
Linux Tutorial FG439-Kubernetes Network Policies

Summary: This Feng Ge tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, and describes in detail how to configure and use the related technologies.

This document describes how to configure and use Kubernetes network policies.

Part01-Network Policy Overview

1.1 Network policy concepts

# Kubernetes network policy concepts
[root@k8s-master ~]# cat > /root/k8s-networkpolicy.txt << 'EOF'
Kubernetes network policies
=================
1. Policy types
- Ingress: controls inbound traffic
- Egress: controls outbound traffic
2. Selectors
- podSelector: selects pods by label
- namespaceSelector: selects namespaces by label
- ipBlock: IP address range (CIDR)
3. Port rules
- port: port number
- protocol: protocol (TCP/UDP/SCTP)
4. Default behaviour
- With no policy, all traffic is allowed
- Once a pod is selected by a policy, its traffic is denied by default
- Traffic must be allowed by an explicit rule
5. Network plugin support
- Calico
- Cilium
- Weave Net
- Flannel (requires additional configuration)
EOF

Part02-Ingress Policies

2.1 Inbound traffic control

# Create the namespace
[root@k8s-master ~]# kubectl create namespace fgedu-prod
namespace/fgedu-prod created

# Create a policy that allows access from specific pods
[root@k8s-master ~]# cat > fgedu-ingress-policy.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fgedu-web-ingress
  namespace: fgedu-prod
spec:
  podSelector:
    matchLabels:
      app: fgedu-web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    - namespaceSelector:
        matchLabels:
          name: fgedu-prod
    ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-ingress-policy.yaml
networkpolicy.networking.k8s.io/fgedu-web-ingress created

# List network policies
[root@k8s-master ~]# kubectl get networkpolicy -n fgedu-prod
NAME                POD-SELECTOR    AGE
fgedu-web-ingress   app=fgedu-web   10s

# Show policy details
[root@k8s-master ~]# kubectl describe networkpolicy fgedu-web-ingress -n fgedu-prod
Name:         fgedu-web-ingress
Namespace:    fgedu-prod
Created on:   2026-04-04 10:00:00 +0800 CST
Labels:
Annotations:
Spec:
  PodSelector:     app=fgedu-web
  Not affecting ingress traffic
  Allowing ingress traffic:
    To Port: 80/TCP
    To Port: 443/TCP
    From:
      PodSelector: role=frontend
    From:
      NamespaceSelector: name=fgedu-prod
  Not affecting egress traffic
  Policy Types: Ingress

Part03-Egress Policies

3.1 Outbound traffic control

# Create an egress policy
[root@k8s-master ~]# cat > fgedu-egress-policy.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fgedu-app-egress
  namespace: fgedu-prod
spec:
  podSelector:
    matchLabels:
      app: fgedu-app
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: fgedu-db
    ports:
    - protocol: TCP
      port: 3306
  - to:
    - podSelector:
        matchLabels:
          app: fgedu-redis
    ports:
    - protocol: TCP
      port: 6379
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-egress-policy.yaml
networkpolicy.networking.k8s.io/fgedu-app-egress created
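To make the Part01 rule "no policy means allow everything, a selected pod is denied unless a rule matches" concrete, here is an added example that is not part of the tutorial: a small Python model of NetworkPolicy evaluation run against the fgedu-web-ingress policy from Part02 and the fgedu-app-egress policy above. The pods, the namespaces, the `other` namespace and the 8.8.8.8 address are constructed test data; the model handles matchLabels, a lone podSelector (same namespace only), namespaceSelector combined with podSelector (both must match), and ipBlock without `except`, and ignores matchExpressions. Two results are worth checking in a real cluster: `kubectl create namespace` does not add a `name` label, so the `namespaceSelector: name=fgedu-prod` rule matches nothing until the namespace is labelled, and the egress policy allows DNS over UDP only, so any resolver answer that falls back to TCP/53 is dropped.

```python
# Added example, not code from the tutorial: a minimal evaluator of the
# NetworkPolicy semantics stated in Part01, run against the Part02 ingress and
# Part03 egress policies. Namespaces, pods and addresses below are constructed.
import ipaddress

# Kubernetes labels namespaces with kubernetes.io/metadata.name on its own; the
# "name: fgedu-prod" label the ingress policy matches is NOT added automatically.
NAMESPACES = {
    "fgedu-prod": {"kubernetes.io/metadata.name": "fgedu-prod"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
    "other": {"kubernetes.io/metadata.name": "other"},
}

PODS = {  # constructed: pod name -> (namespace, labels)
    "frontend": ("fgedu-prod", {"role": "frontend"}),
    "web": ("fgedu-prod", {"app": "fgedu-web"}),
    "app": ("fgedu-prod", {"app": "fgedu-app"}),
    "db": ("fgedu-prod", {"app": "fgedu-db"}),
    "dns": ("kube-system", {"k8s-app": "kube-dns"}),
    "outsider": ("other", {"app": "other-app"}),
}

# The tutorial's fgedu-web-ingress and fgedu-app-egress policies as dicts.
POLICIES = [
    {"metadata": {"name": "fgedu-web-ingress", "namespace": "fgedu-prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "fgedu-web"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [
                  {"podSelector": {"matchLabels": {"role": "frontend"}}},
                  {"namespaceSelector": {"matchLabels": {"name": "fgedu-prod"}}}],
                  "ports": [{"protocol": "TCP", "port": 80},
                            {"protocol": "TCP", "port": 443}]}]}},
    {"metadata": {"name": "fgedu-app-egress", "namespace": "fgedu-prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "fgedu-app"}},
              "policyTypes": ["Egress"],
              "egress": [
                  {"to": [{"podSelector": {"matchLabels": {"app": "fgedu-db"}}}],
                   "ports": [{"protocol": "TCP", "port": 3306}]},
                  {"to": [{"podSelector": {"matchLabels": {"app": "fgedu-redis"}}}],
                   "ports": [{"protocol": "TCP", "port": 6379}]},
                  {"to": [{"namespaceSelector": {},
                           "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                   "ports": [{"protocol": "UDP", "port": 53}]}]}},
]


def selector_matches(selector, labels):
    """matchLabels: every listed key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, other, namespaces):
    """One `from`/`to` entry against the far endpoint (a pod name or an IP string)."""
    if other not in PODS:  # cluster-external address: only an ipBlock can match it
        block = peer.get("ipBlock")  # the `except` list is not modelled here
        return bool(block) and ipaddress.ip_address(other) in ipaddress.ip_network(block["cidr"])
    ns, labels = PODS[other]
    has_ns, has_pod = "namespaceSelector" in peer, "podSelector" in peer
    if has_ns and not selector_matches(peer["namespaceSelector"], namespaces[ns]):
        return False
    if not has_ns and ns != policy_ns:  # a lone podSelector is namespace-local
        return False
    if has_pod and not selector_matches(peer["podSelector"], labels):
        return False
    return has_ns or has_pod  # both selectors present = AND; neither = no pod match


def port_matches(ports, port, proto):
    """An absent or empty `ports` list allows every port and protocol."""
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port
                            for p in ports)


def direction_ok(policies, subject, other, port, proto, direction, namespaces):
    """Part01 rule 4: an unselected pod allows everything; a selected pod needs a match."""
    if subject not in PODS:  # policies never apply to non-pod endpoints
        return True
    ns, labels = PODS[subject]
    selecting = [p for p in policies if p["metadata"]["namespace"] == ns
                 and direction in p["spec"].get("policyTypes", [])
                 and selector_matches(p["spec"]["podSelector"], labels)]
    if not selecting:
        return True
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for p in selecting:  # rules across all selecting policies are additive (OR)
        for rule in p["spec"].get(key) or []:
            peers = rule.get(peer_key)
            if (not peers or any(peer_matches(x, ns, other, namespaces) for x in peers)) \
                    and port_matches(rule.get("ports"), port, proto):
                return True
    return False


def is_allowed(policies, src, dst, port, proto="TCP", namespaces=NAMESPACES):
    """A connection needs the source's egress AND the destination's ingress to allow it."""
    return (direction_ok(policies, src, dst, port, proto, "Egress", namespaces)
            and direction_ok(policies, dst, src, port, proto, "Ingress", namespaces))


if __name__ == "__main__":
    for case in [("frontend", "web", 80), ("db", "web", 80), ("app", "db", 3306),
                 ("app", "dns", 53, "UDP"), ("app", "dns", 53, "TCP"),
                 ("app", "8.8.8.8", 53, "UDP")]:
        print(case, "->", "ALLOW" if is_allowed(POLICIES, *case) else "DENY")
```

Passing a namespaces map with `name: fgedu-prod` added to `is_allowed` flips the `db -> web:80` result from deny to allow, which is the quickest way to see why the namespace label matters before relying on that rule.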

Part04-Default Policies

4.1 Default-deny policies

# Deny all inbound traffic by default
[root@k8s-master ~]# cat > default-deny-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: fgedu-prod
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
[root@k8s-master ~]# kubectl apply -f default-deny-ingress.yaml
networkpolicy.networking.k8s.io/default-deny-ingress created

# Deny all outbound traffic by default
[root@k8s-master ~]# cat > default-deny-egress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: fgedu-prod
spec:
  podSelector: {}
  policyTypes:
  - Egress
EOF
[root@k8s-master ~]# kubectl apply -f default-deny-egress.yaml
networkpolicy.networking.k8s.io/default-deny-egress created

# Deny all traffic by default
[root@k8s-master ~]# cat > default-deny-all.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: fgedu-prod
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
[root@k8s-master ~]# kubectl apply -f default-deny-all.yaml
networkpolicy.networking.k8s.io/default-deny-all created

# Allow all inbound traffic
[root@k8s-master ~]# cat > allow-all-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
  namespace: fgedu-prod
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - {}
EOF
[root@k8s-master ~]# kubectl apply -f allow-all-ingress.yaml
networkpolicy.networking.k8s.io/allow-all-ingress created

# List all network policies
[root@k8s-master ~]# kubectl get networkpolicy -n fgedu-prod
NAME                   POD-SELECTOR    AGE
allow-all-ingress                      10s
default-deny-all                       30s
default-deny-egress                    40s
default-deny-ingress                   50s
fgedu-app-egress       app=fgedu-app   2m
fgedu-web-ingress      app=fgedu-web   3m
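Because network policies are additive, the state Part04 leaves in fgedu-prod deserves a second look: default-deny-all and default-deny-ingress isolate every pod, but allow-all-ingress also selects every pod and permits all inbound traffic, so the namespace's inbound baseline is open again while egress stays closed. The following added example (not the tutorial's code) is an audit script for exactly that check, the kind of thing to run when reviewing policies regularly. It expects the `.items` list from `kubectl get networkpolicy -n NS -o json`, reduced here to the fields that matter; the SAMPLE_POLICIES list is constructed from the six objects listed above, and `policyTypes` is assumed present, as it is on any object the API server has stored.

```python
# Added example, not code from the tutorial: audit one namespace's NetworkPolicy
# objects for default-deny coverage and for all-pod policies that reopen it.
# SAMPLE_POLICIES is constructed from the six fgedu-prod policies in Part04.

SAMPLE_POLICIES = [
    {"metadata": {"name": "allow-all-ingress"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}},
    {"metadata": {"name": "default-deny-all"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "default-deny-egress"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
    {"metadata": {"name": "default-deny-ingress"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "fgedu-app-egress"},
     "spec": {"podSelector": {"matchLabels": {"app": "fgedu-app"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "fgedu-db"}}}],
                          "ports": [{"protocol": "TCP", "port": 3306}]}]}},
    {"metadata": {"name": "fgedu-web-ingress"},
     "spec": {"podSelector": {"matchLabels": {"app": "fgedu-web"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
                           "ports": [{"protocol": "TCP", "port": 80}]}]}},
]

DIRECTIONS = (("Ingress", "ingress", "from"), ("Egress", "egress", "to"))


def selects_all_pods(policy):
    """podSelector: {} (no matchLabels / matchExpressions) selects every pod in the namespace."""
    sel = policy["spec"].get("podSelector") or {}
    return not sel.get("matchLabels") and not sel.get("matchExpressions")


def rule_allows_everything(rule, peer_key):
    """A rule with no peers and no ports (the `- {}` form) matches all endpoints and ports."""
    return not rule.get(peer_key) and not rule.get("ports")


def audit_namespace(policies):
    """Per direction: policies imposing default deny, all-pod policies allowing
    everything again, and the resulting baseline for pods in the namespace."""
    report = {}
    for direction, key, peer_key in DIRECTIONS:
        default_deny, allow_all = [], []
        for p in policies:
            if direction not in p["spec"].get("policyTypes", []) or not selects_all_pods(p):
                continue
            rules = p["spec"].get(key) or []
            if not rules:
                default_deny.append(p["metadata"]["name"])
            elif any(rule_allows_everything(r, peer_key) for r in rules):
                allow_all.append(p["metadata"]["name"])
        # Policies are additive: one all-pods allow-all rule overrides every deny.
        baseline = "deny" if default_deny and not allow_all else "allow"
        report[direction] = {"default_deny": sorted(default_deny),
                             "allow_all": sorted(allow_all), "baseline": baseline}
    return report


def findings(policies):
    """Warnings a reviewer would raise for this namespace; empty means nothing to flag."""
    out = []
    for direction, r in audit_namespace(policies).items():
        if not r["default_deny"]:
            out.append(f"{direction}: no default-deny policy; unselected pods accept all traffic")
        for name in r["allow_all"]:
            out.append(f"{direction}: policy {name} allows all traffic for every pod, "
                       f"overriding {', '.join(r['default_deny']) or 'nothing'}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_POLICIES):
        print("WARN", line)
```

Running it over the Part04 state reports a single warning, that allow-all-ingress overrides default-deny-all and default-deny-ingress; removing allow-all-ingress from the input brings the ingress baseline back to deny and leaves nothing to flag.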
Feng Ge's recommendations for network policies:

  • Use default-deny policies to improve security
  • Explicitly specify the traffic that is allowed
  • Isolate applications by namespace
  • Review network policies regularly
  • Test the effect of each policy

This article was compiled and published by Feng Ge Tutorials for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
