# Kubernetes Network Policies
## What Is a Network Policy

A network policy controls the network traffic between Pods, providing security isolation at the network level.
### Basic Concepts

- Ingress: inbound traffic
- Egress: outbound traffic
- Pod selector: the target Pods
- Namespace selector: the target namespaces
- CIDR: an IP address range
## Creating Network Policies

### Restricting Inbound Traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Ingress
  ingress:
  - from:
    # podSelector without a namespaceSelector only matches Pods in the same namespace
    - podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 8080
```
### Restricting Outbound Traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  # an empty "to" list matches every destination, so only the port restriction applies
  - to: []
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```
### Denying All Traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```
## Advanced Scenarios

### Namespace-Based Policies

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # matches Pods in any namespace that carries the label name=frontend
    - namespaceSelector:
        matchLabels:
          name: frontend
```
### IP-Range-Based Policies

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/8
        except:
        - 10.0.1.0/24
```
## In Practice: Microservice Network Isolation

```yaml
# 1. Label the namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    name: production
---
# 2. Deny all traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 3. Allow DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - ports:
    - protocol: UDP
      port: 53
---
# 4. API accepts traffic from Web
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 8080
---
# 5. Database accepts traffic only from API
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 3306
```
## Verifying Network Policies

```bash
# List the network policies
kubectl get networkpolicy -n production

# Test connectivity
kubectl exec -it pod-web -- curl api:8080
kubectl exec -it pod-web -- curl database:3306 # should fail
```
## Notes

- Network policies require a CNI plugin that supports them (such as Calico or Cilium)
- An empty podSelector selects all Pods in the namespace
- Network policies are additive: they do not override other policies, and traffic is allowed if any policy permits it
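To make the rules from the practice section and the notes above concrete, here is an added example (not code from the original page) that evaluates NetworkPolicy ingress semantics offline: pods with no selecting policy are non-isolated, an empty podSelector matches every pod, a podSelector peer without a namespaceSelector means "same namespace", and policies are additive. The manifests are constructed to mirror steps 2, 4 and 5 above; only matchLabels selectors are modelled (ipBlock and matchExpressions are out of scope).

```python
# Constructed evaluator for NetworkPolicy ingress rules (matchLabels only; no ipBlock).
def _matches(selector, labels):
    # An empty selector ({} or no matchLabels) matches everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_matches(peer, src, dst_ns):
    if "podSelector" not in peer and "namespaceSelector" not in peer:
        return False  # ipBlock peers are not modelled in this example
    if "namespaceSelector" in peer:
        ns_ok = _matches(peer["namespaceSelector"], src["ns_labels"])
    else:
        ns_ok = src["namespace"] == dst_ns  # podSelector alone means "same namespace"
    pod_ok = _matches(peer["podSelector"], src["labels"]) if "podSelector" in peer else True
    return ns_ok and pod_ok

def _port_matches(rule, port, proto):
    ports = rule.get("ports") or []  # missing or empty ports list means all ports
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") in (None, port)
                            for p in ports)

def ingress_allowed(policies, src, dst, port, proto="TCP"):
    """True if src may open a connection to dst on port/proto under the given policies."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and _matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True  # no policy selects this pod, so it is not isolated for ingress
    # Policies are additive: one permitting rule in any selecting policy is enough.
    return any(_port_matches(r, port, proto)
               and (not r.get("from") or any(_peer_matches(pe, src, dst["namespace"])
                                             for pe in r["from"]))
               for p in selecting for r in p["spec"].get("ingress", []))

def _policy(name, pod_labels, from_app=None, port=None):
    """Constructed policy shaped like steps 2 (deny-all), 4 (api) and 5 (database) above."""
    spec = {"podSelector": {"matchLabels": pod_labels} if pod_labels else {},
            "policyTypes": ["Ingress"] if from_app else ["Ingress", "Egress"]}
    if from_app:
        spec["ingress"] = [{"from": [{"podSelector": {"matchLabels": {"app": from_app}}}],
                            "ports": [{"protocol": "TCP", "port": port}]}]
    return {"metadata": {"name": name, "namespace": "production"}, "spec": spec}

POLICIES = [_policy("default-deny-all", {}),
            _policy("api-policy", {"app": "api"}, "web", 8080),
            _policy("db-policy", {"app": "database"}, "api", 3306)]

def _pod(app, ns="production"):  # constructed pod records: namespace, pod labels, namespace labels
    return {"namespace": ns, "labels": {"app": app}, "ns_labels": {"name": ns}}

WEB, API, DB, STAGING_WEB = _pod("web"), _pod("api"), _pod("database"), _pod("web", "staging")
```

With `POLICIES` applied, `ingress_allowed(POLICIES, WEB, API, 8080)` is true while `ingress_allowed(POLICIES, WEB, DB, 3306)` is false, matching the curl checks in the verification section; with an empty policy list the database call is allowed because the pod is not isolated.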
## Summary

Network policies are an important part of Kubernetes security. With properly configured network policies, you can achieve Pod-level network isolation and access control.