1. Default isolation policy

Select every pod in the namespace (`podSelector: {}`) and declare both policy types, so that all ingress and egress is denied until a later policy explicitly allows it:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: prod
spec:
  podSelector: {}        # empty selector: applies to every pod in prod
  policyTypes:
  - Ingress
  - Egress
```
2. Service ingress whitelist (by label and port)

Allow only the gateway pods in namespaces labelled `role: edge` to reach the `api` pods, and only on TCP/8080. `namespaceSelector` and `podSelector` sit in the same `from` element, which means both must match (AND); splitting them into two list elements would mean either may match (OR):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-from-gateway
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:           # explicit; an ingress-only policy defaults to this anyway
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: edge
      podSelector:       # same list element as namespaceSelector: AND, not OR
        matchLabels:
          app: gateway
    ports:
    - protocol: TCP
      port: 8080
```
3. Service egress whitelist (Egress)

Allow the `api` pods to connect only to `db` pods in namespaces labelled `role: core`, on TCP/5432. `policyTypes: [Egress]` must be stated explicitly here; a policy with only `egress` rules and no `policyTypes` would still be treated as Egress, but leaving it implicit is a common source of surprises:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          role: core
      podSelector:
        matchLabels:
          app: db
    ports:
    - protocol: TCP
      port: 5432
  # With default-deny egress in place, name resolution also needs an explicit
  # egress allowance to the cluster DNS (UDP/TCP 53), otherwise the api pods
  # cannot resolve the db Service name.
```
4. Policy generation and validation (sketch)

Model each service as a rule with its allowed inbound and outbound peers, and validate ports before rendering YAML:

```typescript
// One rule per service: which (namespace label, app label, port) peers may
// reach it, and which peers it may reach.
type Rule = {
  ns: string;
  app: string;
  allowFrom?: { nsLabel: string; appLabel: string; port: number }[];
  allowTo?: { nsLabel: string; appLabel: string; port: number }[];
};

// Reject non-integer, zero, negative and out-of-range ports before they
// reach the policy renderer.
function validPort(p: number): boolean {
  return Number.isInteger(p) && p > 0 && p < 65536;
}
```
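The following is an added example, not code from the original post: it completes the sketch above into a generator that turns a list of rules into the policies of sections 1 to 3 (default-deny per namespace, one ingress and one egress policy per service) and validates every rule first. It assumes, as the YAML above does, that namespaces are labelled with the key `role` and pods with the key `app`; it also assumes CoreDNS runs in `kube-system` with the standard labels `k8s-app=kube-dns` and `kubernetes.io/metadata.name=kube-system` and emits an `allow-dns` policy for it, since a default-deny on egress otherwise breaks Service name resolution. The function and type names are mine.

```typescript
// Added example (not the original post's code). Assumptions: namespace label
// key "role", pod label key "app", CoreDNS in kube-system with k8s-app=kube-dns.

type Peer = { nsLabel: string; appLabel: string; port: number };
type Rule = { ns: string; app: string; allowFrom?: Peer[]; allowTo?: Peer[] };

type Selector = { matchLabels: Record<string, string> };
// namespaceSelector and podSelector in ONE peer element: both must match (AND).
// Putting them in two list elements would mean OR, which is far more permissive.
type NpPeer = { namespaceSelector: Selector; podSelector: Selector };
type NpPort = { protocol: "TCP" | "UDP"; port: number };
type IngressRule = { from: NpPeer[]; ports: NpPort[] };
type EgressRule = { to: NpPeer[]; ports: NpPort[] };
type NetworkPolicy = {
  apiVersion: "networking.k8s.io/v1";
  kind: "NetworkPolicy";
  metadata: { name: string; namespace: string };
  spec: {
    podSelector: { matchLabels?: Record<string, string> };
    policyTypes: ("Ingress" | "Egress")[];
    ingress?: IngressRule[];
    egress?: EgressRule[];
  };
};

function validPort(p: number): boolean {
  return Number.isInteger(p) && p > 0 && p < 65536;
}

const DNS_LABEL = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/;          // namespace names
const LABEL_VALUE = /^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$/; // label values

// Returns a list of problems; an empty list means the rule may be rendered.
function validateRule(r: Rule): string[] {
  const errs: string[] = [];
  if (!DNS_LABEL.test(r.ns)) errs.push(`bad namespace: ${r.ns}`);
  if (!LABEL_VALUE.test(r.app)) errs.push(`bad app label: ${r.app}`);
  const peers = [...(r.allowFrom ?? []), ...(r.allowTo ?? [])];
  for (const p of peers) {
    if (!LABEL_VALUE.test(p.nsLabel)) errs.push(`bad nsLabel: ${p.nsLabel}`);
    if (!LABEL_VALUE.test(p.appLabel)) errs.push(`bad appLabel: ${p.appLabel}`);
    if (!validPort(p.port)) errs.push(`bad port: ${p.port}`);
  }
  return errs;
}

const base = { apiVersion: "networking.k8s.io/v1" as const, kind: "NetworkPolicy" as const };

function peer(p: Peer): NpPeer {
  return {
    namespaceSelector: { matchLabels: { role: p.nsLabel } },
    podSelector: { matchLabels: { app: p.appLabel } },
  };
}

// Section 1: isolate every pod in the namespace in both directions.
function defaultDeny(ns: string): NetworkPolicy {
  return { ...base, metadata: { name: "default-deny", namespace: ns },
    spec: { podSelector: {}, policyTypes: ["Ingress", "Egress"] } };
}

// Once egress is denied by default, pods cannot resolve Service names unless
// DNS is explicitly allowed (assumed: CoreDNS in kube-system, UDP and TCP 53).
function allowDns(ns: string): NetworkPolicy {
  return { ...base, metadata: { name: "allow-dns", namespace: ns },
    spec: { podSelector: {}, policyTypes: ["Egress"], egress: [{
      to: [{ namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } },
             podSelector: { matchLabels: { "k8s-app": "kube-dns" } } }],
      ports: [{ protocol: "UDP", port: 53 }, { protocol: "TCP", port: 53 }] }] } };
}

// Sections 2 and 3: one ingress and one egress policy per service. Each peer
// gets its own from/to element bound to its own port, so no peer is granted
// another peer's port by accident. policyTypes is always explicit.
function rulePolicies(r: Rule): NetworkPolicy[] {
  const out: NetworkPolicy[] = [];
  const sel = { matchLabels: { app: r.app } };
  const from = r.allowFrom ?? [];
  const to = r.allowTo ?? [];
  if (from.length > 0) {
    out.push({ ...base, metadata: { name: `allow-${r.app}-ingress`, namespace: r.ns },
      spec: { podSelector: sel, policyTypes: ["Ingress"],
        ingress: from.map((p): IngressRule => ({ from: [peer(p)], ports: [{ protocol: "TCP", port: p.port }] })) } });
  }
  if (to.length > 0) {
    out.push({ ...base, metadata: { name: `allow-${r.app}-egress`, namespace: r.ns },
      spec: { podSelector: sel, policyTypes: ["Egress"],
        egress: to.map((p): EgressRule => ({ to: [peer(p)], ports: [{ protocol: "TCP", port: p.port }] })) } });
  }
  return out;
}

// Validate everything first; one bad rule aborts the whole render so a partial
// policy set is never applied.
function render(rules: Rule[]): NetworkPolicy[] {
  const errs: string[] = [];
  for (const r of rules) errs.push(...validateRule(r));
  if (errs.length > 0) throw new Error(errs.join("; "));
  const out: NetworkPolicy[] = [];
  for (const ns of Array.from(new Set(rules.map(r => r.ns)))) out.push(defaultDeny(ns), allowDns(ns));
  for (const r of rules) out.push(...rulePolicies(r));
  return out;
}

// Constructed input mirroring the api service of sections 2 and 3.
const exampleRules: Rule[] = [{
  ns: "prod", app: "api",
  allowFrom: [{ nsLabel: "edge", appLabel: "gateway", port: 8080 }],
  allowTo: [{ nsLabel: "core", appLabel: "db", port: 5432 }],
}];

console.log(render(exampleRules).map(p => `${p.metadata.namespace}/${p.metadata.name}`).join("\n"));
```

Pipe `JSON.stringify(render(rules))` through a YAML serializer (or apply the JSON directly with `kubectl apply -f`, since JSON is valid input) to get the manifests; the point of the validator is that a typo in a port or label fails the build rather than silently producing a policy that selects nothing.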
5. Acceptance checklist

- Every namespace has default `Ingress`/`Egress` isolation enabled; traffic is allowed only by label-and-port whitelist.
- Egress policies are restricted to the named namespace and service port; any egress not declared is denied by default. Cluster DNS is the one egress that must be allowed explicitly, or name resolution fails.
- The CNI in use actually enforces NetworkPolicy (a policy accepted by the API server but ignored by the network plugin gives no protection).
- NetworkPolicy is used alongside, not instead of, the Service Mesh (mTLS/authorization policy); after every change, verify both the expected connectivity and the expected denials one by one.
