2017-09-03 15:58:39 +08:00
<!DOCTYPE HTML>
< html lang = "zh-cn" >
< head >
< meta charset = "UTF-8" >
< meta content = "text/html; charset=utf-8" http-equiv = "Content-Type" >
< title > 2.2.19 NetworkPolicy · Kubernetes Handbook< / title >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" / >
< meta name = "description" content = "" >
< meta name = "generator" content = "GitBook 3.2.2" >
< meta name = "author" content = "Jimmy Song" >
< link rel = "stylesheet" href = "../gitbook/style.css" >
< link rel = "stylesheet" href = "../gitbook/gitbook-plugin-splitter/splitter.css" >
< link rel = "stylesheet" href = "../gitbook/gitbook-plugin-page-toc-button/plugin.css" >
< link rel = "stylesheet" href = "../gitbook/gitbook-plugin-image-captions/image-captions.css" >
< link rel = "stylesheet" href = "../gitbook/gitbook-plugin-page-footer-ex/style/plugin.css" >
< link rel = "stylesheet" href = "../gitbook/gitbook-plugin-search-plus/search.css" >
< link rel = "stylesheet" href = "../gitbook/gitbook-plugin-highlight/website.css" >
< link rel = "stylesheet" href = "../gitbook/gitbook-plugin-fontsettings/website.css" >
< meta name = "HandheldFriendly" content = "true" / >
< meta name = "viewport" content = "width=device-width, initial-scale=1, user-scalable=no" >
< meta name = "apple-mobile-web-app-capable" content = "yes" >
< meta name = "apple-mobile-web-app-status-bar-style" content = "black" >
< link rel = "apple-touch-icon-precomposed" sizes = "152x152" href = "../gitbook/images/apple-touch-icon-precomposed-152.png" >
< link rel = "shortcut icon" href = "../gitbook/images/favicon.ico" type = "image/x-icon" >
< link rel = "next" href = "../guide/" / >
< link rel = "prev" href = "garbage-collection.html" / >
< / head >
< body >
< div class = "book" >
< div class = "book-summary" >
< div id = "book-search-input" role = "search" >
< input type = "text" placeholder = "輸入並搜尋" / >
< / div >
< nav role = "navigation" >
< ul class = "summary" >
< li class = "chapter " data-level = "1.1" data-path = "../" >
< a href = "../" >
1. 前言
< / a >
< / li >
< li class = "chapter " data-level = "1.2" data-path = "./" >
< a href = "./" >
2. 概念原理
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.2.1" data-path = "concepts.html" >
< a href = "concepts.html" >
2.1 设计理念
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2" data-path = "objects.html" >
< a href = "objects.html" >
2.2 Objects
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.2.2.1" data-path = "pod-overview.html" >
< a href = "pod-overview.html" >
2.2.1 Pod
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.2.2.1.1" data-path = "pod.html" >
< a href = "pod.html" >
2.2.1.1 Pod解析
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.1.2" data-path = "init-containers.html" >
< a href = "init-containers.html" >
2.2.1.2 Init容器
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.1.3" data-path = "pod-security-policy.html" >
< a href = "pod-security-policy.html" >
2.2.1.3 Pod安全策略
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.2.2.2" data-path = "node.html" >
< a href = "node.html" >
2.2.2 Node
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.3" data-path = "namespace.html" >
< a href = "namespace.html" >
2.2.3 Namespace
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.4" data-path = "service.html" >
< a href = "service.html" >
2.2.4 Service
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.5" data-path = "volume.html" >
< a href = "volume.html" >
2.2.5 Volume和Persistent Volume
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.6" data-path = "deployment.html" >
< a href = "deployment.html" >
2.2.6 Deployment
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.7" data-path = "secret.html" >
< a href = "secret.html" >
2.2.7 Secret
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.8" data-path = "statefulset.html" >
< a href = "statefulset.html" >
2.2.8 StatefulSet
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.9" data-path = "daemonset.html" >
