网络策略(NetworkPolicy)是 Kubernetes 中用于定义和控制 Pod 之间网络流量的机制。它允许管理员精细地控制哪些 Pod 可以相互通信、允许哪些端口和协议进行通信,从而增强集群内部的网络安全性。
默认情况下,Kubernetes 集群中的所有 Pod 是非隔离的,它们可以自由地与任何其他 Pod 通信(无论是否在同一命名空间)。而通过应用网络策略,你可以对 Pod 的网络访问进行精细化控制,类似于传统网络中的防火墙规则。需要注意的是,NetworkPolicy 对象本身只是一份声明,真正的执行依赖集群所用的网络插件(CNI):如果 CNI 不支持或未启用策略执行,策略会被 API Server 正常接受(`kubectl describe` 看起来一切正常),但不会产生任何实际限制。因此在依赖策略做隔离之前,务必像下文那样用真实的连通性测试来验证。另外,由于默认是全部放通,常见的安全基线是先为每个命名空间下发一条默认拒绝(default-deny)策略,再按需放行。
1. Pod 选择器(Pod Selector)
用于指定哪些 Pod 会受到该网络策略的影响。可以基于标签(labels)来选择目标 Pod。
2. 命名空间(Namespace)
网络策略是命名空间级别的资源,即一个网络策略只对它所在的命名空间内的 Pod 生效(但其规则中可以通过 namespaceSelector 引用其他命名空间中的 Pod 作为来源或目标)。
3. 流量方向
网络策略可以控制入站(Ingress) 和/或 出站(Egress) 流量。
- Ingress:控制哪些流量可以进入该策略所选择的 Pod。
- Egress:控制哪些流量可以从该策略所选择的 Pod 发出。
4. 规则(Rules)
定义允许哪些流量(NetworkPolicy 只有"允许"规则,没有"拒绝"规则:一旦 Pod 被某条策略选中,在该策略声明的方向上,凡是未被任何规则明确放行的流量都会被拒绝),包括:
- 来源(来源 Pod、IP 段等)
- 目标端口和协议(TCP、UDP 等)
0.2 二、网络策略的组成结构
一个典型的 NetworkPolicy 资源定义包括以下关键字段:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  # Pods the policy applies to: role=db in `default`. An empty selector ({})
  # would select every pod in this namespace. A policy never restricts pods
  # outside its own namespace.
  podSelector:
    matchLabels:
      role: db
  # Directions the policy governs. Ingress is always implied; Egress is implied
  # only if egress rules exist. A selected pod becomes default-deny in each
  # listed direction; the rules below are allow-only (there is no deny rule).
  policyTypes:
    - Ingress
    - Egress
  # Allowed inbound traffic.
  ingress:
    - from:
        # Three separate list items => OR: any ONE of these sources may
        # connect to the selected pods on TCP/6379.
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
        # Every pod in any namespace labelled project=myproject.
        - namespaceSelector:
            matchLabels:
              project: myproject
        # role=frontend pods in THIS namespace only (no namespaceSelector in
        # the same item). To express "frontend pods of project=myproject"
        # (AND), both selectors must sit in one item without a second dash.
        - podSelector:
            matchLabels:
              role: frontend
      # Destination port/protocol on the selected pods.
      ports:
        - protocol: TCP
          port: 6379
  # Allowed outbound traffic.
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978
ipBlock:允许来自特定 IP 段的流量(主要面向集群外部地址;Pod IP 会随 Pod 重建而变化,用它匹配 Pod 网段并不可靠,而且不同 CNI 对 Pod 网段 ipBlock 的处理也可能不一致)
namespaceSelector:允许来自特定命名空间(按命名空间上的标签匹配,而非命名空间名称)中所有 Pod 的流量
podSelector:允许来自特定 Pod 的流量(未与 namespaceSelector 组合时,只匹配策略所在命名空间内的 Pod)
注意 from/to 列表的语义:每个以 `-` 开头的条目之间是"或"的关系。上面示例把 namespaceSelector 和 podSelector 写在不同条目里,意思是"project=myproject 命名空间中的任意 Pod"或"本命名空间中 role=frontend 的 Pod"均可访问。若要表达"某命名空间中的某些 Pod"(与),必须把两个选择器写在同一个条目下(第二个选择器前不加 `-`)。多写一个 `-` 会悄然把"与"变成"或",扩大放行范围,这是审查网络策略时最常见的错误之一。
0.3 案例测试
1.编写资源清单
[root@master231 networkpolciy]# cat > 01-deploy-ns-xiuxian.yaml <<EOF
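apiVersion: v1
kind: Namespace
metadata:
  # A single Namespace object carrying both labels. The original manifest
  # declared `cmy` twice (first with class: linux97, then with school: cmy);
  # `kubectl apply` treats the second document as the desired state, so the
  # first label set was dropped (later `kubectl get ns --show-labels` shows
  # only school=cmy). The policies below select on school=cmy, so merging
  # the two documents does not change any test result.
  labels:
    class: linux97
    school: cmy
  name: cmy
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: xiuxian-v1
  namespace: cmy
spec:
  replicas: 1
  selector:
    matchLabels:
      apps: v1
  template:
    metadata:
      labels:
        apps: v1
    spec:
      # nodeName pins the pod to a node and bypasses the scheduler entirely;
      # it is used here only so the three test pods land on three different
      # nodes and the cross-node path is exercised.
      nodeName: worker232
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/cmy-k8s/apps:v1
          name: c1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: xiuxian-v2
  namespace: cmy
spec:
  replicas: 1
  selector:
    matchLabels:
      apps: v2
  template:
    metadata:
      labels:
        apps: v2
    spec:
      # Pinned to the second worker (see note on xiuxian-v1).
      nodeName: worker233
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/cmy-k8s/apps:v2
          name: c1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: xiuxian-v3
  # Deliberately no namespace: this Deployment lands in `default`, which gives
  # the namespaceSelector/podSelector policies below a cross-namespace client.
spec:
  replicas: 1
  selector:
    matchLabels:
      apps: v3
  template:
    metadata:
      labels:
        apps: v3
    spec:
      # NOTE(review): pinned to the control-plane node. Because nodeName skips
      # the scheduler, a NoSchedule taint on master231 would not keep this
      # workload off it; acceptable for a lab, not something to copy into
      # production manifests.
      nodeName: master231
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/cmy-k8s/apps:v3
          name: c1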
EOF
2.创建资源
kubectl apply -f 01-deploy-ns-xiuxian.yaml
namespace/cmy created
namespace/cmy created
deployment.apps/xiuxian-v1 created
deployment.apps/xiuxian-v2 created
deployment.apps/xiuxian-v3 created
kubectl get pods -l apps -o wide -A
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
default xiuxian-v3-fbbcf9474-l29p2 1/1 Running 0 13s 10.100.160.130 master231 <none> <none>
cmy xiuxian-v2-768f95c4d8-zss9d 1/1 Running 0 13s 10.100.140.119 worker233 <none> <none>
cmy xiuxian-v1-6545d56f7c-mxrwg 1/1 Running 0 13s 10.100.203.143 worker232 <none> <none>
3.测试连通性,默认情况下都是可以正常访问的(包括跨命名空间:default 中的 v3 与 cmy 中的 v1/v2 互相都能访问),这说明此时没有任何策略选中这些 Pod。后面的测试都直接使用 Pod IP 而非 Service 或域名,因此下文 egress 规则中没有放行 DNS 也不会影响结果。
kubectl get pods -l apps -o wide -A
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
default xiuxian-v3-fbbcf9474-l29p2 1/1 Running 0 3m19s 10.100.160.130 master231 <none> <none>
cmy xiuxian-v2-768f95c4d8-zss9d 1/1 Running 0 3m19s 10.100.140.119 worker233 <none> <none>
cmy xiuxian-v1-6545d56f7c-mxrwg 1/1 Running 0 3m19s 10.100.203.143 worker232 <none> <none>
kubectl -n default exec xiuxian-v3-fbbcf9474-l29p2 -- curl -s 10.100.140.119
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v2</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: red">凡人修仙传 v2 </h1>
<div>
<img src="2.jpg">
<div>
</body>
</html>
kubectl -n default exec xiuxian-v3-fbbcf9474-l29p2 -- curl -s 10.100.203.143
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
kubectl -n cmy exec xiuxian-v2-768f95c4d8-zss9d -- curl -s 10.100.160.130
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v3</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: pink">凡人修仙传 v3 </h1>
<div>
<img src="3.jpg">
<div>
</body>
</html>
kubectl -n cmy exec xiuxian-v2-768f95c4d8-zss9d -- curl -s 10.100.203.143
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
kubectl -n cmy exec -it xiuxian-v1-6545d56f7c-mxrwg -- curl -s 10.100.160.130
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v3</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: pink">凡人修仙传 v3 </h1>
<div>
<img src="3.jpg">
<div>
</body>
</html>
kubectl -n cmy exec -it xiuxian-v1-6545d56f7c-mxrwg -- curl -s 10.100.140.119
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v2</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: red">凡人修仙传 v2 </h1>
<div>
<img src="2.jpg">
<div>
</body>
</html>
- 基于ipBlock定义网络访问策略(注意:下面的策略和测试都直接写死 Pod IP/网段,Pod 重建后 IP 会变化,策略中的网段也要随之调整;生产环境中 ipBlock 更适合匹配集群外部地址,Pod 之间的访问控制应优先使用 podSelector/namespaceSelector)
1.编写资源清单
[root@master231 networkpolciy]# cat > 02-networkPolicy-ipBlock.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-ipblock
  namespace: cmy
spec:
  # Pods this policy applies to (xiuxian-v1). An empty selector ({}) would
  # select every pod in this namespace, never pods in other namespaces.
  podSelector:
    matchLabels:
      apps: v1
  # Directions the policy governs. Ingress is always implied; Egress is implied
  # only when egress rules are present. Both are listed explicitly, so the
  # selected pods are default-deny in both directions and only the rules
  # below are allowed (NetworkPolicy has no deny rules).
  policyTypes:
    - Ingress
    - Egress
  # Who may reach the selected pods.
  ingress:
    - from:
        # The whole pod range, minus the /24 that holds xiuxian-v2
        # (10.100.140.119): v2 -> v1 is refused, while v3 in `default`
        # (10.100.160.130) still gets through. `except` entries must lie
        # inside `cidr`.
        # NOTE(review): ipBlock is meant for cluster-external addresses; pod
        # IPs are ephemeral and some CNIs treat pod-CIDR ipBlocks
        # differently, so this is a demo pattern, not a production one.
        - ipBlock:
            cidr: 10.100.0.0/16
            except:
              - 10.100.140.0/24
      # Destination port/protocol on the selected pods.
      ports:
        - protocol: TCP
          port: 80
  # Where the selected pods may connect to.
  egress:
    - to:
        # Only the /24 holding xiuxian-v2. (An earlier revision pointed at
        # 10.100.160.0/24, i.e. xiuxian-v3's range.)
        - ipBlock:
            cidr: 10.100.140.0/24
      # Only TCP/80 is allowed out. Nothing permits DNS (port 53 to kube-dns),
      # so a workload that resolves names would need an extra egress entry;
      # the tests below use raw IPs and are unaffected.
      ports:
        - protocol: TCP
          port: 80
EOF
2.应用资源
kubectl apply -f 02-networkPolicy-ipBlock.yaml
networkpolicy.networking.k8s.io/network-policy-ipblock created
kubectl describe -f 02-networkPolicy-ipBlock.yaml
Name: network-policy-ipblock
Namespace: cmy
Created on: 2025-06-13 09:02:37 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: apps=v1
Allowing ingress traffic:
To Port: 80/TCP
From:
IPBlock:
CIDR: 10.100.0.0/16
Except: 10.100.140.0/24
Allowing egress traffic:
To Port: 80/TCP
To:
IPBlock:
CIDR: 10.100.140.0/24
Except:
Policy Types: Ingress, Egress
3.测试验证
kubectl get pods -A -l apps -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
default xiuxian-v3-fbbcf9474-l29p2 1/1 Running 0 14m 10.100.160.130 master231 <none> <none>
cmy xiuxian-v2-768f95c4d8-zss9d 1/1 Running 0 14m 10.100.140.119 worker233 <none> <none>
cmy xiuxian-v1-6545d56f7c-mxrwg 1/1 Running 0 14m 10.100.203.143 worker232 <none> <none>
kubectl -n cmy exec xiuxian-v2-768f95c4d8-zss9d -- curl --connect-timeout 1 -s 10.100.203.143
command terminated with exit code 28
kubectl -n default exec xiuxian-v3-fbbcf9474-l29p2 -- curl --connect-timeout 1 -s 10.100.203.143
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
kubectl -n cmy exec xiuxian-v1-6545d56f7c-mxrwg -- curl --connect-timeout 1 -s 10.100.140.119
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v2</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: red">凡人修仙传 v2 </h1>
<div>
<img src="2.jpg">
<div>
</body>
</html>
kubectl -n cmy exec xiuxian-v1-6545d56f7c-mxrwg -- curl --connect-timeout 1 -s 10.100.160.130
command terminated with exit code 28
kubectl delete -f 02-networkPolicy-ipBlock.yaml # 删除策略后,立刻就可以恢复访问哟~
networkpolicy.networking.k8s.io "network-policy-ipblock" deleted
kubectl -n cmy exec xiuxian-v1-6545d56f7c-mxrwg -- curl --connect-timeout 1 -s 10.100.160.130
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v3</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: pink">凡人修仙传 v3 </h1>
<div>
<img src="3.jpg">
<div>
</body>
</html>
- 基于名称空间 namespaceSelector 进行访问(匹配的是命名空间上的标签,而不是命名空间名称。这意味着命名空间标签成了信任边界:任何有权限给命名空间打上 school=cmy 标签的用户,都能让自己命名空间里的 Pod 获得访问权限,因此命名空间标签的修改权限应通过 RBAC 收紧)
1.编写资源清单
[root@master231 networkpolciy]# cat > 03-networkPolicy-namespaceSelector.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-namespaceselector
  namespace: cmy
spec:
  # Pods this policy applies to (xiuxian-v1). An empty selector ({}) selects
  # every pod in this namespace only; a policy never selects pods elsewhere.
  podSelector:
    matchLabels:
      apps: v1
  # Ingress is always implied; Egress is implied only when egress rules are
  # present. Both listed explicitly: the selected pods are default-deny in
  # both directions and only the rules below are allowed.
  policyTypes:
    - Ingress
    - Egress
  # Who may reach the selected pods.
  ingress:
    - from:
        # Any pod in any namespace labelled school=cmy. It is the label that
        # is matched, not the namespace name, so whoever can label namespaces
        # can grant access. xiuxian-v3 lives in `default`, which carries no
        # such label, so v3 -> v1 is refused while v2 -> v1 (same namespace)
        # works.
        - namespaceSelector:
            matchLabels:
              school: cmy
      # Destination port/protocol on the selected pods.
      ports:
        - protocol: TCP
          port: 80
  # Where the selected pods may connect to.
  egress:
    - to:
        # NOTE(review): ipBlock on a pod CIDR is fragile (pod IPs change on
        # restart); fine for the demo, which targets xiuxian-v2's IP directly.
        - ipBlock:
            cidr: 10.100.140.0/24
      # Only TCP/80 is allowed out. No rule permits DNS (port 53 to kube-dns),
      # so a workload that resolves names would need an extra egress entry;
      # the tests below use raw IPs and are unaffected.
      ports:
        - protocol: TCP
          port: 80
EOF
2.创建网络策略
kubectl apply -f 03-networkPolicy-namespaceSelector.yaml
networkpolicy.networking.k8s.io/network-policy-namespaceselector created
kubectl describe -f 03-networkPolicy-namespaceSelector.yaml
Name: network-policy-namespaceselector
Namespace: cmy
Created on: 2025-06-13 09:11:14 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: apps=v1
Allowing ingress traffic:
To Port: 80/TCP
From:
NamespaceSelector: school=cmy
Allowing egress traffic:
To Port: 80/TCP
To:
IPBlock:
CIDR: 10.100.140.0/24
Except:
Policy Types: Ingress, Egress
3.测试验证
kubectl get pods -A -l apps -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
default xiuxian-v3-fbbcf9474-l29p2 1/1 Running 0 22m 10.100.160.130 master231 <none> <none>
cmy xiuxian-v2-768f95c4d8-zss9d 1/1 Running 0 22m 10.100.140.119 worker233 <none> <none>
cmy xiuxian-v1-6545d56f7c-mxrwg 1/1 Running 0 22m 10.100.203.143 worker232 <none> <none>
kubectl get ns -l school=cmy --show-labels
NAME STATUS AGE LABELS
cmy Active 22m kubernetes.io/metadata.name=cmy,school=cmy
kubectl -n cmy exec xiuxian-v2-768f95c4d8-zss9d -- curl --connect-timeout 1 -s 10.100.203.143
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
kubectl -n default exec xiuxian-v3-fbbcf9474-l29p2 -- curl --connect-timeout 1 -s 10.100.203.143
command terminated with exit code 28
kubectl -n cmy exec xiuxian-v1-6545d56f7c-mxrwg -- curl --connect-timeout 1 -s 10.100.140.119
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v2</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: red">凡人修仙传 v2 </h1>
<div>
<img src="2.jpg">
<div>
</body>
</html>
kubectl -n cmy exec xiuxian-v1-6545d56f7c-mxrwg -- curl --connect-timeout 1 -s 10.100.160.130
command terminated with exit code 28
kubectl delete -f 03-networkPolicy-namespaceSelector.yaml # 删除后就可以正常访问
networkpolicy.networking.k8s.io "network-policy-namespaceselector" deleted
kubectl -n cmy exec xiuxian-v1-6545d56f7c-mxrwg -- curl --connect-timeout 1 -s 10.100.160.130
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v3</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: pink">凡人修仙传 v3 </h1>
<div>
<img src="3.jpg">
<div>
</body>
</html>
- 基于Pod的标签podSelector进行访问(下面把 podSelector 和 namespaceSelector 写在同一个条目下,表示"与":只有位于 school=cmy 命名空间中、且 apps 标签为 v2 或 v3 的 Pod 才能访问;default 中的 v3 虽然标签匹配,但命名空间不匹配,因此被拒绝)
1.编写资源清单
cat > 04-networkPolicy-podSelector.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-podselector
  namespace: cmy
spec:
  # Pods this policy applies to (xiuxian-v1).
  podSelector:
    matchLabels:
      apps: v1
  # Selected pods become default-deny for both directions; only the rules
  # below are allowed.
  policyTypes:
    - Ingress
    - Egress
  # Who may reach the selected pods.
  ingress:
    - from:
        # podSelector and namespaceSelector in the SAME list item => AND:
        # pods labelled apps=v2 or apps=v3 that are ALSO in a namespace
        # labelled school=cmy. A podSelector on its own only matches pods in
        # the policy's own namespace. Writing `- namespaceSelector:` as a
        # separate item would turn this into OR and admit every pod of every
        # school=cmy namespace, so the missing dash is load-bearing.
        # Effect: v2 (cmy) -> v1 allowed; v3 (default, unlabelled) -> v1 denied.
        - podSelector:
            matchExpressions:
              - key: apps
                values:
                  - v2
                  - v3
                operator: In
          namespaceSelector:
            matchLabels:
              school: cmy
      # Destination port/protocol on the selected pods.
      ports:
        - protocol: TCP
          port: 80
  # Outbound: only TCP/80 to the /24 holding xiuxian-v2. Pod IPs are
  # ephemeral, so an ipBlock on a pod CIDR is demo-only; nothing here permits
  # DNS, which the raw-IP tests below do not need.
  egress:
    - to:
        - ipBlock:
            cidr: 10.100.140.0/24
      ports:
        - protocol: TCP
          port: 80
EOF
2.创建资源
kubectl apply -f 04-networkPolicy-podSelector.yaml
networkpolicy.networking.k8s.io/network-policy-podselector created
kubectl describe -f 04-networkPolicy-podSelector.yaml
Name: network-policy-podselector
Namespace: cmy
Created on: 2025-06-13 09:32:13 +0800 CST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: apps=v1
Allowing ingress traffic:
To Port: 80/TCP
From:
NamespaceSelector: school=cmy
PodSelector: apps in (v2,v3)
Allowing egress traffic:
To Port: 80/TCP
To:
IPBlock:
CIDR: 10.100.140.0/24
Except:
Policy Types: Ingress, Egress
3.测试验证
kubectl get pods -o wide -A -l apps --show-labels
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
default xiuxian-v3-fbbcf9474-l29p2 1/1 Running 0 31m 10.100.160.130 master231 <none> <none> apps=v3,pod-template-hash=fbbcf9474
cmy xiuxian-v2-768f95c4d8-zss9d 1/1 Running 0 31m 10.100.140.119 worker233 <none> <none> apps=v2,pod-template-hash=768f95c4d8
cmy xiuxian-v1-6545d56f7c-mxrwg 1/1 Running 0 31m 10.100.203.143 worker232 <none> <none> apps=v1,pod-template-hash=6545d56f7c
kubectl -n cmy exec xiuxian-v1-6545d56f7c-mxrwg -- curl --connect-timeout 1 -s 10.100.160.130
command terminated with exit code 28
kubectl -n cmy exec xiuxian-v1-6545d56f7c-mxrwg -- curl --connect-timeout 1 -s 10.100.140.119
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v2</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: red">凡人修仙传 v2 </h1>
<div>
<img src="2.jpg">
<div>
</body>
</html>
kubectl get pods -l apps -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
default xiuxian-v3-fbbcf9474-l29p2 1/1 Running 0 37m 10.100.160.130 master231 <none> <none>
cmy xiuxian-v2-768f95c4d8-zss9d 1/1 Running 0 37m 10.100.140.119 worker233 <none> <none>
cmy xiuxian-v1-6545d56f7c-mxrwg 1/1 Running 0 37m 10.100.203.143 worker232 <none> <none>
kubectl -n cmy exec xiuxian-v2-768f95c4d8-zss9d -- curl --connect-timeout 1 -s 10.100.203.143
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
kubectl get ns --show-labels | grep school=cmy
cmy Active 38m kubernetes.io/metadata.name=cmy,school=cmy
kubectl -n default exec xiuxian-v3-fbbcf9474-l29p2 -- curl --connect-timeout 1 -s 10.100.203.143
command terminated with exit code 28
kubectl delete -f 04-networkPolicy-podSelector.yaml
networkpolicy.networking.k8s.io "network-policy-podselector" deleted
kubectl -n default exec xiuxian-v3-fbbcf9474-l29p2 -- curl --connect-timeout 1 -s 10.100.203.143
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>