networkPolicy初识

networkpolicy可以限制pod的入栈与出栈流量
spec
podSelector
有podSelector选择作用在哪些目标上
空的podSelector则会选择ns下的所有的pod
policyTypes
每个NetworkPolicy都包含一个policyTypes列表，其中包含Ingress以及Egress或者两者都有
未指定policyTypes默认的是Ingress

ingress：
每个NetworkPolicy可包含一个ingress的whitelist
每个rule都允许同时有from和ports部分的流量

Egress：
每个Networkpolicy也有白名单
以及允许匹配to和port

限制只能是ICMP的协议

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-ping-in-cluster
spec:
  selector: all()
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: ICMP
      source:
        selector: all()
      icmp:
        type: 8 # Ping request
    - action: Allow
      protocol: ICMPv6
      source:
        selector: all()
      icmp:
        type: 128
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: tst
spec:
  podSelector: 
    matchLabels:
      role: db
  types:
    - Ingress
    - Egress
  ingress:
  - from: 
    - ipBlock:
      cidr: 192.168.0.0/16
      except:
      - 192.168.1.0/24
    - namespaceSelector:
      matchLabels:
        project: myproject
    - podSelector:
      matchLabels:
        role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
    - to: 
      - ipBlock:
          cidr: 192.168.0.0/16
      ports:
      - protocol: TCP
        port: 5978      
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

默认拒绝所有

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: test
spec:
  podSelector: {} #所有pod
  types:
    - Ingress
1
2
3
4
5
6
7
8

默认允许

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: test
spec:
  podSelector: {} #所有pod
  ingress: #定义默认规则则所有的都可以
  - {}
  types:
    - Ingress
1
2
3
4
5
6
7
8
9
10
11

还有calico的networkpolicy更丰富的功能