< a href = "daemonset.html" >
2.2.9 DaemonSet
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.10" data-path = "serviceaccount.html" >
< a href = "serviceaccount.html" >
2.2.10 ServiceAccount
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.11" data-path = "replicaset.html" >
< a href = "replicaset.html" >
2.2.11 ReplicationController和ReplicaSet
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.12" data-path = "job.html" >
< a href = "job.html" >
2.2.12 Job
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.13" data-path = "cronjob.html" >
< a href = "cronjob.html" >
2.2.13 CronJob
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.14" data-path = "ingress.html" >
< a href = "ingress.html" >
2.2.14 Ingress
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.15" data-path = "configmap.html" >
< a href = "configmap.html" >
2.2.15 ConfigMap
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.16" data-path = "horizontal-pod-autoscaling.html" >
< a href = "horizontal-pod-autoscaling.html" >
2.2.16 Horizontal Pod Autoscaling
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.17" data-path = "label.html" >
< a href = "label.html" >
2.2.17 Label
< / a >
< / li >
< li class = "chapter " data-level = "1.2.2.18" data-path = "garbage-collection.html" >
< a href = "garbage-collection.html" >
2.2.18 垃圾收集
< / a >
< / li >
< li class = "chapter active" data-level = "1.2.2.19" data-path = "network-policy.html" >
< a href = "network-policy.html" >
2.2.19 NetworkPolicy
< / a >
< / li >
< / ul >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.3" data-path = "../guide/" >
< a href = "../guide/" >
3. 用户指南
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.3.1" data-path = "../guide/resource-configuration.html" >
< a href = "../guide/resource-configuration.html" >
3.1 资源配置
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.3.1.1" data-path = "../guide/configure-liveness-readiness-probes.html" >
< a href = "../guide/configure-liveness-readiness-probes.html" >
3.1.1 配置Pod的liveness和readiness探针
< / a >
< / li >
< li class = "chapter " data-level = "1.3.1.2" data-path = "../guide/configure-pod-service-account.html" >
< a href = "../guide/configure-pod-service-account.html" >
3.1.2 配置Pod的Service Account
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.3.2" data-path = "../guide/command-usage.html" >
< a href = "../guide/command-usage.html" >
3.2 命令使用
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.3.2.1" data-path = "../guide/using-kubectl.html" >
< a href = "../guide/using-kubectl.html" >
3.2.1 使用kubectl
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.3.3" data-path = "../guide/cluster-management.html" >
< a href = "../guide/cluster-management.html" >
3.3 集群管理
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.3.3.1" data-path = "../guide/managing-tls-in-a-cluster.html" >
< a href = "../guide/managing-tls-in-a-cluster.html" >
3.3.1 管理集群中的TLS
< / a >
< / li >
< li class = "chapter " data-level = "1.3.3.2" data-path = "../guide/kubelet-authentication-authorization.html" >
< a href = "../guide/kubelet-authentication-authorization.html" >
3.3.2 kubelet的认证授权
< / a >
< / li >
< li class = "chapter " data-level = "1.3.3.3" data-path = "../guide/tls-bootstrapping.html" >
< a href = "../guide/tls-bootstrapping.html" >
3.3.3 TLS bootstrap
< / a >
< / li >
< li class = "chapter " data-level = "1.3.3.4" data-path = "../guide/kubectl-user-authentication-authorization.html" >
< a href = "../guide/kubectl-user-authentication-authorization.html" >
3.3.4 kubectl的用户认证授权
< / a >
< / li >
< li class = "chapter " data-level = "1.3.3.5" data-path = "../guide/rbac.html" >
< a href = "../guide/rbac.html" >
3.3.5 RBAC——基于角色的访问控制
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.3.4" data-path = "../guide/access-kubernetes-cluster.html" >
< a href = "../guide/access-kubernetes-cluster.html" >
3.4 访问 Kubernetes 集群
