semantics: db pods in a namespace labelled role=core
        - namespaceSelector:
            matchLabels:
              role: core
          podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 5432
  policyTypes:
    - Egress
```

4. Policy generation and validation (sketch)

```typescript
// One rule per service: where it runs, who may reach it, and what it may reach
type Rule = {
  ns: string;
  app: string;
  allowFrom?: { nsLabel: string; appLabel: string; port: number }[];
  allowTo?: { nsLabel: string; appLabel: string; port: number }[];
};

// A valid port is an integer in 1..65535
function validPort(p: number): boolean {
  return Number.isInteger(p) && p > 0 && p < 65536;
}
```

5. Acceptance checklist

- Every namespace has default Ingress/Egress isolation enabled; traffic is allowed only through label-and-port allowlists.
- Egress policies are restricted to the specified namespaces and service ports; undeclared egress is denied by default.
- Used alongside a Service Mesh (mTLS/policy) as a complementary control; after each change, verify both the allowed connectivity and the deny paths one by one.
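The generation step sketched in section 4, carried through as an added example (not the page's own code): a `Rule` is turned into the default-deny policy plus one allow policy per declared direction, with ports validated before anything is emitted. The output objects are assumed to be applied as JSON (`kubectl apply -f` accepts JSON); the policy names and the `role`/`app` label keys mirror the YAML above.

```typescript
// Added example: NetworkPolicy objects from the Rule shape in section 4.
type Peer = { nsLabel: string; appLabel: string; port: number };
type Rule = { ns: string; app: string; allowFrom?: Peer[]; allowTo?: Peer[] };
type Selector = { matchLabels?: Record<string, string> };
type PeerSel = { namespaceSelector: Selector; podSelector: Selector };
type Block = { from?: PeerSel[]; to?: PeerSel[]; ports: { protocol: "TCP"; port: number }[] };
type NetworkPolicy = {
  apiVersion: "networking.k8s.io/v1"; kind: "NetworkPolicy";
  metadata: { name: string; namespace: string };
  spec: { podSelector: Selector; policyTypes: ("Ingress" | "Egress")[]; ingress?: Block[]; egress?: Block[] };
};

function validPort(p: number): boolean {
  return Number.isInteger(p) && p > 0 && p < 65536;
}

// namespaceSelector and podSelector go in ONE list item so the peer must match
// both; emitting them as two items would mean "either" and widen the allowlist.
function block(p: Peer, dir: "from" | "to"): Block {
  const sel: PeerSel = { namespaceSelector: { matchLabels: { role: p.nsLabel } },
                         podSelector: { matchLabels: { app: p.appLabel } } };
  const ports = [{ protocol: "TCP" as const, port: p.port }];
  return dir === "from" ? { from: [sel], ports } : { to: [sel], ports };
}

function policy(name: string, ns: string, spec: NetworkPolicy["spec"]): NetworkPolicy {
  return { apiVersion: "networking.k8s.io/v1", kind: "NetworkPolicy",
           metadata: { name, namespace: ns }, spec };
}

// Default-deny for the namespace plus an allow policy per declared direction.
// Throws (emits nothing) if any peer port is out of range.
function generate(r: Rule): NetworkPolicy[] {
  const peers = [...(r.allowFrom ?? []), ...(r.allowTo ?? [])];
  const bad = peers.filter(p => !validPort(p.port)).map(p => p.port);
  if (bad.length) throw new Error(`invalid port(s): ${bad.join(", ")}`);
  const self: Selector = { matchLabels: { app: r.app } };
  const out: NetworkPolicy[] = [
    policy("default-deny", r.ns, { podSelector: {}, policyTypes: ["Ingress", "Egress"] }),
  ];
  if (r.allowFrom?.length) out.push(policy(`allow-${r.app}-ingress`, r.ns,
    { podSelector: self, policyTypes: ["Ingress"], ingress: r.allowFrom.map(p => block(p, "from")) }));
  if (r.allowTo?.length) out.push(policy(`allow-${r.app}-egress`, r.ns,
    { podSelector: self, policyTypes: ["Egress"], egress: r.allowTo.map(p => block(p, "to")) }));
  return out;
}

// Constructed sample mirroring the api/gateway/db policies on this page.
const apiRule: Rule = { ns: "prod", app: "api",
  allowFrom: [{ nsLabel: "edge", appLabel: "gateway", port: 8080 }],
  allowTo: [{ nsLabel: "core", appLabel: "db", port: 5432 }] };
console.log(JSON.stringify(generate(apiRule), null, 2));
```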
