Only allow requests from inside the namespace
- Deny all requests from namespaces other than default to resources in the default namespace. Once a pod is selected by any NetworkPolicy, every ingress that no policy explicitly allows is dropped, so this policy also blocks traffic arriving from outside the cluster. Enforcement depends on the CNI plugin: a cluster whose network plugin does not implement NetworkPolicy accepts these objects but never enforces them.

```yaml
# networking.k8s.io/v1 is the current API; the original used extensions/v1beta1,
# which was removed in Kubernetes 1.16.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-default
  namespace: default
spec:
  ingress:
  - from:
    - podSelector: {}      # any pod in the same (default) namespace
  podSelector: {}          # selects every pod in the default namespace
  policyTypes:
  - Ingress
```
Isolating requests within the namespace
- Within the default namespace, only allow pods labelled app: testredis to reach port 6379 of pods labelled app: default-redis-rc-2. NetworkPolicies are additive: the ingress allowed to a pod is the union of the rules of every policy that selects it. While deny-default above is also applied, it already lets every pod in default reach the redis pod, so this policy adds no restriction; remove deny-default (or narrow its podSelector) for the app: testredis limit to take effect.

```yaml
apiVersion: networking.k8s.io/v1   # original: extensions/v1beta1 (removed in 1.16)
kind: NetworkPolicy
metadata:
  labels:
    app: default-redis-rc-2
  name: ns-pod2pod
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:         # bare podSelector: pods in this policy's namespace only
        matchLabels:
          app: testredis
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      app: default-redis-rc-2
  policyTypes:
  - Ingress
```
Requests from within the namespace, selected by namespace label
- Only allow the namespace labelled project: default to access port 6379 of app: default-redis-rc-2. A namespaceSelector matches labels on the Namespace object, which carries none by default, so label it first (for example `kubectl label namespace default project=default`). The original listing omitted `port: 6379` under `ports`, which would have opened every TCP port; it is restored here to match the description.

```yaml
apiVersion: networking.k8s.io/v1   # original: extensions/v1beta1 (removed in 1.16)
kind: NetworkPolicy
metadata:
  labels:
    app: default-redis-rc-2
  name: pod2pod
  namespace: default
spec:
  ingress:
  - from:
    - namespaceSelector:   # any pod in a namespace labelled project=default
        matchLabels:
          project: default
    ports:
    - port: 6379           # without this line the rule allows all TCP ports
      protocol: TCP
  podSelector:
    matchLabels:
      app: default-redis-rc-2
  policyTypes:
  - Ingress
```
Requests from other namespaces in the cluster
- Allow the namespace labelled project: michael to access port 6379 of app: default-redis-rc-2 in the default namespace. Because the rule uses only a namespaceSelector, every pod in a matching namespace qualifies; combine it with a podSelector in the same `from` entry to restrict to particular pods there.

```yaml
apiVersion: networking.k8s.io/v1   # original: extensions/v1beta1 (removed in 1.16)
kind: NetworkPolicy
metadata:
  labels:
    app: default-redis-rc-2
  name: pod2ns
  namespace: default
spec:
  ingress:
  - from:
    - namespaceSelector:   # any pod in a namespace labelled project=michael
        matchLabels:
          project: michael
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      app: default-redis-rc-2
  policyTypes:
  - Ingress
```
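To check how these policies interact before applying them, the following is an added example (not from the original page) implementing the ingress matching rules the four policies rely on: a pod selected by no policy is open, a selected pod receives only what some rule allows, and the allowances of several policies are unioned. The namespace labels, pods and flattened policy dicts are constructed here as assumptions.

```python
def match_labels(selector, labels):
    """Empty selector matches everything; otherwise every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, policy_ns, namespaces):
    """One entry of a rule's 'from' list: a bare podSelector is scoped to the policy's own
    namespace; a namespaceSelector matches any namespace with those labels; both must match if combined."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not match_labels(ns_sel, namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return pod_sel is None or match_labels(pod_sel, src["labels"])

def port_matches(ports, port, proto):
    """No ports list means every port; an entry without 'port' means every port of that protocol."""
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port", port) == port
                            for p in ports)

def allowed(src, dst, port, proto, policies, namespaces):
    """Ingress to dst is open when no policy selects it; otherwise it is the union of the
    rules of every selecting policy (one policy can never narrow another)."""
    selecting = [p for p in policies if p["namespace"] == dst["namespace"]
                 and match_labels(p["podSelector"], dst["labels"])]
    if not selecting:
        return True
    return any(port_matches(rule.get("ports"), port, proto)
               and (not rule.get("from")
                    or any(peer_matches(f, src, pol["namespace"], namespaces) for f in rule["from"]))
               for pol in selecting for rule in pol.get("ingress", []))

# Constructed sample cluster: namespace labels and a few pods (assumptions, not from the page).
NAMESPACES = {"default": {"project": "default"}, "michael": {"project": "michael"}}
REDIS = {"namespace": "default", "labels": {"app": "default-redis-rc-2"}}
TESTREDIS = {"namespace": "default", "labels": {"app": "testredis"}}
WEB = {"namespace": "default", "labels": {"app": "web"}}
MICHAEL_POD = {"namespace": "michael", "labels": {"app": "client"}}
# The page's policies, flattened to the fields the evaluator reads.
DENY_DEFAULT = {"namespace": "default", "podSelector": {},
                "ingress": [{"from": [{"podSelector": {}}]}]}
NS_POD2POD = {"namespace": "default", "podSelector": {"matchLabels": {"app": "default-redis-rc-2"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "testredis"}}}],
                           "ports": [{"port": 6379, "protocol": "TCP"}]}]}
POD2NS = {"namespace": "default", "podSelector": {"matchLabels": {"app": "default-redis-rc-2"}},
          "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"project": "michael"}}}],
                       "ports": [{"port": 6379, "protocol": "TCP"}]}]}

def redis_reachable(src, policies, port=6379, proto="TCP"):
    return allowed(src, REDIS, port, proto, policies, NAMESPACES)
```

Running `redis_reachable(WEB, [NS_POD2POD, DENY_DEFAULT])` shows the additive effect: the unrelated web pod reaches redis as soon as deny-default is present alongside the narrower policy.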