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.3.4.1" data-path = "../guide/access-cluster.html" >
< a href = "../guide/access-cluster.html" >
3.4.1 访问集群
< / a >
< / li >
< li class = "chapter " data-level = "1.3.4.2" data-path = "../guide/authenticate-across-clusters-kubeconfig.html" >
< a href = "../guide/authenticate-across-clusters-kubeconfig.html" >
3.4.2 使用 kubeconfig 文件配置跨集群认证
< / a >
< / li >
< li class = "chapter " data-level = "1.3.4.3" data-path = "../guide/connecting-to-applications-port-forward.html" >
< a href = "../guide/connecting-to-applications-port-forward.html" >
3.4.3 通过端口转发访问集群中的应用程序
< / a >
< / li >
< li class = "chapter " data-level = "1.3.4.4" data-path = "../guide/service-access-application-cluster.html" >
< a href = "../guide/service-access-application-cluster.html" >
3.4.4 使用 service 访问群集中的应用程序
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.3.5" data-path = "../guide/application-development-deployment-flow.html" >
< a href = "../guide/application-development-deployment-flow.html" >
3.5 在kubernetes中开发部署应用
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.3.5.1" data-path = "../guide/deploy-applications-in-kubernetes.html" >
< a href = "../guide/deploy-applications-in-kubernetes.html" >
3.5.1 适用于kubernetes的应用开发部署流程
< / a >
< / li >
< li class = "chapter " data-level = "1.3.5.2" data-path = "../guide/migrating-hadoop-yarn-to-kubernetes.html" >
< a href = "../guide/migrating-hadoop-yarn-to-kubernetes.html" >
3.5.2 迁移传统应用到kubernetes中——以Hadoop YARN为例
< / a >
< / li >
< / ul >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.4" data-path = "../practice/" >
< a href = "../practice/" >
4. 最佳实践
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.4.1" data-path = "../practice/install-kbernetes1.6-on-centos.html" >
< a href = "../practice/install-kbernetes1.6-on-centos.html" >
4.1 在CentOS上部署kubernetes1.6集群
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.4.1.1" data-path = "../practice/create-tls-and-secret-key.html" >
< a href = "../practice/create-tls-and-secret-key.html" >
4.1.1 创建TLS证书和秘钥
< / a >
< / li >
< li class = "chapter " data-level = "1.4.1.2" data-path = "../practice/create-kubeconfig.html" >
< a href = "../practice/create-kubeconfig.html" >
4.1.2 创建kubeconfig文件
< / a >
< / li >
< li class = "chapter " data-level = "1.4.1.3" data-path = "../practice/etcd-cluster-installation.html" >
< a href = "../practice/etcd-cluster-installation.html" >
4.1.3 创建高可用etcd集群
< / a >
< / li >
< li class = "chapter " data-level = "1.4.1.4" data-path = "../practice/kubectl-installation.html" >
< a href = "../practice/kubectl-installation.html" >
4.1.4 安装kubectl命令行工具
< / a >
< / li >
< li class = "chapter " data-level = "1.4.1.5" data-path = "../practice/master-installation.html" >
< a href = "../practice/master-installation.html" >
4.1.5 部署master节点
< / a >
< / li >
< li class = "chapter " data-level = "1.4.1.6" data-path = "../practice/node-installation.html" >
< a href = "../practice/node-installation.html" >
4.1.6 部署node节点
< / a >
< / li >
< li class = "chapter " data-level = "1.4.1.7" data-path = "../practice/kubedns-addon-installation.html" >
< a href = "../practice/kubedns-addon-installation.html" >
4.1.7 安装kubedns插件
< / a >
< / li >
< li class = "chapter " data-level = "1.4.1.8" data-path = "../practice/dashboard-addon-installation.html" >
< a href = "../practice/dashboard-addon-installation.html" >
4.1.8 安装dashboard插件
< / a >
< / li >
< li class = "chapter " data-level = "1.4.1.9" data-path = "../practice/heapster-addon-installation.html" >
< a href = "../practice/heapster-addon-installation.html" >
4.1.9 安装heapster插件
< / a >
< / li >
< li class = "chapter " data-level = "1.4.1.10" data-path = "../practice/efk-addon-installation.html" >
< a href = "../practice/efk-addon-installation.html" >
4.1.10 安装EFK插件
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.4.2" data-path = "../practice/service-discovery-and-loadbalancing.html" >
