网络策略需要依赖cni 网络插件，calico 通过自定义k8s 资源支持网络策略

配置文件

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: 
  namespace:
  labels:
  annotations:
spec:

下面详细描述NetworkPolicy.spec
podSelector 指定了该网络策略作用的Pod范围

1. 作用于NetworkPolicy.metadata.namespace名称空间的所有pod

spec:
  podSelector: {}

2. 作用于指定标签的pod

spec:
  podSelector:
    matchLabels:
      app: db

spec:
  podSelector:
    matchExpressions:
    - key: app
      operator: In
      values:
      - db

policyTypes 指定流入流出的网络策略

1. 如果不指定则使用默认的策略，默认Ingress和Egress 都是通过

spec:
  policyTypes: []

2. 禁止所有的流出策略，不定义spec.egress

spec:
  policyTypes:
  - Egress

3. 禁止所有的流入策略，不定义spec.ingress

spec:
  policyTypes:
  - Ingress

4. 允许所有的流出策略

spec:
  policyTypes:
  - Egress
  egress: {}

5. 允许所有的流入策略

spec:
  policyTypes:
  - Ingress
  ingress: {}

ingress 控制流入的具体策略

spec:
  ingress:
  - from:
    - ipBlock:
      cidr: "10.4.7.1/24"
      expect:
      - "10.4.7.50/32"
      - "192.168.123.1/24"
    - namespaceSelector:
      matchLabels: {}
      matchExpressions: {}
    - podSelector:
      matchLabels: {}
      matchExpressions: {}
  - ports:
    - protocol: TCP
      port: 8000

egress 控制流出的具体策略

spec:
  ingress:
  - to:
    - ipBlock:
      cidr: "10.4.7.1/24"
      expect:
      - "10.4.7.50/32"
      - "192.168.123.1/24"
    - namespaceSelector:
      matchLabels: {}
      matchExpressions: {}
    - podSelector:
      matchLabels: {}
      matchExpressions: {}
  - ports:
    - protocol: TCP
      port: 8000

测试文件

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
spec:
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: python
        command: ["python","-m","http.server"]
---
apiVersion: v1
metadata: v1
kind: Service
metadata:
  name: myapp
spec:
  selector:
    app: web
  ports:
  - port: 8000
    targetPort: 8000