•
Pod 내부로 들어오거나 외부로 나가는 트래픽을 허용하고 거부하는 정책을 설정할 수 있는 오브젝트
•
기본적으로 Whitelist 형식 (정책에 선택된 Pod는 명시적으로 허용한 트래픽만 통과하며, 어떤 정책에도 선택되지 않은 Pod는 모든 트래픽이 허용됨)
•
NetworkPolicy를 지원하는 CNI 플러그인을 사용하는 것이 전제 (지원하지 않는 CNI에서는 오브젝트가 생성되어도 정책이 적용되지 않음)
•
Basic
# Template: reference shape of a NetworkPolicy that covers both directions.
# Angle-bracket values are placeholders to be replaced before applying.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>  # a policy only ever selects pods in its own namespace
spec:
  # Pods this policy applies to (within metadata.namespace).
  podSelector:
    matchLabels:
      <key>: <value>
  # Listing a direction here makes that direction default-deny for the selected
  # pods; only the matching rules below re-open traffic.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # Each list item under `from` is an independently allowed peer (OR).
        # Placing namespaceSelector and podSelector in the SAME item narrows
        # the match to both (AND).
        - ipBlock:
            cidr: <cidr>
            except:
              - <cidr>  # carved out of the cidr above
        - namespaceSelector:
            matchLabels:
              <key>: <value>
        - podSelector:  # on its own, matches pods in this policy's namespace only
            matchLabels:
              <key>: <value>
      # Applies to every peer in this `from` list; omitting `ports` allows any port.
      ports:
        - protocol: <protocol>  # TCP, UDP or SCTP; the API defaults to TCP when omitted
          port: <Port>          # numeric port or a named container port
  egress:
    - to:
        - ipBlock:
            cidr: <cidr>
      ports:
        - protocol: <protocol>
          port: <Port>
•
allow-egress-port.yaml
# Egress allow-list for pods labelled app=worker: HTTPS, HTTP and DNS to any IP.
# Ingress is unaffected because only Egress is listed in policyTypes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>
spec:
  podSelector:
    matchLabels:
      app: worker
  policyTypes:
    - Egress
  egress:
    - to:
        # 0.0.0.0/0 also covers in-cluster pod/service ranges, node IPs and
        # link-local addresses (e.g. cloud metadata endpoints). Add `except:`
        # entries under ipBlock if the intent is "internet only".
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - port: 443  # protocol omitted -> TCP
        - port: 80   # protocol omitted -> TCP
        - port: 53   # DNS over TCP
          protocol: TCP
        - port: 53   # DNS over UDP
          protocol: UDP
•
allow-egress-traffic.yaml
# Allow all egress from every pod in the namespace.
# Policies are additive, so this re-opens egress for pods that another
# policy in the same namespace has made default-deny for Egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>
spec:
  podSelector: {}  # empty selector = all pods in the namespace
  egress:
    - {}  # empty rule = any destination, any port
  policyTypes:
    - Egress
•
allow-ingress-traffic.yaml
# Allow all ingress to every pod in the namespace.
# Policies are additive, so this re-opens ingress for pods that another
# policy in the same namespace has made default-deny for Ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>
spec:
  podSelector: {}  # empty selector = all pods in the namespace
  ingress:
    - {}  # empty rule = any source, any port
  policyTypes:
    - Ingress
•
deny-egress-traffic.yaml
# Default-deny egress for every pod in the namespace: Egress is listed in
# policyTypes but no `egress` rules are given, so nothing is allowed out.
# This also blocks DNS lookups unless another policy permits port 53 to the
# cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>
spec:
  podSelector: {}  # empty selector = all pods in the namespace
  policyTypes:
    - Egress
•
deny-ingress-traffic.yaml
# Default-deny ingress for every pod in the namespace: Ingress is listed in
# policyTypes but no `ingress` rules are given, so nothing is allowed in.
# Egress is left unrestricted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>
spec:
  podSelector: {}  # empty selector = all pods in the namespace
  policyTypes:
    - Ingress
•
deny-ingress-egress-traffic.yaml
# Default-deny in both directions for every pod in the namespace.
# Typical baseline: apply this first, then add narrow allow policies per
# workload (including DNS egress, which this blocks too).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>
spec:
  podSelector: {}  # empty selector = all pods in the namespace
  policyTypes:
    - Ingress
    - Egress
•
deny-pod-traffic.yaml
# Despite the file name this is an allow-list: ingress to app=a is permitted
# only from pods labelled app=b; every other source is denied because Ingress
# is listed in policyTypes. Egress from app=a is unaffected.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>
spec:
  podSelector:
    matchLabels:
      app: a  # pods the policy applies to
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A podSelector without a namespaceSelector matches pods in this
        # policy's namespace only; to admit app=b pods from another namespace,
        # add a namespaceSelector in the same list item.
        - podSelector:
            matchLabels:
              app: b  # peer pods allowed to connect
•
allow-namespace-traffic.yaml
# Allow ingress to app=a from every pod in any namespace labelled app=b.
# The label is matched on the Namespace object, not on the pods; all pods in
# such namespaces are admitted regardless of their own labels.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>
spec:
  podSelector:
    matchLabels:
      app: a  # pods the policy applies to
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              app: b  # namespaces whose pods may connect
•
allow-external-traffic.yaml
# Restrict egress from app=a to a single external host.
# Because Egress is listed in policyTypes and this is the only rule, every
# other outbound connection is denied — including DNS, so name resolution
# fails unless another policy allows port 53 to the cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <networkpolicy name>
  namespace: <namespace>
spec:
  podSelector:
    matchLabels:
      app: a  # pods the policy applies to
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 192.168.1.100/32  # single host (/32)
      # As written any port on that host is allowed; uncomment to narrow it.
      # ports:
      #   - protocol: TCP
      #     port: 8080