A NetworkPolicy restricts a pod's ingress and egress traffic.
spec
podSelector
The podSelector selects which pods the policy applies to.
An empty podSelector selects all pods in the namespace.
policyTypes
Every NetworkPolicy contains a policyTypes list, which holds Ingress, Egress, or both.
If policyTypes is not specified, the default is Ingress.
ingress:
Each NetworkPolicy can contain an ingress whitelist.
Each rule allows only traffic that matches both its from section and its ports section.
egress:
Each NetworkPolicy likewise has an egress whitelist,
and each rule allows only traffic that matches both its to section and its ports section.
Restricting traffic to the ICMP protocol only (Calico GlobalNetworkPolicy):
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-ping-in-cluster
spec:
  selector: all()
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: ICMP
    source:
      selector: all()
    icmp:
      type: 8 # Ping request
  - action: Allow
    protocol: ICMPv6
    source:
      selector: all()
    icmp:
      type: 128 # ICMPv6 echo request
# Kubernetes NetworkPolicy: podSelector, policyTypes, from and to are
# NetworkPolicy fields, not Calico GlobalNetworkPolicy fields
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tst
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.0.0/16
        except:
        - 192.168.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.0.0/16
    ports:
    - protocol: TCP
      port: 5978
Default deny all ingress:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test
spec:
  podSelector: {} # all pods in the namespace
  policyTypes:
  - Ingress
Default allow all ingress:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test
spec:
  podSelector: {} # all pods in the namespace
  ingress: # a single empty rule matches everything, so all ingress is allowed
  - {}
  policyTypes:
  - Ingress
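To make the whitelist semantics above concrete (a pod selected by no Ingress policy accepts everything; once selected, only traffic matched by some rule's from and ports sections gets through, and an empty rule `- {}` matches all), here is an added Python evaluator that is not part of the original notes and not a Kubernetes or Calico component. It models only matchLabels selectors, the ipBlock/namespaceSelector/podSelector peer kinds and a policy namespace defaulting to "default"; DB_POLICY is a constructed mirror of the role=db manifest above.

```python
import ipaddress

def _labels_match(selector, labels):
    # matchLabels-only selector; an empty or missing selector matches everything
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())

def _peer_matches(peer, src, pol_ns):
    # One entry of a rule's 'from' list. src = {"ip", "namespace", "labels", "ns_labels"}
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if "namespaceSelector" in peer:
        if not _labels_match(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["namespace"] != pol_ns:  # podSelector alone: policy's own namespace only
        return False
    return _labels_match(peer.get("podSelector"), src["labels"])

def _rule_matches(rule, src, pol_ns, port, proto):
    # A rule matches only when BOTH its from list and its ports list match;
    # an absent or empty list matches everything, so a bare `- {}` allows all.
    froms, ports = rule.get("from") or [], rule.get("ports") or []
    from_ok = not froms or any(_peer_matches(p, src, pol_ns) for p in froms)
    port_ok = not ports or any(
        p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)
    return from_ok and port_ok

def ingress_allowed(policies, dst, src, port, proto="TCP"):
    # dst = {"namespace", "labels"}. A pod selected by no Ingress policy accepts
    # everything; once selected, only traffic matched by some rule gets through.
    selected = False
    for pol in policies:
        spec, pol_ns = pol["spec"], pol["metadata"].get("namespace", "default")
        if pol_ns != dst["namespace"] or not _labels_match(spec.get("podSelector"), dst["labels"]):
            continue
        if "Ingress" not in (spec.get("policyTypes") or ["Ingress"]):
            continue
        selected = True
        if any(_rule_matches(r, src, pol_ns, port, proto) for r in spec.get("ingress") or []):
            return True
    return not selected

# Constructed policy mirroring the role=db manifest above (namespace "default")
DB_POLICY = {"metadata": {"name": "tst"}, "spec": {
    "podSelector": {"matchLabels": {"role": "db"}}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [
        {"ipBlock": {"cidr": "192.168.0.0/16", "except": ["192.168.1.0/24"]}},
        {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}}],
        "ports": [{"protocol": "TCP", "port": 6379}]}]}}
```

Adding the default-deny policy dict to the list makes every pod in the namespace selected, so a pod with no matching rule in any policy is then denied; the default-allow policy re-opens it through its empty rule.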
Calico's own NetworkPolicy also offers richer functionality.