Kubernetes网络策略深度解析构建安全的集群网络一、网络策略概述Kubernetes网络策略Network Policy是一种用于控制Pod之间通信的机制它允许管理员定义规则来限制哪些Pod可以相互通信。网络策略是实现微服务安全隔离的关键组件。1.1 网络策略的作用Pod间隔离控制哪些Pod可以与其他Pod通信命名空间隔离限制跨命名空间的网络访问入口/出口控制分别控制进入和离开Pod的流量标签选择器基于标签灵活定义规则1.2 网络策略的特点特性说明默认允许默认情况下所有Pod可以自由通信显式拒绝需要显式定义策略来限制流量状态感知支持状态ful的流量控制四层规则基于IP和端口进行过滤二、网络策略基础配置2.1 基本结构apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: example-network-policy namespace: default spec: podSelector: matchLabels: role: db policyTypes: - Ingress - Egress ingress: - from: - ipBlock: cidr: 172.17.0.0/16 except: - 172.17.1.0/24 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 6379 egress: - to: - ipBlock: cidr: 10.0.0.0/24 ports: - protocol: TCP port: 59782.2 策略类型Ingress入口策略控制进入Pod的流量spec: policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: frontend ports: - protocol: TCP port: 80Egress出口策略控制Pod发出的流量spec: policyTypes: - Egress egress: - to: - ipBlock: cidr: 0.0.0.0/0 ports: - protocol: TCP port: 443三、选择器详解3.1 Pod选择器podSelector: matchLabels: app: backend tier: service3.2 命名空间选择器namespaceSelector: matchLabels: environment: production3.3 IP块选择器ipBlock: cidr: 192.168.0.0/24 except: - 192.168.0.100/32 - 192.168.0.101/32四、高级网络策略模式4.1 完全隔离策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all namespace: sensitive spec: podSelector: {} policyTypes: - Ingress - Egress ingress: [] egress: []4.2 允许特定流量策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-specific namespace: default spec: podSelector: matchLabels: app: database policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: app: api - namespaceSelector: matchLabels: name: monitoring ports: - protocol: TCP port: 5432 egress: - to: - ipBlock: cidr: 10.0.0.0/8 ports: - protocol: TCP port: 534.3 基于命名空间的隔离apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: namespace-isolation namespace: production spec: podSelector: {} policyTypes: - Ingress - Egress ingress: - from: - namespaceSelector: matchLabels: name: production - namespaceSelector: matchLabels: name: staging egress: - to: - namespaceSelector: matchLabels: name: production4.4 端口范围策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: port-range namespace: default spec: podSelector: matchLabels: app: api policyTypes: - Ingress ingress: - from: [] ports: - protocol: TCP port: 8000 endPort: 8080五、网络策略最佳实践5.1 默认拒绝策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: default spec: podSelector: {} policyTypes: - Ingress5.2 数据库访问控制apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: database-access namespace: backend spec: podSelector: matchLabels: app: postgresql policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: api - podSelector: matchLabels: app: worker ports: - protocol: TCP port: 54325.3 外部服务访问控制apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: external-access namespace: default spec: podSelector: matchLabels: app: frontend policyTypes: - Egress egress: - to: - ipBlock: cidr: 0.0.0.0/0 except: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 ports: - protocol: TCP port: 443 - to: - namespaceSelector: {} podSelector: matchLabels: k8s-app: kube-dns ports: - protocol: UDP port: 53六、网络策略调试与验证6.1 检查网络策略状态kubectl get networkpolicies kubectl describe networkpolicy policy-name6.2 测试网络连通性# 在Pod内测试连通性 kubectl exec pod-name -- ping target-pod-ip kubectl exec pod-name -- curl http://target-pod-ip:port # 使用network policy tester kubectl apply -f