## Overview

Goal: use NetworkPolicy to control ingress and egress traffic at the namespace and Pod level, allowing only the service-to-service communication that is actually needed.

Applicable to: multi-service microservice clusters, east-west traffic governance, and access isolation for sensitive services.

## Core concepts and practice

Default-deny all ingress (namespace-wide):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: prod
spec:
  podSelector: {}            # empty selector: applies to every Pod in the namespace
  policyTypes: ["Ingress"]   # no ingress rules listed, so all ingress is denied; egress is untouched
```

Allow only `web` in the same namespace to reach `api`:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-web
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:            # no namespaceSelector, so only Pods in prod are matched
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 8080
```

Restrict egress to the database CIDR and DNS only:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-egress-db-dns
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Egress"]
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.10.0/24     # external database subnet; must not overlap the Pod CIDR
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - namespaceSelector: {}    # Pods in every namespace, which covers the cluster DNS Pods
    ports:
    - protocol: UDP            # only UDP/53 is opened here; TCP/53 is not covered by this rule
      port: 53
```

Apply the examples and test:

```bash
kubectl apply -f default-deny.yaml
kubectl apply -f api-allow-web.yaml
kubectl apply -f api-egress-db-dns.yaml
# The netshoot Pod carries no app=web label, so with the policies above the curl to
# api is expected to be blocked; because of "&&", nslookup only runs if curl succeeds.
kubectl -n prod run -it netshoot --image=nicolaka/netshoot --restart=Never --rm -- /bin/sh -c "curl -sS api.prod.svc:8080 && nslookup api.prod.svc"
```

Allow cross-namespace access (by namespace label):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-web-from-staging
  namespace: prod
spec:
  podSelector:
    matchLabels: { app: api }
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:       # namespaceSelector and podSelector in the SAME list entry are ANDed:
        matchLabels:           # only app=web Pods in namespaces labelled env=staging match
          env: staging
      podSelector:
        matchLabels:
          app: web
```
## Verification and monitoring

Verify connectivity:

```bash
kubectl -n prod exec deploy/web -- curl -sS api:8080
kubectl -n prod exec deploy/api -- nc -vz 10.0.10.5 5432
```

Observe denials: use the network plugin's (e.g. Calico or Cilium) logs or statistics to inspect rejected connections.

Change review: review NetworkPolicy changes through `kubectl diff` and a GitOps workflow.

## Common pitfalls

- Configuring only Ingress and no Egress leaves services free to connect anywhere; both directions must be governed.
- An `ipBlock` that includes the cluster's Pod CIDR opens access unintentionally; scope it precisely to the external subnet.
- Without a default-deny policy, newly added services are reachable by default; establish `default-deny` first.

## Conclusion

NetworkPolicy builds a zero-trust boundary through fine-grained ingress and egress control; combined with verifiable tests and logs, access governance can be implemented reliably in production.
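The three pitfalls listed above can be caught before a manifest reaches the cluster. The following added example (not code from the post) lints a set of NetworkPolicy manifests, given as the dicts a YAML parser would return, for a missing namespace-wide default-deny in either direction and for `ipBlock` CIDRs that overlap the cluster Pod CIDR. The Pod CIDR `10.244.0.0/16` and the policy `api-egress-internal` are constructed to trigger a finding; `default-deny-all` is the corrected default-deny covering both directions.

```python
"""Static checks for the pitfalls above (added example; manifests embedded as dicts)."""
import ipaddress


def default_deny_directions(policies, namespace):
    """Directions ('Ingress'/'Egress') for which `namespace` has a policy that
    selects every Pod (podSelector {}) and lists no allow rules."""
    found = set()
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != namespace:
            continue
        if spec.get("podSelector", {}).get("matchLabels"):
            continue  # selects a subset of Pods, not a namespace-wide default
        for direction in spec.get("policyTypes", []):
            if not spec.get(direction.lower()):  # no ingress:/egress: rules -> deny all
                found.add(direction)
    return found


def ipblock_cidrs(policy):
    """Yield (direction, cidr) for every ipBlock peer in the policy."""
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for rule in policy["spec"].get(direction, []):
            for peer in rule.get(key, []):
                cidr = peer.get("ipBlock", {}).get("cidr")
                if cidr:
                    yield direction, cidr


def lint_policies(policies, pod_cidr):
    """Return human-readable findings, namespace-level ones first."""
    pod_net = ipaddress.ip_network(pod_cidr)
    findings = []
    for ns in sorted({p["metadata"]["namespace"] for p in policies}):
        have = default_deny_directions(policies, ns)
        for direction in ("Ingress", "Egress"):
            if direction not in have:
                findings.append(f"{ns}: no default-deny {direction} policy")
    for pol in policies:
        ref = f'{pol["metadata"]["namespace"]}/{pol["metadata"]["name"]}'
        for direction, cidr in ipblock_cidrs(pol):
            if ipaddress.ip_network(cidr).overlaps(pod_net):
                findings.append(
                    f"{ref}: {direction} ipBlock {cidr} overlaps cluster Pod CIDR {pod_cidr}")
    return findings


POD_CIDR = "10.244.0.0/16"  # constructed cluster Pod CIDR, not from the post

# The post's default-deny-ingress and api-egress-db-dns, plus one constructed
# egress policy whose ipBlock wrongly covers the whole Pod CIDR.
POLICIES = [
    {"metadata": {"name": "default-deny-ingress", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "api-egress-db-dns", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "api"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "10.0.10.0/24"}}],
                          "ports": [{"protocol": "TCP", "port": 5432}]},
                         {"to": [{"namespaceSelector": {}}],
                          "ports": [{"protocol": "UDP", "port": 53}]}]}},
    {"metadata": {"name": "api-egress-internal", "namespace": "prod"},  # constructed
     "spec": {"podSelector": {"matchLabels": {"app": "api"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "10.244.0.0/16"}}]}]}},
]

# Corrected baseline: deny both directions for every Pod in the namespace.
DEFAULT_DENY_ALL = {
    "metadata": {"name": "default-deny-all", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

if __name__ == "__main__":
    for line in lint_policies(POLICIES, POD_CIDR):
        print("FINDING:", line)
    print("after adding default-deny-all:",
          lint_policies(POLICIES + [DEFAULT_DENY_ALL], POD_CIDR))
```

With the post's manifests alone the linter reports that `prod` has no default-deny Egress policy and that the constructed `api-egress-internal` overlaps the Pod CIDR; adding `default-deny-all` clears the first finding, while the CIDR one remains until the block is narrowed to the real external subnet.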
