---
title: Kubernetes NetworkPolicy (isolation and port allow-lists) best practices
keywords:
- NetworkPolicy
- isolation
- port allow-list
- Namespace
- Label
- Egress
- Ingress
- default deny
- Service Mesh
- acceptance testing
description: Use Kubernetes NetworkPolicy for namespace- and service-level isolation: deny by default and open only by label and port allow-lists, add egress control, and complement it with a service mesh; with YAML examples and verification checkpoints.
categories:
- Articles
- Tutorials
---

## 1. Default isolation policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: prod
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

## 2. Service ingress allow-list (by label and port)

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-from-gateway
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: edge
      podSelector:
        matchLabels:
          app: gateway
    ports:
    - protocol: TCP
      port: 8080
```

## 3. Service egress allow-list (Egress)

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          role: core
      podSelector:
        matchLabels:
          app: db
    ports:
    - protocol: TCP
      port: 5432
```

## 4. Policy generation and validation (sketch)

```ts
// Input model: one entry per workload, with optional ingress (allowFrom)
// and egress (allowTo) allow-lists expressed as namespace label, app label and port.
type Rule = {
  ns: string
  app: string
  allowFrom?: { nsLabel: string; appLabel: string; port: number }[]
  allowTo?: { nsLabel: string; appLabel: string; port: number }[]
}

// A port is accepted only if it is an integer in the range 1..65535.
function validPort(p: number): boolean {
  return Number.isInteger(p) && p > 0 && p < 65536
}
```

## 5. Acceptance checklist

- Namespaces have default `Ingress/Egress` isolation enabled; traffic is allowed only through label and port allow-lists.
- Egress policies are restricted to the named namespaces and service ports; any outbound traffic not declared is denied by default.
- Used alongside a Service Mesh (mTLS/policy) as a complement; after every change, verify both the intended connectivity and the denied paths one by one.
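The sketch in section 4 stops at the input model and a port check. The following is an added example (not the page's own code) that carries it through: it turns a `Rule` into the three policies shown above (default deny, ingress allow-list, egress allow-list), validates the input so a typo never widens a policy, and renders the result as JSON, which is valid YAML and can be piped to `kubectl apply -f -`. The `Rule` and `validPort` definitions are repeated so the block runs on its own; the label keys `role` (namespace) and `app` (pod) and all helper names are assumptions that mirror the page's YAML. Two caveats worth keeping in mind: a `namespaceSelector` and `podSelector` placed in the same `from`/`to` element are ANDed, so the generator emits them that way on purpose (as separate list elements they would be ORed and the rule would become much wider), and once egress is default-denied, pods also lose DNS unless an explicit egress rule to the cluster resolver is added; the page's examples do not include one and neither does this generator.

```typescript
// Added example: NetworkPolicy generation and validation for the Rule model.
// Field names follow networking.k8s.io/v1; helper names are assumptions.

type Peer = { nsLabel: string; appLabel: string; port: number }
type Rule = { ns: string; app: string; allowFrom?: Peer[]; allowTo?: Peer[] }

function validPort(p: number): boolean {
  return Number.isInteger(p) && p > 0 && p < 65536
}

// Minimal typing of the NetworkPolicy fields this generator emits.
type Selector = { matchLabels: Record<string, string> }
type PolicyPeer = { namespaceSelector: Selector; podSelector: Selector }
type PortSpec = { protocol: 'TCP' | 'UDP'; port: number }
type NetworkPolicy = {
  apiVersion: 'networking.k8s.io/v1'
  kind: 'NetworkPolicy'
  metadata: { name: string; namespace: string }
  spec: {
    podSelector: { matchLabels?: Record<string, string> }
    policyTypes: ('Ingress' | 'Egress')[]
    ingress?: { from: PolicyPeer[]; ports: PortSpec[] }[]
    egress?: { to: PolicyPeer[]; ports: PortSpec[] }[]
  }
}

// namespaceSelector AND podSelector in one element: only app=<appLabel> pods
// living in role=<nsLabel> namespaces match (assumed label keys: role, app).
function peer(p: Peer): PolicyPeer {
  return {
    namespaceSelector: { matchLabels: { role: p.nsLabel } },
    podSelector: { matchLabels: { app: p.appLabel } },
  }
}

function tcp(port: number): PortSpec {
  return { protocol: 'TCP', port }
}

// Empty podSelector selects every pod in the namespace; listing both policy
// types with no rules denies all ingress and egress (page section 1).
function defaultDeny(ns: string): NetworkPolicy {
  return {
    apiVersion: 'networking.k8s.io/v1',
    kind: 'NetworkPolicy',
    metadata: { name: 'default-deny', namespace: ns },
    spec: { podSelector: {}, policyTypes: ['Ingress', 'Egress'] },
  }
}

// Reject bad ports and empty labels: an empty matchLabels would match every
// pod/namespace, silently turning an allow-list into allow-all.
function validateRule(r: Rule): void {
  for (const p of [...(r.allowFrom ?? []), ...(r.allowTo ?? [])]) {
    if (!validPort(p.port)) throw new Error(`${r.app}: invalid port ${p.port}`)
    if (!p.nsLabel || !p.appLabel) throw new Error(`${r.app}: empty selector`)
  }
}

// Returns [default-deny, ingress allow-list?, egress allow-list?] for one workload.
function buildPolicies(r: Rule): NetworkPolicy[] {
  validateRule(r)
  const out: NetworkPolicy[] = [defaultDeny(r.ns)]
  const self = { matchLabels: { app: r.app } }
  const from = r.allowFrom ?? []
  const to = r.allowTo ?? []
  if (from.length > 0) {
    out.push({
      apiVersion: 'networking.k8s.io/v1', kind: 'NetworkPolicy',
      metadata: { name: `allow-${r.app}-ingress`, namespace: r.ns },
      spec: {
        podSelector: self, policyTypes: ['Ingress'],
        ingress: from.map(p => ({ from: [peer(p)], ports: [tcp(p.port)] })),
      },
    })
  }
  if (to.length > 0) {
    out.push({
      apiVersion: 'networking.k8s.io/v1', kind: 'NetworkPolicy',
      metadata: { name: `allow-${r.app}-egress`, namespace: r.ns },
      spec: {
        podSelector: self, policyTypes: ['Egress'],
        egress: to.map(p => ({ to: [peer(p)], ports: [tcp(p.port)] })),
      },
    })
  }
  return out
}

// JSON is a subset of YAML, so a '---'-separated stream of JSON documents
// can be applied directly with `kubectl apply -f -`.
function render(policies: NetworkPolicy[]): string {
  return policies.map(p => JSON.stringify(p, null, 2)).join('\n---\n')
}

// Constructed sample mirroring the page's gateway -> api -> db layout.
const apiRule: Rule = {
  ns: 'prod', app: 'api',
  allowFrom: [{ nsLabel: 'edge', appLabel: 'gateway', port: 8080 }],
  allowTo: [{ nsLabel: 'core', appLabel: 'db', port: 5432 }],
}
console.log(render(buildPolicies(apiRule)))
```

Running it prints three policy documents equivalent to the YAML in sections 1 to 3. The validation step is the part worth keeping in any real generator: the failure mode of NetworkPolicy is almost never "too strict" but "a selector matched more than intended", and a missing label is the usual way that happens.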
