---

title: Kubernetes NetworkPolicy Security Isolation in Practice

keywords:

  • NetworkPolicy
  • isolation
  • ingress
  • egress
  • namespaceSelector

description: Implementing namespace- and Pod-level network isolation with NetworkPolicy, with manifest examples for default deny and selective allow.

categories:

  • Articles and news
  • Technical tutorials

---

Kubernetes NetworkPolicy Security Isolation in Practice

Default deny for ingress

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: app
spec:
  podSelector: {}
  policyTypes: [Ingress]

Allow a specific source to reach Pods labelled app=web

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-api
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: app
          podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 80

Egress restriction example

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: [Egress]
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/16
      ports:
        - protocol: TCP
          port: 5432

Summary

Combining ingress and egress policies gives fine-grained network isolation and raises the overall security level.
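To see how the three manifests above combine, here is an added example (not part of the article) that evaluates NetworkPolicy semantics over them: a Pod is isolated in a direction only when some policy with that policyType selects it, policies are additive, and a flow needs both the source's egress and the destination's ingress to allow it. It assumes the namespace app carries the label name=app and that Pod IPs sit in 10.244.0.0/16; the endpoint IPs and labels are constructed.

```python
import ipaddress

# Constructed: the article's three manifests as dicts, plus namespace labels. Assumed:
# namespace "app" is labelled name=app; pod IPs are in 10.244.0.0/16, outside 10.0.0.0/16.
POLICIES = [
    {"ns": "app", "podSelector": {}, "policyTypes": ["Ingress"]},
    {"ns": "app", "podSelector": {"app": "web"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": {"name": "app"}, "podSelector": {"app": "api"}}],
                  "ports": [("TCP", 80)]}]},
    {"ns": "app", "podSelector": {"app": "api"}, "policyTypes": ["Egress"],
     "egress": [{"to": [{"ipBlock": "10.0.0.0/16"}], "ports": [("TCP", 5432)]}]},
]
NS_LABELS = {"app": {"name": "app"}, "other": {"name": "other"}}

def selects(selector, labels):  # matchLabels semantics: an empty selector matches everything
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, ep, policy_ns):  # ep is a pod {ns, labels, ip} or an external {ip}
    if "ipBlock" in peer:
        return ipaddress.ip_address(ep["ip"]) in ipaddress.ip_network(peer["ipBlock"])
    if "ns" not in ep:  # an external endpoint never matches pod/namespace selectors
        return False
    ns_sel = peer.get("namespaceSelector")  # absent: only the policy's own namespace
    ns_ok = ep["ns"] == policy_ns if ns_sel is None else selects(ns_sel, NS_LABELS.get(ep["ns"], {}))
    return ns_ok and selects(peer.get("podSelector", {}), ep["labels"])  # both must hold

def direction_allowed(pod, other, proto, port, kind):  # kind: "Ingress" (pod is dst) / "Egress" (pod is src)
    selecting = [p for p in POLICIES if p["ns"] == pod.get("ns") and kind in p["policyTypes"]
                 and selects(p["podSelector"], pod.get("labels", {}))]
    if not selecting:  # not isolated in this direction (or outside the cluster): allowed
        return True
    key = "from" if kind == "Ingress" else "to"
    for pol in selecting:  # policies are additive: one matching rule is enough
        for rule in pol.get(kind.lower(), []):
            peers, ports = rule.get(key), rule.get("ports")
            if ((peers is None or any(peer_matches(pe, other, pol["ns"]) for pe in peers))
                    and (ports is None or (proto, port) in ports)):
                return True
    return False

def allowed(src, dst, proto, port):  # source egress AND destination ingress must both allow it
    egress_ok = direction_allowed(src, dst, proto, port, "Egress")
    return egress_ok and direction_allowed(dst, src, proto, port, "Ingress")

WEB = {"ns": "app", "labels": {"app": "web"}, "ip": "10.244.0.10"}  # constructed endpoints
API = {"ns": "app", "labels": {"app": "api"}, "ip": "10.244.0.11"}
OTHER = {"ns": "other", "labels": {"app": "api"}, "ip": "10.244.1.5"}
DB = {"ip": "10.0.3.7"}  # database outside the cluster, inside 10.0.0.0/16
DNS = {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}, "ip": "10.244.0.3"}
```

With Pod IPs outside 10.0.0.0/16, the restrict-egress policy also stops api Pods from reaching web and from reaching cluster DNS on port 53, so an egress allow-list needs an explicit rule for every dependency, DNS included.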
