![\"\u56fe\u7247\"](\"\/wp-content\/uploads\/2022\/03\/unnamed-file.png\")
<\/p>\nNetworkPolicy<\/p>\n
\u6307\u7684\u662f\u8bbe\u5b9aPod\u4e4b\u95f4\u7684\u7f51\u7edc\u9694\u79bb\u7b56\u7565,\u9ed8\u8ba4\u662f\u6240\u6709\u4e92\u901a,\u4f46\u662f\u6211\u4eec\u53ef\u4ee5\u8bbe\u7f6e,\u7ed9\u4e0e\u4e00\u4e9b\u767d\u540d\u5355,\u89c4\u5b9a\u767d\u540d\u5355\u4e4b\u5916\u7684\u7f51\u7edc\u8bf7\u6c42\u90fd\u662f\u4e0d\u53ef\u53d6\u7684<\/p>\n
\u53ef\u4ee5\u8bbe\u7f6e\u7684\u5c42\u5ea6\u6709<\/p>\n
\u5141\u8bb8\u7684Pods,\u89c4\u5b9a\u67d0\u4e9bPods\u662f\u5426\u53ef\u4ee5\u88ab\u8bbf\u95ee\u6216\u8005\u53ef\u4ee5\u8bbf\u95ee<\/p>\n
\u67d0\u4e9bnamespaces,\u90a3\u4e9bnamespace\u53ef\u4ee5\u8bbf\u95ee\u6216\u8005\u4e0d\u53ef\u4ee5\u8bbf\u95ee<\/p>\n
IP\u7ec4\u4ef6,\u8bbe\u7f6eCIDR,\u6765\u63a7\u5236\u901a\u4fe1<\/p>\n
NetworkPolicy\u7684\u76f8\u5173\u5bf9\u8c61\u5982\u4e0b<\/p>\n
<\/p>\n
\u90a3\u4e48,\u6211\u4eec\u4f7f\u7528explain\u6765\u67e5\u770b\u4e00\u4e0b\u5bf9\u8c61\u4e2d\u53ef\u9009\u7684\u5b57\u6bb5<\/p>\n
kubectl explain netpol.spec<\/p>\n
| KIND:\u00a0\u00a0\u00a0\u00a0 NetworkPolicy<\/p>\n VERSION:\u00a0 networking.k8s.io\/v1<\/p>\n RESOURCE: spec <Object><\/p>\n DESCRIPTION:<\/p>\n Specification of the desired behavior for this NetworkPolicy.<\/p>\n NetworkPolicySpec provides the specification of a NetworkPolicy<\/p>\n FIELDS:<\/p>\n egress\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <[]Object><\/p>\n List of egress rules to be applied to the selected pods. Outgoing traffic<\/p>\n is allowed if there are no NetworkPolicies selecting the pod (and cluster<\/p>\n policy otherwise allows the traffic), OR if the traffic matches at least<\/p>\n one egress rule across all of the NetworkPolicy objects whose podSelector<\/p>\n matches the pod. If this field is empty then this NetworkPolicy limits all<\/p>\n outgoing traffic (and serves solely to ensure that the pods it selects are<\/p>\n isolated by default). This field is beta-level in 1.8<\/p>\n ingress\u00a0\u00a0\u00a0\u00a0\u00a0 <[]Object><\/p>\n List of ingress rules to be applied to the selected pods. Traffic is<\/p>\n allowed to a pod if there are no NetworkPolicies selecting the pod (and<\/p>\n cluster policy otherwise allows the traffic), OR if the traffic source is<\/p>\n the pod’s local node, OR if the traffic matches at least one ingress rule<\/p>\n across all of the NetworkPolicy objects whose podSelector matches the pod.<\/p>\n If this field is empty then this NetworkPolicy does not allow any traffic<\/p>\n (and serves solely to ensure that the pods it selects are isolated by<\/p>\n default)<\/p>\n podSelector\u00a0 <Object> -required-<\/p>\n Selects the pods to which this NetworkPolicy object applies. The array of<\/p>\n ingress rules is applied to any pods selected by this field. Multiple<\/p>\n network policies can select the same set of pods. In this case, the ingress<\/p>\n rules for each are combined additively. This field is NOT optional and<\/p>\n follows standard label selector semantics. An empty podSelector matches all<\/p>\n pods in this namespace.