< a href = "../practice/service-discovery-and-loadbalancing.html" >
4.2 服务发现与负载均衡
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.4.2.1" data-path = "../practice/traefik-ingress-installation.html" >
< a href = "../practice/traefik-ingress-installation.html" >
4.2.1 安装Traefik ingress
< / a >
< / li >
< li class = "chapter " data-level = "1.4.2.2" data-path = "../practice/distributed-load-test.html" >
< a href = "../practice/distributed-load-test.html" >
4.2.2 分布式负载测试
< / a >
< / li >
< li class = "chapter " data-level = "1.4.2.3" data-path = "../practice/network-and-cluster-perfermance-test.html" >
< a href = "../practice/network-and-cluster-perfermance-test.html" >
4.2.3 网络和集群性能测试
< / a >
< / li >
< li class = "chapter " data-level = "1.4.2.4" data-path = "../practice/edge-node-configuration.html" >
< a href = "../practice/edge-node-configuration.html" >
4.2.4 边缘节点配置
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.4.3" data-path = "../practice/operation.html" >
< a href = "../practice/operation.html" >
4.3 运维管理
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.4.3.1" data-path = "../practice/service-rolling-update.html" >
< a href = "../practice/service-rolling-update.html" >
4.3.1 服务滚动升级
< / a >
< / li >
< li class = "chapter " data-level = "1.4.3.2" data-path = "../practice/app-log-collection.html" >
< a href = "../practice/app-log-collection.html" >
4.3.2 应用日志收集
< / a >
< / li >
< li class = "chapter " data-level = "1.4.3.3" data-path = "../practice/configuration-best-practice.html" >
< a href = "../practice/configuration-best-practice.html" >
4.3.3 配置最佳实践
< / a >
< / li >
< li class = "chapter " data-level = "1.4.3.4" data-path = "../practice/monitor.html" >
< a href = "../practice/monitor.html" >
4.3.4 集群及应用监控
< / a >
< / li >
< li class = "chapter " data-level = "1.4.3.5" data-path = "../practice/jenkins-ci-cd.html" >
< a href = "../practice/jenkins-ci-cd.html" >
4.3.5 使用Jenkins进行持续构建与发布
< / a >
< / li >
< li class = "chapter " data-level = "1.4.3.6" data-path = "../practice/data-persistence-problem.html" >
< a href = "../practice/data-persistence-problem.html" >
4.3.6 数据持久化问题
< / a >
< / li >
< li class = "chapter " data-level = "1.4.3.7" data-path = "../practice/manage-compute-resources-container.html" >
< a href = "../practice/manage-compute-resources-container.html" >
4.3.7 管理容器的计算资源
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.4.4" data-path = "../practice/storage.html" >
< a href = "../practice/storage.html" >
4.4 存储管理
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.4.4.1" data-path = "../practice/glusterfs.html" >
< a href = "../practice/glusterfs.html" >
4.4.1 GlusterFS
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.4.4.1.1" data-path = "../practice/using-glusterfs-for-persistent-storage.html" >
< a href = "../practice/using-glusterfs-for-persistent-storage.html" >
4.4.1.1 使用GlusterFS做持久化存储
< / a >
< / li >
< li class = "chapter " data-level = "1.4.4.1.2" data-path = "../practice/storage-for-containers-using-glusterfs-with-openshift.html" >
< a href = "../practice/storage-for-containers-using-glusterfs-with-openshift.html" >
4.4.1.2 在OpenShift中使用GlusterFS做持久化存储
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.4.4.2" data-path = "../practice/cephfs.html" >
< a href = "../practice/cephfs.html" >
4.4.2 CephFS
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.4.4.2.1" data-path = "../practice/using-ceph-for-persistent-storage.html" >
< a href = "../practice/using-ceph-for-persistent-storage.html" >
4.4.2.1 使用Ceph做持久化存储
< / a >
< / li >
< / ul >
< / li >
< / ul >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.5" data-path = "../usecases/" >
< a href = "../usecases/" >
5. 领域应用
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.5.1" data-path = "../usecases/microservices.html" >
< a href = "../usecases/microservices.html" >
5.1 微服务架构
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.5.1.1" data-path = "../usecases/istio.html" >
