Overview
Worked examples of NetworkPolicy rules. NetworkPolicy objects are only enforced by a network plugin (CNI) that implements them, such as Calico or Cilium; on a cluster whose plugin does not, the API server accepts the objects but they have no effect, so verify the plugin before relying on any of the policies below.
Deny specific external IPs
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-external-ip
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0      # every source address ...
        except:              # ... minus these two hosts
        - 192.168.2.31/32
        - 192.168.2.51/32
```
Parameter notes:
cidr: 0.0.0.0/0 admits ingress from every source address, and except removes 192.168.2.31 and 192.168.2.51 from that range, so those two hosts are denied and everything else is allowed.
ipBlock does not accept a bare IP address; a single host is written as a /32 CIDR (/128 for IPv6). Every entry under except must lie inside cidr, otherwise the API server rejects the policy.
Two caveats. Because 0.0.0.0/0 also covers pod and node addresses, this policy admits all in-cluster traffic to the nginx pods as well, not only external traffic. And ipBlock matches the source address the network plugin sees: traffic that reaches the pod through a NodePort or LoadBalancer may have been SNATed to a node IP, in which case the except entries never match and the two hosts are not blocked.
Deny all ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}        # empty selector: every pod in the namespace the policy is created in
  policyTypes:
  - Ingress              # Ingress listed with no ingress rules: nothing is allowed in
```
Allow all ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
spec:
  podSelector: {}
  ingress:
  - {}                   # a single empty rule matches every source
  policyTypes:
  - Ingress
```
Deny all egress
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress               # Egress listed with no egress rules: nothing is allowed out,
                         # including DNS; pods cannot resolve names until another
                         # policy allows egress to the cluster DNS
```
Allow all egress
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
spec:
  podSelector: {}
  egress:
  - {}                   # a single empty rule matches every destination
  policyTypes:
  - Egress
```
Deny all ingress and all egress by default
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```
Policy with a port range
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: multi-port-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 32000
      endPort: 32768     # inclusive upper bound of the range
```
This is an egress policy: it allows pods labeled role=db to open TCP connections to addresses in 10.0.0.0/24 on any port from 32000 to 32768, not the other way round. It says nothing about ingress, so traffic into the db pods is unaffected.
endPort requires Kubernetes 1.22 or later (the NetworkPolicyEndPort feature gate, enabled by default from 1.22 and GA in 1.25). It must be greater than or equal to port, and port must be a number rather than a named port when endPort is set. On older clusters the only option is to list each port individually.
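The deny-all-egress policy above breaks DNS, and the port-range policy on its own leaves the db pods open in every other direction. The following set, added here as an editor's example and not part of the original post, combines the two into a complete lockdown for the role=db pods: deny both directions, re-allow DNS, keep the port-range egress, and admit ingress only from an app tier. It assumes a CNI that enforces NetworkPolicy and a cluster DNS deployment in kube-system carrying the k8s-app=kube-dns label (used by CoreDNS and kube-dns); the app=api label and port 5432 are assumptions for illustration. Policies are additive: the deny policy contributes no rules, and each allow policy adds an exception to it.

```yaml
# 1. Lock down the db pods in both directions. With no ingress or egress
#    rules listed, nothing is allowed until another policy adds it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-deny-all
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
---
# 2. Re-allow DNS to the cluster resolver; without this the db pods cannot
#    resolve any name. kubernetes.io/metadata.name is set on every namespace
#    automatically from Kubernetes 1.21 onward.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-dns
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns     # assumed label of the cluster DNS pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# 3. The port-range egress from the post, unchanged: TCP 32000-32768
#    towards 10.0.0.0/24.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: multi-port-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 32000
      endPort: 32768
---
# 4. Ingress only from the app tier in the same namespace, on the db port.
#    app=api and port 5432 are assumptions for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-app-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 5432
```

Apply the file with kubectl apply -f and review the result with kubectl describe networkpolicy -n default; the describe output lists, per policy, which pods are selected and which peers and ports each rule admits. Note that in rule 2 the namespaceSelector and podSelector sit in the same list entry, so both must match (DNS pods in kube-system); splitting them into two entries would instead allow every pod in kube-system plus every pod labeled k8s-app=kube-dns in the policy's own namespace.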