网络策略需要依赖cni 网络插件,calico 通过自定义k8s 资源支持网络策略
配置文件
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name:
namespace:
labels:
annotations:
spec:
下面详细描述NetworkPolicy.spec
podSelector 指定了该网络策略作用的Pod范围
- 作用于
NetworkPolicy.metadata.namespace名称空间的所有pod
spec:
podSelector: {}
- 作用于指定标签的pod
spec:
podSelector:
matchLabels:
app: db
spec:
podSelector:
matchExpressions:
- key: app
operator: In
values:
- db
policyTypes 指定流入流出的网络策略
- 如果不指定则使用默认的策略,默认Ingress和Egress 都是通过
spec:
policyTypes: []
- 禁止所有的流出策略,不定义
spec.egress
spec:
policyTypes:
- Egress
- 禁止所有的流入策略,不定义
spec.ingress
spec:
policyTypes:
- Ingress
- 允许所有的流出策略
spec:
policyTypes:
- Egress
egress: {}
- 允许所有的流入策略
spec:
policyTypes:
- Ingress
ingress: {}
ingress 控制流入的具体策略
spec:
ingress:
- from:
- ipBlock:
cidr: "10.4.7.1/24"
expect:
- "10.4.7.50/32"
- "192.168.123.1/24"
- namespaceSelector:
matchLabels: {}
matchExpressions: {}
- podSelector:
matchLabels: {}
matchExpressions: {}
- ports:
- protocol: TCP
port: 8000
egress 控制流出的具体策略
spec:
ingress:
- to:
- ipBlock:
cidr: "10.4.7.1/24"
expect:
- "10.4.7.50/32"
- "192.168.123.1/24"
- namespaceSelector:
matchLabels: {}
matchExpressions: {}
- podSelector:
matchLabels: {}
matchExpressions: {}
- ports:
- protocol: TCP
port: 8000
测试文件
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: test
spec:
selector:
matchLabels:
app: web
template:
metadata:
labels:
app: web
spec:
containers:
- name: web
image: python
command: ["python","-m","http.server"]
---
apiVersion: v1
metadata: v1
kind: Service
metadata:
name: myapp
spec:
selector:
app: web
ports:
- port: 8000
targetPort: 8000