< a href = "../usecases/istio.html" >
5.1.1 Istio
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.5.1.1.1" data-path = "../usecases/istio-installation.html" >
< a href = "../usecases/istio-installation.html" >
5.1.1.1 安装istio
< / a >
< / li >
< li class = "chapter " data-level = "1.5.1.1.2" data-path = "../usecases/configuring-request-routing.html" >
< a href = "../usecases/configuring-request-routing.html" >
5.1.1.2 配置请求的路由规则
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.5.1.2" data-path = "../usecases/linkerd.html" >
< a href = "../usecases/linkerd.html" >
5.1.2 Linkerd
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.5.1.2.1" data-path = "../usecases/linkerd-user-guide.html" >
< a href = "../usecases/linkerd-user-guide.html" >
5.1.2.1 Linkerd 使用指南
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.5.1.3" data-path = "../usecases/service-discovery-in-microservices.html" >
< a href = "../usecases/service-discovery-in-microservices.html" >
5.1.3 微服务中的服务发现
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.5.2" data-path = "../usecases/big-data.html" >
< a href = "../usecases/big-data.html" >
5.2 大数据
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.5.2.1" data-path = "../usecases/spark-standalone-on-kubernetes.html" >
< a href = "../usecases/spark-standalone-on-kubernetes.html" >
5.2.1 Spark standalone on Kubernetes
< / a >
< / li >
< li class = "chapter " data-level = "1.5.2.2" data-path = "../usecases/support-spark-natively-in-kubernetes.html" >
< a href = "../usecases/support-spark-natively-in-kubernetes.html" >
5.2.2 运行支持kubernetes原生调度的Spark程序
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.5.3" data-path = "../usecases/serverless.html" >
< a href = "../usecases/serverless.html" >
5.3 Serverless架构
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.6" data-path = "../develop/" >
< a href = "../develop/" >
6. 开发指南
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.6.1" data-path = "../develop/developing-environment.html" >
< a href = "../develop/developing-environment.html" >
6.1 开发环境搭建
< / a >
< / li >
< li class = "chapter " data-level = "1.6.2" data-path = "../develop/testing.html" >
< a href = "../develop/testing.html" >
6.2 单元测试和集成测试
< / a >
< / li >
< li class = "chapter " data-level = "1.6.3" data-path = "../develop/client-go-sample.html" >
< a href = "../develop/client-go-sample.html" >
6.3 client-go示例
< / a >
< / li >
< li class = "chapter " data-level = "1.6.4" data-path = "../develop/contribute.html" >
< a href = "../develop/contribute.html" >
6.4 社区贡献
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "1.7" data-path = "../appendix/" >
< a href = "../appendix/" >
7. 附录
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "1.7.1" data-path = "../appendix/docker-best-practice.html" >
< a href = "../appendix/docker-best-practice.html" >
7.1 Docker最佳实践
< / a >
< / li >
< li class = "chapter " data-level = "1.7.2" data-path = "../appendix/issues.html" >
< a href = "../appendix/issues.html" >
7.2 问题记录
< / a >
< / li >
< li class = "chapter " data-level = "1.7.3" data-path = "../appendix/tricks.html" >
< a href = "../appendix/tricks.html" >
7.3 使用技巧
< / a >
< / li >
< / ul >
< / li >
< li class = "divider" > < / li >
< li >
< a href = "https://www.gitbook.com" target = "blank" class = "gitbook-link" >
本書使用 GitBook 釋出
< / a >
< / li >
< / ul >
< / nav >
< / div >
< div class = "book-body" >
< div class = "body-inner" >
< div class = "book-header" role = "navigation" >
<!-- Title -->
< h1 >
< i class = "fa fa-circle-o-notch fa-spin" > < / i >
< a href = ".." > 2.2.19 NetworkPolicy< / a >
< / h1 >
< / div >
< div class = "page-wrapper" tabindex = "-1" role = "main" >
< div class = "page-inner" >
< div class = "search-plus" id = "book-search-results" >
< div class = "search-noresults" >
< section class = "normal markdown-section" >
< h1 id = "network-policy" > Network Policy< / h1 >
