網絡政策需要依賴cni 網絡插件,calico 通過自定義k8s 資源支援網絡政策
配置檔案
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name:
namespace:
labels:
annotations:
spec:
下面較長的描述
NetworkPolicy.spec
podSelector 指定了該網絡政策作用的Pod範圍
- 作用于
名稱空間的所有podNetworkPolicy.metadata.namespace
spec:
podSelector: {}
- 作用于指定标簽的pod
spec:
podSelector:
matchLabels:
app: db
spec:
podSelector:
matchExpressions:
- key: app
operator: In
values:
- db
policyTypes 指定流入流出的網絡政策
- 如果不指定則使用預設的政策,預設Ingress和Egress 都是通過
spec:
policyTypes: []
- 禁止所有的流出政策,不定義
spec.egress
spec:
policyTypes:
- Egress
- 禁止所有的流入政策,不定義
spec.ingress
spec:
policyTypes:
- Ingress
- 允許所有的流出政策
spec:
policyTypes:
- Egress
egress: {}
- 允許所有的流入政策
spec:
policyTypes:
- Ingress
ingress: {}
ingress 控制
流入
的具體政策
spec:
ingress:
- from:
- ipBlock:
cidr: "10.4.7.1/24"
expect:
- "10.4.7.50/32"
- "192.168.123.1/24"
- namespaceSelector:
matchLabels: {}
matchExpressions: {}
- podSelector:
matchLabels: {}
matchExpressions: {}
- ports:
- protocol: TCP
port: 8000
egress 控制
流出
的具體政策
spec:
ingress:
- to:
- ipBlock:
cidr: "10.4.7.1/24"
expect:
- "10.4.7.50/32"
- "192.168.123.1/24"
- namespaceSelector:
matchLabels: {}
matchExpressions: {}
- podSelector:
matchLabels: {}
matchExpressions: {}
- ports:
- protocol: TCP
port: 8000
測試檔案
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: test
spec:
selector:
matchLabels:
app: web
template:
metadata:
labels:
app: web
spec:
containers:
- name: web
image: python
command: ["python","-m","http.server"]
---
apiVersion: v1
metadata: v1
kind: Service
metadata:
name: myapp
spec:
selector:
app: web
ports:
- port: 8000
targetPort: 8000