3.4.13. NetworkPolicy.yaml
Enabling network isolation in a namespace
Default deny: an empty podSelector selects every pod in the namespace, and because the policy lists no ingress rules, none of the selected pods accept incoming connections (they become "isolated" for ingress).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}   # Empty selector: the policy applies to all pods in the namespace
  policyTypes:
  - Ingress         # Ingress is the default type; with no ingress rules, all inbound traffic is denied
Allowing only some pods in the namespace to connect to a server pod
A podSelector in the from section specifies which labelled pods may connect: this NetworkPolicy allows pods with the app=webserver label to connect to pods with the app=database label, and only on port 5432.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: postgres-netpolicy
spec:
  podSelector:
    matchLabels:            # This policy secures access to pods with the app=database label
      app: database
  ingress:
  - from:
    - podSelector:          # Incoming connections are allowed only from pods with the app=webserver label
        matchLabels:        # (a bare podSelector only matches pods in the policy's own namespace)
          app: webserver
    ports:
    - port: 5432            # Connections to this port are allowed; all other ports stay blocked
Isolating the network between Kubernetes namespaces
A namespaceSelector in the from section specifies which labelled namespaces may connect: this NetworkPolicy ensures that only pods running in namespaces labelled tenant: manning can access the Shopping Cart microservice.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: shoppingcart-netpolicy
spec:
  podSelector:
    matchLabels:            # This policy applies to pods labelled app=shopping-cart
      app: shopping-cart
  ingress:
  - from:
    - namespaceSelector:    # Only pods running in namespaces labelled tenant=manning
        matchLabels:        # are allowed to access the microservice (from any pod in those namespaces)
          tenant: manning
    ports:
    - port: 80
Isolating using CIDR notation
To allow the shopping-cart pods to be accessible only from IPs in the 192.168.1.1 to .255 range, replace the from section of the ingress rule with an ipBlock:
ingress:
- from:
  - ipBlock:
      cidr: 192.168.1.0/24  # Only sources in the 192.168.1.x range may connect
Limiting the outbound traffic of a set of pods
An egress rule allows pods that have the app=webserver label to access only pods that have the app=database label:
spec:
  podSelector:
    matchLabels:
      app: webserver        # The policy applies to the webserver pods
  egress:                   # Listing egress rules adds Egress to the policy's policyTypes
  - to:
    - podSelector:
        matchLabels:
          app: database     # Outbound connections are allowed only to database pods
Once a pod is selected by an egress policy, every other outbound connection is blocked, including DNS lookups to the cluster DNS service, unless a further egress rule explicitly allows it.
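The ingress policies above (default deny, podSelector, namespaceSelector and ipBlock peers) all follow the same evaluation rule: a pod is isolated once any policy selects it, and an isolated pod accepts a connection only if some rule's from peer and ports both match. The following is an added example, not code from the page: a small Python model of that rule, run over constructed pods and namespace labels that mirror the default-deny and postgres-netpolicy manifests (egress and the except field of ipBlock are not modelled).

```python
import ipaddress

def selector_matches(selector, labels):
    # An empty selector ({} or absent) matches every object.
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_matches(peer, src, policy_ns, ns_labels):
    # One entry under "from". Keys inside a single entry are ANDed.
    if "ipBlock" in peer:
        return ipaddress.ip_address(src["ip"]) in ipaddress.ip_network(peer["ipBlock"]["cidr"])
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], ns_labels.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False  # a bare podSelector only reaches pods in the policy's own namespace
    return selector_matches(peer.get("podSelector"), src["labels"]) if "podSelector" in peer else True

def ingress_allowed(policies, ns_labels, src, dst, port):
    """Return True if pod dst may accept a connection from pod src on the given port."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"].get("podSelector"), dst["labels"])]
    if not selecting:
        return True  # no policy selects dst: it is non-isolated and accepts everything
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers, ports = rule.get("from"), rule.get("ports")
            if (peers is None or any(peer_matches(x, src, p["namespace"], ns_labels) for x in peers)) \
               and (ports is None or any(pp.get("port") == port for pp in ports)):
                return True
    return False  # isolated, and no rule in any selecting policy matched

# Constructed sample data mirroring the page's default-deny and postgres-netpolicy manifests.
POLICIES = [
    {"namespace": "prod", "spec": {"podSelector": {}}},
    {"namespace": "prod", "spec": {
        "podSelector": {"matchLabels": {"app": "database"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "webserver"}}}],
                     "ports": [{"port": 5432}]}]}},
]
NS_LABELS = {"prod": {"tenant": "manning"}, "staging": {}}
WEB = {"namespace": "prod", "labels": {"app": "webserver"}, "ip": "10.0.0.5"}
DB = {"namespace": "prod", "labels": {"app": "database"}, "ip": "10.0.0.9"}
OTHER = {"namespace": "staging", "labels": {"app": "webserver"}, "ip": "10.0.1.7"}
```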