< p > 网 络 策 略 说 明 一 组 < code > Pod< / code > 之 间 是 如 何 被 允 许 互 相 通 信 , 以 及 如 何 与 其 它 网 络 Endpoint 进 行 通 信 。 < code > NetworkPolicy< / code > 资 源 使 用 标 签 来 选 择 < code > Pod< / code > , 并 定 义 了 一 些 规 则 , 这 些 规 则 指 明 允 许 什 么 流 量 进 入 到 选 中 的 < code > Pod< / code > 上 。 < / p >
< h2 id = "前提条件" > 前 提 条 件 < / h2 >
< p > 网 络 策 略 通 过 网 络 插 件 来 实 现 , 所 以 必 须 使 用 一 种 支 持 < code > NetworkPolicy< / code > 的 网 络 方 案 — — 非 Controller 创 建 的 资 源 , 是 不 起 作 用 的 。 < / p >
< h2 id = "隔离的与未隔离的-pod" > 隔 离 的 与 未 隔 离 的 Pod< / h2 >
< p > 默 认 Pod 是 未 隔 离 的 , 它 们 可 以 从 任 何 的 源 接 收 请 求 。 具 有 一 个 可 以 选 择 Pod 的 网 络 策 略 后 , Pod 就 会 变 成 隔 离 的 。 一 旦 Namespace 中 配 置 的 网 络 策 略 能 够 选 择 一 个 特 定 的 Pod, 这 个 Pod 将 拒 绝 任 何 该 网 络 策 略 不 允 许 的 连 接 。 ( Namespace 中 其 它 未 被 网 络 策 略 选 中 的 Pod 将 继 续 接 收 所 有 流 量 ) < / p >
< h2 id = "networkpolicy-资源" > < code > NetworkPolicy< / code > 资 源 < / h2 >
< p > 查 看 < a href = "https://kubernetes.io/docs/api-reference/v1.7/#networkpolicy-v1-networking" target = "_blank" > API参 考 < / a > 可 以 获 取 该 资 源 的 完 整 定 义 。 < / p >
< p > 下 面 是 一 个 < code > NetworkPolicy< / code > 的 例 子 : < / p >
< pre > < code class = "lang-yaml" > < span class = "hljs-attr" > apiVersion:< / span > networking.k8s.io/v1
< span class = "hljs-attr" > kind:< / span > NetworkPolicy
< span class = "hljs-attr" > metadata:< / span >
< span class = "hljs-attr" > name:< / span > test-network-policy
< span class = "hljs-attr" > namespace:< / span > default
< span class = "hljs-attr" > spec:< / span >
< span class = "hljs-attr" > podSelector:< / span >
< span class = "hljs-attr" > matchLabels:< / span >
< span class = "hljs-attr" > role:< / span > db
< span class = "hljs-attr" > ingress:< / span >
< span class = "hljs-attr" > - from:< / span >
< span class = "hljs-attr" > - namespaceSelector:< / span >
< span class = "hljs-attr" > matchLabels:< / span >
< span class = "hljs-attr" > project:< / span > myproject
< span class = "hljs-attr" > - podSelector:< / span >
< span class = "hljs-attr" > matchLabels:< / span >
< span class = "hljs-attr" > role:< / span > frontend
< span class = "hljs-attr" > ports:< / span >
< span class = "hljs-attr" > - protocol:< / span > TCP
< span class = "hljs-attr" > port:< / span > < span class = "hljs-number" > 6379< / span >
< / code > < / pre >
< p > < em > 将 上 面 配 置 POST 到 API Server 将 不 起 任 何 作 用 , 除 非 选 择 的 网 络 方 案 支 持 网 络 策 略 。 < / em > < / p >
< p > < strong > 必 选 字 段 < / strong > : 像 所 有 其 它 Kubernetes 配 置 一 样 , < code > NetworkPolicy< / code > 需 要 < code > apiVersion< / code > 、 < code > kind< / code > 和 < code > metadata< / code > 这 三 个 字 段 , 关 于 如 何 使 用 配 置 文 件 的 基 本 信 息 , 可 以 查 看 < a href = "https://kubernetes.io/docs/user-guide/simple-yaml" target = "_blank" > 这 里 < / a > , < a href = "https://kubernetes.io/docs/user-guide/configuring-containers" target = "_blank" > 这 里 < / a > 和 < a href = "https://kubernetes.io/docs/user-guide/working-with-resources" target = "_blank" > 这 里 < / a > 。 < / p >
< p > < strong > spec< / strong > : < code > NetworkPolicy< / code > < a href = "https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status" target = "_blank" > spec< / a > 具 有 在 给 定 Namespace 中 定 义 特 定 网 络 的 全 部 信 息 。 < / p >
< p > < strong > podSelector< / strong > : 每 个 < code > NetworkPolicy< / code > 包 含 一 个 < code > podSelector< / code > , 它 可 以 选 择 一 组 应 用 了 网 络 策 略 的 Pod。 由 于 < code > NetworkPolicy< / code > 当 前 只 支 持 定 义 < code > ingress< / code > 规 则 , 这 个 < code > podSelector< / code > 实 际 上 为 该 策 略 定 义 了 一 组 “ 目 标 Pod” 。 示 例 中 的 策 略 选 择 了 标 签 为 “ role=db” 的 Pod。 一 个 空 的 < code > podSelector< / code > 选 择 了 该 Namespace 中 的 所 有 Pod。 < / p >
< p > < strong > ingress< / strong > : 每 个 < code > NetworkPolicy< / code > 包 含 了 一 个 白 名 单 < code > ingress< / code > 规 则 列 表 。 每 个 规 则 只 允 许 能 够 匹 配 上 < code > from< / code > 和 < code > ports< / code > 配 置 段 的 流 量 。 示 例 策 略 包 含 了 单 个 规 则 , 它 从 这 两 个 源 中 匹 配 在 单 个 端 口 上 的 流 量 , 第 一 个 是 通 过 < code > namespaceSelector< / code > 指 定 的 , 第 二 个 是 通 过 < code > podSelector< / code > 指 定 的 。 < / p >
