# Kubernetes Network Policies and Security Configuration: Building a Secure Cluster Network

Published: 2026/5/29 1:30:19

## 1. Network security overview

Kubernetes network security protects communication inside and outside the cluster through network policies, TLS encryption, and authentication and authorization.

### 1.1 Network security architecture

```mermaid
flowchart TD
  subgraph ext[External boundary]
    A[Ingress Controller]
    B[Load Balancer]
    C[WAF]
  end
  subgraph int[Cluster internal]
    D[Network Policy]
    E[RBAC]
    F[TLS encryption]
  end
  subgraph pod[Pod communication layer]
    G[Service-to-service communication - DNS service discovery - mTLS]
  end
  A --> D
  B --> E
  C --> F
  D --> G
  E --> G
  F --> G
```

### 1.2 Network security layers

| Layer | Security mechanism | Role |
| --- | --- | --- |
| Network layer | NetworkPolicy | Controls Pod-to-Pod communication |
| Transport layer | TLS/mTLS | Encrypts data in transit |
| Application layer | RBAC / authentication | Access control |
| Boundary layer | Ingress / WAF | Controls external access |

## 2. NetworkPolicy configuration

NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them (Calico and Cilium, covered in sections 3 and 4, both do); on a CNI without policy support the objects are accepted by the API server but have no effect.

### 2.1 Allow all egress traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
spec:
  podSelector: {}          # every Pod in the policy's namespace
  policyTypes:
  - Egress
  egress:
  - {}                     # a rule with no "to" and no "ports" matches all destinations
```

### 2.2 Restrict ingress traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}          # selects every Pod, so every Pod becomes isolated for ingress
  policyTypes:
  - Ingress
  ingress: []              # no rules: nothing is allowed in (omitting "ingress" is equivalent)
```

### 2.3 Allow access to a specific service

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-access
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:         # a podSelector on its own only matches Pods in this policy's namespace
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 5432
```

### 2.4 Namespace-based policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-namespace
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:   # the frontend namespace must actually carry this label;
        matchLabels:       # recent clusters also set kubernetes.io/metadata.name=<namespace> automatically
          name: frontend
    ports:
    - protocol: TCP
      port: 8080
```

### 2.5 Combined policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:                  # the two entries are OR-ed: either peer is accepted
    - namespaceSelector:
        matchLabels:
          name: frontend
    - podSelector:
        matchLabels:
          role: gateway
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - namespaceSelector:   # kube-dns lives in kube-system; a podSelector alone would only
        matchLabels:       # match Pods in this policy's namespace and DNS would be blocked
          kubernetes.io/metadata.name: kube-system
      podSelector:         # namespaceSelector and podSelector in one entry are AND-ed
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

## 3. Calico network configuration

### 3.1 Install Calico

```bash
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
# verify the installation
kubectl get pods -n kube-system -l k8s-app=calico-node
```

### 3.2 Calico global network policy

```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow
    source:
      selector: has(kubernetes.io/hostname)   # only endpoints carrying a node hostname label
    destination: {}
  egress:
  - action: Allow
    destination: {}
# Calico denies traffic that matches no rule of an applicable policy, so with this
# policy in place every other ingress flow is dropped while egress stays open.
```

### 3.3 Calico host endpoint policy

```yaml
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: host-endpoint
  labels:
    type: worker
spec:
  interfaceName: eth0
  node: node-1
```

## 4. Cilium network configuration

### 4.1 Install Cilium

```bash
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --namespace kube-system
# verify the installation
kubectl get pods -n kube-system -l k8s-app=cilium
```

### 4.2 Cilium network policy

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: app-to-db
spec:
  endpointSelector:
    matchLabels:
      app: database
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: backend
    toPorts:
    - ports:
      - port: "5432"       # Cilium expects the port as a string
        protocol: TCP
```

### 4.3 Cilium cluster-wide network policy

```yaml
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: deny-all-external
spec:
  endpointSelector: {}     # every endpoint in the cluster
  egress:
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
# Because an egress section is present for every endpoint, DNS becomes the only
# permitted egress cluster-wide; add the other required egress rules before applying.
```

## 5. TLS configuration

### 5.1 Create a certificate Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded-cert>   # values under "data" must be base64; use "stringData" for raw PEM
  tls.key: <base64-encoded-key>
```

### 5.2 Ingress TLS configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80
```

## 6. cert-manager configuration

### 6.1 Install cert-manager

```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
# verify the installation
kubectl get pods -n cert-manager
```

### 6.2 Create a ClusterIssuer

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
```

### 6.3 Create a Certificate

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls
spec:
  secretName: example-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - example.com
  - www.example.com
```

## 7. Network security best practices

### 7.1 Principle of least privilege

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: minimal-policy
spec:
  podSelector:
    matchLabels:
      app: sensitive-service
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: allowed-client
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: allowed-backend
    ports:
    - protocol: TCP
      port: 443
```

Because `Egress` is listed in `policyTypes`, this policy also blocks DNS lookups; unless the service only dials IP addresses, add an egress rule to kube-dns on port 53 as in section 2.5.

### 7.2 Isolate sensitive namespaces

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-namespace   # NetworkPolicy is namespaced: create this inside the namespace being isolated
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: trusted-namespace
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: trusted-namespace
```

### 7.3 Monitor network traffic

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: network-monitor
spec:
  selector:
    matchLabels:
      app: network-exporter
  endpoints:
  - port: metrics
    interval: 30s
```

## 8. Summary

| Practice | Key point |
| --- | --- |
| Default deny | Configure a policy that denies all traffic by default |
| Least privilege | Allow only the network communication that is actually required |
| Namespace isolation | Isolate services of different security levels from each other |
| TLS encryption | Protect data in transit |
| Automated certificate management | Use cert-manager to manage certificates |
| Monitoring and auditing | Record and monitor network traffic |

Configure layered network security policies that match your security requirements.
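The NetworkPolicy rules in section 2 are easy to misread: a Pod is only isolated once some policy selects it, a `podSelector` on its own never reaches into another namespace, and a flow must be allowed by the source's egress *and* the destination's ingress. The following evaluator is an added example written for this page (not code from the article or from Kubernetes, Calico or Cilium); it reimplements those semantics over a small constructed cluster containing the policies of sections 2.2, 2.3 and 2.5 and reports which flows pass. The namespace labels, Pod names and the `batch`/`web` Pods are constructed; `ipBlock`, named ports, `endPort` and `matchExpressions` are deliberately not modelled.

```python
"""Evaluator for Kubernetes NetworkPolicy semantics (constructed data, stdlib only).
A pod is isolated in a direction once any policy selecting it lists that direction in
policyTypes; a flow passes only if the source's egress AND the destination's ingress
allow it. Modelled: podSelector, namespaceSelector (AND-ed within one peer), ports.
Not modelled: ipBlock, named ports, endPort, matchExpressions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str]


def _match(selector: Optional[dict], labels: Dict[str, str]) -> bool:
    """matchLabels: every listed key/value must be present; {} matches everything."""
    return selector is not None and all(
        labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


class Cluster:
    def __init__(self, ns_labels: Dict[str, Dict[str, str]], pods: List[Pod], policies: List[dict]):
        self.ns_labels, self.pods, self.policies = ns_labels, pods, policies

    def _peer_matches(self, peer: dict, policy_ns: str, other: Pod) -> bool:
        pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
        if ns_sel is None:  # podSelector alone is scoped to the policy's own namespace
            return other.namespace == policy_ns and _match(pod_sel, other.labels)
        if not _match(ns_sel, self.ns_labels.get(other.namespace, {})):
            return False
        return pod_sel is None or _match(pod_sel, other.labels)  # both selectors present: AND

    def _direction_allowed(self, pod: Pod, other: Pod, direction: str, port: int, proto: str) -> bool:
        peer_key = "from" if direction == "Ingress" else "to"
        isolated = False
        for pol in self.policies:
            spec, pol_ns = pol["spec"], pol["metadata"]["namespace"]
            if pol_ns != pod.namespace or not _match(spec.get("podSelector", {}), pod.labels):
                continue  # this policy does not select the pod
            types = spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])
            if direction not in types:
                continue
            isolated = True
            for rule in spec.get(direction.lower()) or []:
                peers, ports = rule.get(peer_key), rule.get("ports")
                peer_ok = not peers or any(self._peer_matches(p, pol_ns, other) for p in peers)
                port_ok = not ports or any(
                    p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)
                if peer_ok and port_ok:
                    return True
        return not isolated  # a pod selected by no policy accepts everything

    def allowed(self, src: Pod, dst: Pod, port: int, proto: str = "TCP") -> bool:
        return (self._direction_allowed(src, dst, "Egress", port, proto)
                and self._direction_allowed(dst, src, "Ingress", port, proto))


def np(name: str, ns: str, spec: dict) -> dict:
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns}, "spec": spec}


def build_cluster(dns_peer_has_namespace_selector: bool) -> Cluster:
    """Constructed namespaces and pods plus the policies of sections 2.2, 2.3 and 2.5 in namespace prod."""
    ns_labels = {"prod": {"name": "prod", "kubernetes.io/metadata.name": "prod"},
                 "frontend": {"name": "frontend", "kubernetes.io/metadata.name": "frontend"},
                 "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}
    pods = [Pod("api", "prod", {"app": "api"}), Pod("backend", "prod", {"app": "backend"}),
            Pod("database", "prod", {"app": "database"}), Pod("batch", "prod", {"app": "batch"}),
            Pod("web", "frontend", {"app": "web"}), Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})]
    dns_peer = {"podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}
    if dns_peer_has_namespace_selector:  # without this the peer only matches pods in prod
        dns_peer["namespaceSelector"] = {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}
    def tcp(n): return [{"protocol": "TCP", "port": n}]
    policies = [
        np("deny-all-ingress", "prod", {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []}),
        np("allow-db-access", "prod", {"podSelector": {"matchLabels": {"app": "database"}},
           "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "backend"}}}], "ports": tcp(5432)}]}),
        np("api-network-policy", "prod", {"podSelector": {"matchLabels": {"app": "api"}},
           "policyTypes": ["Ingress", "Egress"],
           "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "frontend"}}},
                                 {"podSelector": {"matchLabels": {"role": "gateway"}}}], "ports": tcp(8080)}],
           "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "database"}}}], "ports": tcp(5432)},
                      {"to": [dns_peer], "ports": [{"protocol": "UDP", "port": 53}]}]}),
    ]
    return Cluster(ns_labels, pods, policies)


def evaluate(dns_peer_has_namespace_selector: bool = True) -> Dict[str, bool]:
    c = build_cluster(dns_peer_has_namespace_selector)
    by = {p.name: p for p in c.pods}
    return {
        "backend->database:5432": c.allowed(by["backend"], by["database"], 5432),  # True
        "batch->database:5432": c.allowed(by["batch"], by["database"], 5432),      # False: not an allowed client
        "web->api:8080": c.allowed(by["web"], by["api"], 8080),                    # True via namespaceSelector
        "web->api:443": c.allowed(by["web"], by["api"], 443),                      # False: port not listed
        "api->database:5432": c.allowed(by["api"], by["database"], 5432),          # False: egress ok, ingress denied
        "api->coredns:53/UDP": c.allowed(by["api"], by["coredns"], 53, "UDP"),     # True only with namespaceSelector
    }
```

Two results are worth dwelling on. `api->database:5432` is denied even though the api policy's egress explicitly allows it, because `allow-db-access` on the database side only admits `app: backend`; both ends must agree. And `evaluate(False)` flips `api->coredns:53/UDP` to denied, which is exactly the outage you get when the kube-dns peer is written with a `podSelector` but no `namespaceSelector`.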
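Sections 5 and 6 wire together three objects that must agree: the Ingress' `spec.tls` entries, the `kubernetes.io/tls` Secret they name (or the cert-manager Certificate that will create it), and the hostnames in the Ingress rules. The linter below is an added example for this page (not code from the article, Kubernetes or cert-manager) that cross-checks those manifests offline. It uses section 5.2's Ingress extended with constructed extra hosts, section 6.3's Certificate, a correctly encoded Secret and a deliberately mis-encoded one; the PEM bodies are placeholders, not key material, and certificate contents are not parsed, so SAN verification against the live certificate is left to `openssl` or cert-manager status.

```python
"""Consistency check for Ingress TLS wiring (sections 5 and 6), constructed manifests only.
Verifies that each spec.tls entry's secretName is backed by an existing kubernetes.io/tls
Secret holding base64-encoded PEM, or by a cert-manager Certificate whose names cover the
TLS hosts, and that every rule host is covered by some TLS entry. PEM bodies are placeholders."""
import base64
import binascii
from typing import List


def _check_pem(secret: dict, key: str, marker: str) -> str:
    """Return '' when data[key] base64-decodes to text containing `marker`, else a finding."""
    sname = secret["metadata"]["name"]
    raw = secret.get("data", {}).get(key)
    if raw is None:
        return f"secret/{sname}: data.{key} is missing"
    try:
        text = base64.b64decode(raw, validate=True).decode("ascii", errors="replace")
    except binascii.Error:
        return f"secret/{sname}: data.{key} is not base64 (raw PEM belongs under stringData)"
    if marker not in text:
        return f"secret/{sname}: data.{key} does not contain a PEM block with '{marker}'"
    return ""


def lint_ingress_tls(ingress: dict, secrets: List[dict], certificates: List[dict]) -> List[str]:
    ns, name = ingress["metadata"].get("namespace", "default"), ingress["metadata"]["name"]
    secrets_by = {s["metadata"]["name"]: s for s in secrets if s["metadata"].get("namespace", "default") == ns}
    certs_by_secret = {c["spec"]["secretName"]: c for c in certificates
                       if c["metadata"].get("namespace", "default") == ns}
    rule_hosts = {r["host"] for r in ingress["spec"].get("rules", []) if "host" in r}
    tls_hosts, findings = set(), []
    for entry in ingress["spec"].get("tls", []):
        hosts, sname = entry.get("hosts", []), entry.get("secretName")
        tls_hosts.update(hosts)
        secret, cert = secrets_by.get(sname), certs_by_secret.get(sname)
        if secret is None and cert is None:
            findings.append(f"ingress/{name}: secret '{sname}' does not exist and no Certificate creates it")
        if secret is not None:
            if secret.get("type") != "kubernetes.io/tls":
                findings.append(f"secret/{sname}: type is '{secret.get('type')}', expected kubernetes.io/tls")
            for key, marker in (("tls.crt", "BEGIN CERTIFICATE"), ("tls.key", "PRIVATE KEY-----")):
                msg = _check_pem(secret, key, marker)
                if msg:
                    findings.append(msg)
        if cert is not None:  # cert-manager issues into secretName; check the names it requests
            covered = set(cert["spec"].get("dnsNames", [])) | {cert["spec"].get("commonName")}
            findings += [f"certificate/{cert['metadata']['name']}: does not cover host '{h}'"
                         for h in hosts if h not in covered]
        findings += [f"ingress/{name}: tls host '{h}' has no matching rule" for h in hosts if h not in rule_hosts]
    findings += [f"ingress/{name}: rule host '{h}' is served without TLS" for h in sorted(rule_hosts - tls_hosts)]
    return findings


def sample_manifests() -> dict:
    """Constructed inputs: a clean and a flawed variant of section 5.2's Ingress, two Secrets,
    and section 6.3's Certificate. PEM bodies are placeholders, not real key material."""
    fake_crt = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    fake_key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    def b64(s): return base64.b64encode(s.encode()).decode()
    def meta(n): return {"name": n, "namespace": "default"}
    secrets = [
        {"kind": "Secret", "metadata": meta("tls-secret"), "type": "kubernetes.io/tls",
         "data": {"tls.crt": b64(fake_crt), "tls.key": b64(fake_key)}},
        # common mistake: PEM pasted under data: unencoded, and the type left as Opaque
        {"kind": "Secret", "metadata": meta("raw-secret"), "type": "Opaque",
         "data": {"tls.crt": fake_crt, "tls.key": b64(fake_key)}},
    ]
    certificates = [{"kind": "Certificate", "metadata": meta("example-tls"),
                     "spec": {"secretName": "example-tls",
                              "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"},
                              "commonName": "example.com", "dnsNames": ["example.com", "www.example.com"]}}]
    def rule(h):
        return {"host": h, "http": {"paths": [{"path": "/", "pathType": "Prefix",
                "backend": {"service": {"name": "my-service", "port": {"number": 80}}}}]}}
    clean = {"kind": "Ingress", "metadata": meta("tls-ingress"),
             "spec": {"tls": [{"hosts": ["example.com"], "secretName": "tls-secret"}],
                      "rules": [rule("example.com")]}}
    flawed = {"kind": "Ingress", "metadata": meta("tls-ingress"),
              "spec": {"tls": [{"hosts": ["example.com"], "secretName": "tls-secret"},
                               {"hosts": ["www.example.com", "api.example.com"], "secretName": "example-tls"},
                               {"hosts": ["old.example.com"], "secretName": "raw-secret"}],
                       "rules": [rule(h) for h in ("example.com", "www.example.com",
                                                   "api.example.com", "legacy.example.com")]}}
    return {"clean": clean, "flawed": flawed, "secrets": secrets, "certificates": certificates}
```

Running `lint_ingress_tls` over the flawed Ingress yields five findings: the Certificate does not request `api.example.com`, `raw-secret` has the wrong type and an unencoded `tls.crt`, the `old.example.com` TLS host has no rule, and `legacy.example.com` is exposed without TLS. The clean variant yields none. The `validate=True` flag in `base64.b64decode` is what catches raw PEM pasted under `data:` (the dashes and newlines are not base64 alphabet), the mistake that `stringData:` exists to avoid.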