https://raw.githubusercontent.com/ahmetb/kubernetes-network-policy-recipes/master/test-network-policy.yaml6.3 网络策略可视化# 安装网络策略可视化工具 kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.7/manifests/namespace.yaml kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.7/manifests/metallb.yaml七、常见问题与解决方案7.1 策略不生效问题定义了网络策略但流量没有被限制原因分析CNI插件不支持网络策略如flannel策略类型未正确设置选择器匹配不正确解决方案# 检查CNI插件是否支持网络策略 kubectl get pods -n kube-system -l k8s-appcalico-node # 确保策略类型包含Ingress/Egress kubectl get networkpolicy name -o yaml7.2 DNS解析失败问题应用无法解析DNS原因分析Egress策略阻止了DNS流量没有允许访问kube-dns的规则解决方案egress: - to: - namespaceSelector: matchLabels: name: kube-system podSelector: matchLabels: k8s-app: kube-dns ports: - protocol: UDP port: 537.3 外部访问被阻止问题Pod无法访问外部服务原因分析Egress策略限制了对外访问缺少到0.0.0.0/0的规则解决方案egress: - to: - ipBlock: cidr: 0.0.0.0/0 ports: - protocol: TCP port: 443八、网络策略与服务网格集成8.1 Istio网络策略apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: istio-policy namespace: default spec: selector: matchLabels: app: my-app action: ALLOW rules: - from: - source: principals: [cluster.local/ns/default/sa/my-service-account] to: - operation: ports: [8080]8.2 Cilium网络策略apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: cilium-policy spec: endpointSelector: matchLabels: app: backend ingress: - fromEndpoints: - matchLabels: app: frontend toPorts: - ports: - port: 8080 protocol: TCP九、网络策略性能考量9.1 策略复杂度影响策略复杂度性能影响建议简单规则低推荐用于大多数场景复杂规则中需要评估性能影响大量规则高考虑规则合并9.2 优化建议减少策略数量合并相似的规则使用标签选择器避免过多的IP块规则定期清理移除不再使用的策略监控性能关注网络延迟变化十、总结Kubernetes网络策略是实现微服务安全隔离的重要工具。通过合理配置网络策略可以有效控制Pod之间的通信提升集群的安全性。建议在生产环境中遵循以下原则默认拒绝首先设置默认拒绝所有流量最小权限只允许必要的网络访问分层策略根据安全级别设置不同策略定期审计检查策略的有效性和合规性参考资料Kubernetes Network Policy官方文档Calico网络策略文档网络策略最佳实践
Kubernetes网络策略深度解析:构建安全的集群网络
发布时间:2026/5/24 13:17:06
Kubernetes网络策略深度解析构建安全的集群网络一、网络策略概述Kubernetes网络策略Network Policy是一种用于控制Pod之间通信的机制它允许管理员定义规则来限制哪些Pod可以相互通信。网络策略是实现微服务安全隔离的关键组件。1.1 网络策略的作用Pod间隔离控制哪些Pod可以与其他Pod通信命名空间隔离限制跨命名空间的网络访问入口/出口控制分别控制进入和离开Pod的流量标签选择器基于标签灵活定义规则1.2 网络策略的特点特性说明默认允许默认情况下所有Pod可以自由通信显式拒绝需要显式定义策略来限制流量状态感知支持状态ful的流量控制四层规则基于IP和端口进行过滤二、网络策略基础配置2.1 基本结构apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: example-network-policy namespace: default spec: podSelector: matchLabels: role: db policyTypes: - Ingress - Egress ingress: - from: - ipBlock: cidr: 172.17.0.0/16 except: - 172.17.1.0/24 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 6379 egress: - to: - ipBlock: cidr: 10.0.0.0/24 ports: - protocol: TCP port: 59782.2 策略类型Ingress入口策略控制进入Pod的流量spec: policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: frontend ports: - protocol: TCP port: 80Egress出口策略控制Pod发出的流量spec: policyTypes: - Egress egress: - to: - ipBlock: cidr: 0.0.0.0/0 ports: - protocol: TCP port: 443三、选择器详解3.1 Pod选择器podSelector: matchLabels: app: backend tier: service3.2 命名空间选择器namespaceSelector: matchLabels: environment: production3.3 IP块选择器ipBlock: cidr: 192.168.0.0/24 except: - 192.168.0.100/32 - 192.168.0.101/32四、高级网络策略模式4.1 完全隔离策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all namespace: sensitive spec: podSelector: {} policyTypes: - Ingress - Egress ingress: [] egress: []4.2 允许特定流量策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-specific namespace: default spec: podSelector: matchLabels: app: database policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: app: api - namespaceSelector: matchLabels: name: monitoring ports: - protocol: TCP port: 5432 egress: - to: - ipBlock: cidr: 10.0.0.0/8 ports: - protocol: TCP port: 534.3 基于命名空间的隔离apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: namespace-isolation namespace: production spec: podSelector: {} policyTypes: - Ingress - Egress ingress: - from: - namespaceSelector: matchLabels: name: production - namespaceSelector: matchLabels: name: staging egress: - to: - namespaceSelector: matchLabels: name: production4.4 端口范围策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: port-range namespace: default spec: podSelector: matchLabels: app: api policyTypes: - Ingress ingress: - from: [] ports: - protocol: TCP port: 8000 endPort: 8080五、网络策略最佳实践5.1 默认拒绝策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: default spec: podSelector: {} policyTypes: - Ingress5.2 数据库访问控制apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: database-access namespace: backend spec: podSelector: matchLabels: app: postgresql policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: api - podSelector: matchLabels: app: worker ports: - protocol: TCP port: 54325.3 外部服务访问控制apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: external-access namespace: default spec: podSelector: matchLabels: app: frontend policyTypes: - Egress egress: - to: - ipBlock: cidr: 0.0.0.0/0 except: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 ports: - protocol: TCP port: 443 - to: - namespaceSelector: {} podSelector: matchLabels: k8s-app: kube-dns ports: - protocol: UDP port: 53六、网络策略调试与验证6.1 检查网络策略状态kubectl get networkpolicies kubectl describe networkpolicy policy-name6.2 测试网络连通性# 在Pod内测试连通性 kubectl exec pod-name -- ping target-pod-ip kubectl exec pod-name -- curl http://target-pod-ip:port # 使用network policy tester kubectl apply -f https://raw.githubusercontent.com/ahmetb/kubernetes-network-policy-recipes/master/test-network-policy.yaml6.3 网络策略可视化# 安装网络策略可视化工具 kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.7/manifests/namespace.yaml kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.7/manifests/metallb.yaml七、常见问题与解决方案7.1 策略不生效问题定义了网络策略但流量没有被限制原因分析CNI插件不支持网络策略如flannel策略类型未正确设置选择器匹配不正确解决方案# 检查CNI插件是否支持网络策略 kubectl get pods -n kube-system -l k8s-appcalico-node # 确保策略类型包含Ingress/Egress kubectl get networkpolicy name -o yaml7.2 DNS解析失败问题应用无法解析DNS原因分析Egress策略阻止了DNS流量没有允许访问kube-dns的规则解决方案egress: - to: - namespaceSelector: matchLabels: name: kube-system podSelector: matchLabels: k8s-app: kube-dns ports: - protocol: UDP port: 537.3 外部访问被阻止问题Pod无法访问外部服务原因分析Egress策略限制了对外访问缺少到0.0.0.0/0的规则解决方案egress: - to: - ipBlock: cidr: 0.0.0.0/0 ports: - protocol: TCP port: 443八、网络策略与服务网格集成8.1 Istio网络策略apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: istio-policy namespace: default spec: selector: matchLabels: app: my-app action: ALLOW rules: - from: - source: principals: [cluster.local/ns/default/sa/my-service-account] to: - operation: ports: [8080]8.2 Cilium网络策略apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: cilium-policy spec: endpointSelector: matchLabels: app: backend ingress: - fromEndpoints: - matchLabels: app: frontend toPorts: - ports: - port: 8080 protocol: TCP九、网络策略性能考量9.1 策略复杂度影响策略复杂度性能影响建议简单规则低推荐用于大多数场景复杂规则中需要评估性能影响大量规则高考虑规则合并9.2 优化建议减少策略数量合并相似的规则使用标签选择器避免过多的IP块规则定期清理移除不再使用的策略监控性能关注网络延迟变化十、总结Kubernetes网络策略是实现微服务安全隔离的重要工具。通过合理配置网络策略可以有效控制Pod之间的通信提升集群的安全性。建议在生产环境中遵循以下原则默认拒绝首先设置默认拒绝所有流量最小权限只允许必要的网络访问分层策略根据安全级别设置不同策略定期审计检查策略的有效性和合规性参考资料Kubernetes Network Policy官方文档Calico网络策略文档网络策略最佳实践
:测试如何提前在代码提交阶段发现 Bug?)
)