< p > 因 此 , 上 面 示 例 的 NetworkPolicy: < / p >
< ol >
< li > 在 “ default” Namespace中 隔 离 了 标 签 “ role=db” 的 Pod( 如 果 他 们 还 没 有 被 隔 离 ) < / li >
< li > 在 “ default” Namespace中 , 允 许 任 何 具 有 “ role=frontend” 的 Pod, 连 接 到 标 签 为 “ role=db” 的 Pod 的 TCP 端 口 6379< / li >
< li > 允 许 在 Namespace 中 任 何 具 有 标 签 “ project=myproject” 的 Pod, 连 接 到 “ default” Namespace 中 标 签 为 “ role=db” 的 Pod 的 TCP 端 口 6379< / li >
< / ol >
< p > 查 看 < a href = "https://kubernetes.io/docs/getting-started-guides/network-policy/walkthrough" target = "_blank" > NetworkPolicy 入 门 指 南 < / a > 给 出 的 更 进 一 步 的 例 子 。 < / p >
< h2 id = "默认策略" > 默 认 策 略 < / h2 >
< p > 通 过 创 建 一 个 可 以 选 择 所 有 Pod 但 不 允 许 任 何 流 量 的 NetworkPolicy, 你 可 以 为 一 个 Namespace 创 建 一 个 “ 默 认 的 ” 隔 离 策 略 , 如 下 所 示 : < / p >
< pre > < code class = "lang-Yaml" > < span class = "hljs-attr" > apiVersion:< / span > networking.k8s.io/v1
< span class = "hljs-attr" > kind:< / span > NetworkPolicy
< span class = "hljs-attr" > metadata:< / span >
< span class = "hljs-attr" > name:< / span > default-deny
< span class = "hljs-attr" > spec:< / span >
< span class = "hljs-attr" > podSelector:< / span >
< / code > < / pre >
< p > 这 确 保 了 即 使 是 没 有 被 任 何 NetworkPolicy 选 中 的 Pod, 将 仍 然 是 被 隔 离 的 。 < / p >
< p > 可 选 地 , 在 Namespace 中 , 如 果 你 想 允 许 所 有 的 流 量 进 入 到 所 有 的 Pod( 即 使 已 经 添 加 了 某 些 策 略 , 使 一 些 Pod 被 处 理 为 “ 隔 离 的 ” ) , 你 可 以 通 过 创 建 一 个 策 略 来 显 式 地 指 定 允 许 所 有 流 量 : < / p >
< pre > < code class = "lang-yaml" > < span class = "hljs-attr" > apiVersion:< / span > networking.k8s.io/v1
< span class = "hljs-attr" > kind:< / span > NetworkPolicy
< span class = "hljs-attr" > metadata:< / span >
< span class = "hljs-attr" > name:< / span > allow-all
< span class = "hljs-attr" > spec:< / span >
< span class = "hljs-attr" > podSelector:< / span >
< span class = "hljs-attr" > ingress:< / span >
< span class = "hljs-bullet" > -< / span > {}
< / code > < / pre >
< p > 原 文 地 址 : < a href = "https://k8smeetup.github.io/docs/concepts/services-networking/network-policies/" target = "_blank" > https://k8smeetup.github.io/docs/concepts/services-networking/network-policies/< / a > < / p >
< p > 译 者 : < a href = "https://github.com/shirdrn" target = "_blank" > shirdrn< / a > < / p >
< footer class = "page-footer-ex" > < span class = "page-footer-ex-copyright" > for GitBook< / span >                       < span class = "page-footer-ex-footer-update" > update
2017-09-03 14:17:05
< / span > < / footer >
< / section >
< / div >
< div class = "search-results" >
< div class = "has-results" >
< h1 class = "search-results-title" > < span class = 'search-results-count' > < / span > results matching "< span class = 'search-query' > < / span > "< / h1 >
< ul class = "search-results-list" > < / ul >
< / div >
< div class = "no-results" >
< h1 class = "search-results-title" > No results matching "< span class = 'search-query' > < / span > "< / h1 >
< / div >
< / div >
< / div >
< / div >
< / div >
< / div >
< a href = "garbage-collection.html" class = "navigation navigation-prev " aria-label = "Previous page: 2.2.18 垃圾收集" >
< i class = "fa fa-angle-left" > < / i >
< / a >
< a href = "../guide/" class = "navigation navigation-next " aria-label = "Next page: 3. 用户指南" >
< i class = "fa fa-angle-right" > < / i >
< / a >
< / div >
< script >
var gitbook = gitbook || [];
gitbook.push(function() {
2017-09-04 11:47:07 +08:00
gitbook.page.hasChanged({"page":{"title":"2.2.19 NetworkPolicy","level":"1.2.2.19","depth":3,"next":{"title":"3. 