<\/p>\n policyTypes\u00a0 <[]string><\/p>\n List of rule types that the NetworkPolicy relates to. Valid options are<\/p>\n [“Ingress”], [“Egress”], or [“Ingress”, “Egress”]. If this field is not<\/p>\n specified, it will default based on the existence of Ingress or Egress<\/p>\n rules; policies that contain an Egress section are assumed to affect<\/p>\n Egress, and all policies (whether or not they contain an Ingress section)<\/p>\n are assumed to affect Ingress. If you want to write an egress-only policy,<\/p>\n you must explicitly specify policyTypes [ “Egress” ]. Likewise, if you want<\/p>\n to write a policy that specifies that no egress is allowed, you must<\/p>\n specify a policyTypes value that include “Egress” (since such a policy<\/p>\n would not include an Egress section and would otherwise default to just [<\/p>\n “Ingress” ]). This field is beta-level in 1.8<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u5176\u4e2d\u7684\u9996\u8981\u5b57\u6bb5\u662fpodSelector,\u8fd9\u662f\u4e00\u4e2a\u6807\u51c6\u7684PodSelector\u683c\u5f0f,\u53ea\u8981\u88ab\u8fd9\u4e2a\u9009\u62e9\u5668\u9009\u62e9\u4e86\u7684Pod,\u9ed8\u8ba4\u7f51\u7edc\u90fd\u5c06\u88ab\u5c01\u95ed,\u8fd9\u662f\u4e0d\u914d\u7f6eIngress\u548cEngress\u7684\u60c5\u51b5<\/p>\n \u5176\u6b21\u662f\u5173\u4e8eIngress\u548cEngress,\u4e8c\u8005\u90fd\u662f\u6570\u7ec4,\u4ee3\u8868\u4e86\u5165\u65b9\u5411\u548c\u51fa\u65b9\u5411\u7684\u89c4\u5219<\/p>\n \u6211\u4eec\u9996\u5148\u6765\u770b\u770bIngress\u7684\u4e66\u5199\u65b9\u5f0f<\/p>\n Kubectl explain netpol.spec.ingress<\/p>\n \u4f1a\u88ab\u544a\u77e5\u5305\u542b\u4e24\u4e2a\u5b57\u6bb5,\u5206\u522b\u662ffrom\u548cport<\/p>\n \u5176\u4e2dfrom\u4ecd\u7136\u662f\u4e00\u4e2a\u5bf9\u8c61\u6570\u7ec4,\u6211\u4eec\u7ee7\u7eed\u6700\u7ec8\u4e0b\u53bb\u67e5\u770b<\/p>\n \u5176\u4e2d\u6709\u4e09\u79cd\u7c7b\u578b,\u5206\u522b\u662fipBlock,namespaceSelector,podSelector<\/p>\n IpBlock \u662f\u6307\u7684ip\u6765\u6e90,\u53ef\u4ee5\u8bbe\u7f6e\u8303\u56f4,\u548cexcept\u8868\u793a\u8303\u56f4\u5185\u4e0d\u88ab\u5141\u8bb8\u7684<\/p>\n NamespaceSelector\u53ef\u4ee5\u5339\u914dnamespace\u7684\u6807\u7b7e,\u4ece\u800c\u8bbe\u7f6e\u5141\u8bb8\u7684namespace<\/p>\n PodSelector,\u4e5f\u662f\u548c\u4e0a\u9762\u4e00\u76f4\u7684\u9009\u62e9\u5668,\u8303\u56f4\u4e3aPod<\/p>\n \u5176\u6b21\u662fport,\u56fa\u5b9a\u4e86\u4e0a\u9762\u8bbe\u7f6e\u7684\u767d\u540d\u5355\u53ef\u4ee5\u8bbf\u95ee\u90a3\u4e9bport,\u4e0d\u5199\u9ed8\u8ba4\u4e0d\u9650\u5236<\/p>\n \u5bf9\u5e94\u7684from\u5219\u662f\u76f8\u53cd,\u6307\u7684\u662f\u51fa\u9632\u7ebf\u7684\u89c4\u5219,\u914d\u7f6e\u9879\u4e00\u6837<\/p>\n \u6211\u4eec\u53ef\u4ee5\u7ed9\u51fa\u4e0b\u9762\u7684\u4e00\u4e2a\u4f8b\u5b50<\/p>\n
|