用户指南","level":"1.3","depth":1,"path":"guide/index.md","ref":"guide/index.md","articles":[{"title":"3.1 资源配置","level":"1.3.1","depth":2,"path":"guide/resource-configuration.md","ref":"guide/resource-configuration.md","articles":[{"title":"3.1.1 配置Pod的liveness和readiness探针","level":"1.3.1.1","depth":3,"path":"guide/configure-liveness-readiness-probes.md","ref":"guide/configure-liveness-readiness-probes.md","articles":[]},{"title":"3.1.2 配置Pod的Service Account","level":"1.3.1.2","depth":3,"path":"guide/configure-pod-service-account.md","ref":"guide/configure-pod-service-account.md","articles":[]}]},{"title":"3.2 命令使用","level":"1.3.2","depth":2,"path":"guide/command-usage.md","ref":"guide/command-usage.md","articles":[{"title":"3.2.1 使用kubectl","level":"1.3.2.1","depth":3,"path":"guide/using-kubectl.md","ref":"guide/using-kubectl.md","articles":[]}]},{"title":"3.3 集群管理","level":"1.3.3","depth":2,"path":"guide/cluster-management.md","ref":"guide/cluster-management.md","articles":[{"title":"3.3.1 管理集群中的TLS","level":"1.3.3.1","depth":3,"path":"guide/managing-tls-in-a-cluster.md","ref":"guide/managing-tls-in-a-cluster.md","articles":[]},{"title":"3.3.2 kubelet的认证授权","level":"1.3.3.2","depth":3,"path":"guide/kubelet-authentication-authorization.md","ref":"guide/kubelet-authentication-authorization.md","articles":[]},{"title":"3.3.3 TLS bootstrap","level":"1.3.3.3","depth":3,"path":"guide/tls-bootstrapping.md","ref":"guide/tls-bootstrapping.md","articles":[]},{"title":"3.3.4 kubectl的用户认证授权","level":"1.3.3.4","depth":3,"path":"guide/kubectl-user-authentication-authorization.md","ref":"guide/kubectl-user-authentication-authorization.md","articles":[]},{"title":"3.3.5 RBAC——基于角色的访问控制","level":"1.3.3.5","depth":3,"path":"guide/rbac.md","ref":"guide/rbac.md","articles":[]}]},{"title":"3.4 访问 Kubernetes 集群","level":"1.3.4","depth":2,"path":"guide/access-kubernetes-cluster.md","ref":"guide/access-kubernetes-cluster.md","articles":[{"title":"3.4.1 访问集群","level":"1.3.4.1","depth":3,"path":"guide/access-cluster.md","ref":"guide/access-cluster.md","articles":[]},{"title":"3.4.2 使用 kubeconfig 文件配置跨集群认证","level":"1.3.4.2","depth":3,"path":"guide/authenticate-across-clusters-kubeconfig.md","ref":"guide/authenticate-across-clusters-kubeconfig.md","articles":[]},{"title":"3.4.3 通过端口转发访问集群中的应用程序","level":"1.3.4.3","depth":3,"path":"guide/connecting-to-applications-port-forward.md","ref":"guide/connecting-to-applications-port-forward.md","articles":[]},{"title":"3.4.4 使用 service 访问群集中的应用程序","level":"1.3.4.4","depth":3,"path":"guide/service-access-application-cluster.md","ref":"guide/service-access-application-cluster.md","articles":[]}]},{"title":"3.5 在kubernetes中开发部署应用","level":"1.3.5","depth":2,"path":"guide/application-development-deployment-flow.md","ref":"guide/application-development-deployment-flow.md","articles":[{"title":"3.5.1 适用于kubernetes的应用开发部署流程","level":"1.3.5.1","depth":3,"path":"guide/deploy-applications-in-kubernetes.md","ref":"guide/deploy-applications-in-kubernetes.md","articles":[]},{"title":"3.5.2 迁移传统应用到kubernetes中——以Hadoop YARN为例","level":"1.3.5.2","depth":3,"path":"guide/migrating-hadoop-yarn-to-kubernetes.md","ref":"guide/migrating-hadoop-yarn-to-kubernetes.md","articles":[]}]}]},"previous":{"title":"2.2.18 垃圾收集","level":"1.2.2.18","depth":3,"path":"concepts/garbage-collection.md","ref":"concepts/garbage-collection.md","articles":[]},"dir":"ltr"},"config":{"plugins":["github","codesnippet","splitter","page-toc-button","image-captions","page-footer-ex","editlink","-lunr","-search","search-plus"],"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/eboo
2017-09-03 15:58:39 +08:00
});
< / script >
< / div >
< script src = "../gitbook/gitbook.js" > < / script >
< script src = "../gitbook/theme.js" > < / script >
< script src = "../gitbook/gitbook-plugin-github/plugin.js" > < / script >
< script src = "../gitbook/gitbook-plugin-splitter/splitter.js" > < / script >
< script src = "../gitbook/gitbook-plugin-page-toc-button/plugin.js" > < / script >
< script src = "../gitbook/gitbook-plugin-editlink/plugin.js" > < / script >
< script src = "../gitbook/gitbook-plugin-search-plus/jquery.mark.min.js" > < / script >
< script src = "../gitbook/gitbook-plugin-search-plus/search.js" > < / script >
< script src = "../gitbook/gitbook-plugin-sharing/buttons.js" > < / script >
< script src = "../gitbook/gitbook-plugin-fontsettings/fontsettings.js" > < / script >
< / body >
< / html >