Network Isolation

1. Overview of Network Isolation

Network isolation is a core part of Kubernetes security: NetworkPolicy objects control which Pods may communicate with each other and with endpoints outside the cluster.

1.1 Isolation Layers

```text
Network isolation layers
    │
    ├── Cluster level
    │   └── Cluster-wide network policy
    │
    ├── Namespace level
    │   └── Namespace isolation
    │
    └── Pod level
        └── Pod network policy
```

1.2 Isolation Goals

| Goal | Description |
|---|---|
| Restrict ingress traffic | Control which sources may reach a Pod |
| Restrict egress traffic | Control which destinations a Pod may reach |
| Namespace isolation | Prevent cross-namespace access |
| External access control | Control access to and from external networks |

2. Default Isolation Policies

2.1 Default Deny All

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

2.2 Default Deny Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
```

2.3 Default Deny Egress

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
```

3. Namespace Isolation

3.1 Full Isolation

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-isolation
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: production
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: production
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

3.2 Allowing Specific Namespaces

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-monitoring
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: monitoring
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
```

3.3 Namespace Label Configuration

```bash
# Label the namespaces so that the namespaceSelector rules above can match them.
# Since Kubernetes 1.22 every namespace also carries the immutable label
# kubernetes.io/metadata.name=<namespace>, which a namespaceSelector can use without manual labelling.
kubectl label namespace production name=production
kubectl label namespace development name=development
kubectl label namespace monitoring name=monitoring
kubectl label namespace ingress-nginx name=ingress-nginx
```

4. Application-Layer Isolation

4.1 Frontend Isolation

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      tier: frontend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          tier: backend
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

4.2 Backend Isolation

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          tier: database
    ports:
    - protocol: TCP
      port: 3306
  - to:
    - podSelector:
        matchLabels:
          tier: cache
    ports:
    - protocol: TCP
      port: 6379
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

4.3 Database Isolation

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: backend
    ports:
    - protocol: TCP
      port: 3306
  egress:
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```
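As an added example that is not part of this tutorial, the following Python models the pod-to-pod subset of NetworkPolicy semantics (selecting policies are additive per direction, a bare podSelector only matches Pods in the policy's own namespace, and a connection needs both the sender's egress and the receiver's ingress to permit it) and runs it against a constructed copy of the production policies from sections 2 and 4. The policy dicts, Pods and namespace labels are constructed for the example; ipBlock peers are not modelled.

```python
# Added example, not from the tutorial: a minimal evaluator for the pod-to-pod subset of
# NetworkPolicy semantics, run against a constructed copy of the production policies above.
def sel_ok(selector, labels):  # matchLabels only; an empty selector ({}) matches everything
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())
def peer_ok(peer, pod, ns_labels, policy_ns):
    if "ipBlock" in peer:  # ipBlock peers never match pod traffic in this model
        return False
    ns_ok = (sel_ok(peer["namespaceSelector"], ns_labels.get(pod["namespace"], {}))
             if "namespaceSelector" in peer else pod["namespace"] == policy_ns)  # bare podSelector: own namespace
    return ns_ok and ("podSelector" not in peer or sel_ok(peer["podSelector"], pod["labels"]))
def port_ok(rule, port, proto):  # a rule without ports covers every port
    ports = rule.get("ports")
    return not ports or any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)
def direction_ok(policies, ns_labels, subject, peer, port, proto, direction):
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies if p["metadata"]["namespace"] == subject["namespace"]
                 and direction in p["spec"]["policyTypes"] and sel_ok(p["spec"]["podSelector"], subject["labels"])]
    if not selecting:  # no policy of this type selects the pod: traffic is allowed
        return True
    for p in selecting:  # policies are additive: one matching rule in any selecting policy is enough
        for rule in p["spec"].get(key) or []:
            peers = rule.get(peer_key)  # a rule without from/to matches every peer
            if port_ok(rule, port, proto) and (peers is None or any(
                    peer_ok(x, peer, ns_labels, p["metadata"]["namespace"]) for x in peers)):
                return True
    return False  # selected, but no rule matched: default deny
def allowed(policies, ns_labels, src, dst, port, proto="TCP"):
    # a connection needs the sender's egress AND the receiver's ingress to allow it
    return (direction_ok(policies, ns_labels, src, dst, port, proto, "Egress")
            and direction_ok(policies, ns_labels, dst, src, port, proto, "Ingress"))
def pol(name, ns, pod_sel, types, ingress=(), egress=()):  # same shape as the YAML above
    return {"metadata": {"name": name, "namespace": ns},
            "spec": {"podSelector": pod_sel, "policyTypes": types, "ingress": ingress, "egress": egress}}
def tier_rule(key, t, port):  # rule for peers labelled tier=t on one TCP port
    return {key: [{"podSelector": {"matchLabels": {"tier": t}}}], "ports": [{"protocol": "TCP", "port": port}]}
DNS = {"to": [{"namespaceSelector": {}, "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
       "ports": [{"protocol": "UDP", "port": 53}]}
POLICIES = [  # constructed subset of the tutorial's production-namespace policies
    pol("default-deny-all", "production", {}, ["Ingress", "Egress"]),
    pol("frontend-policy", "production", {"matchLabels": {"tier": "frontend"}}, ["Egress"],
        egress=[tier_rule("to", "backend", 8080), DNS]),
    pol("backend-policy", "production", {"matchLabels": {"tier": "backend"}}, ["Ingress", "Egress"],
        ingress=[tier_rule("from", "frontend", 8080)], egress=[tier_rule("to", "database", 3306), DNS]),
    pol("database-policy", "production", {"matchLabels": {"tier": "database"}}, ["Ingress", "Egress"],
        ingress=[tier_rule("from", "backend", 3306)], egress=[DNS]),
]
NS_LABELS = {"production": {"name": "production"}, "development": {"name": "development"}, "kube-system": {}}
def pod(ns, **labels):  # constructed pod: its namespace plus labels
    return {"namespace": ns, "labels": labels}
```

Note that the tutorial's DNS rules open UDP 53 only; DNS clients retry over TCP when a response is truncated, so opening TCP 53 to kube-dns as well avoids intermittent lookup failures.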

5. External Access Control

5.1 Allowing External Access

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    ports:
    - protocol: TCP
      port: 80
```

5.2 Restricting External Access

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-external
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: internal
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/8
    ports:
    - protocol: TCP
      port: 8080
```

5.3 Egress to External Networks

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-egress
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```
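As an added example that is not part of this tutorial, this Python implements the ipBlock matching rule used by allow-external and allow-external-egress above (an address matches when it is inside cidr and outside every except entry) and adds a check that the except list really covers the cluster's own Pod and Service ranges, since a 0.0.0.0/0 rule with RFC 1918 exceptions still reaches any in-cluster range that is not on that list. EXTERNAL_BLOCK and the cluster CIDRs are constructed values.

```python
# Added example, not from the tutorial: ipBlock semantics (inside cidr AND outside every
# except entry) plus a check that the except list covers the cluster's own address ranges.
import ipaddress

EXTERNAL_BLOCK = {  # constructed copy of the ipBlock used by allow-external / allow-external-egress
    "cidr": "0.0.0.0/0",
    "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

def ip_block_matches(block, ip):
    """True when ip is inside block['cidr'] and not inside any block['except'] entry."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))

def uncovered_cluster_ranges(block, cluster_cidrs):
    """Cluster ranges (Pod, Service or node CIDRs) that the except list does not fully exclude.
    Every range returned here is still reachable through the 'external' rule."""
    cidr = ipaddress.ip_network(block["cidr"])
    excepts = [ipaddress.ip_network(e) for e in block.get("except", [])]
    return [c for c in cluster_cidrs
            if ipaddress.ip_network(c).subnet_of(cidr)
            and not any(ipaddress.ip_network(c).subnet_of(e) for e in excepts)]
```

For ingress rules, ipBlock is only as reliable as the source address the Pod actually sees: when a load balancer or NAT rewrites the client IP, the rule matches the rewritten address, not the original client.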

6. Multi-Tenant Isolation

6.1 Tenant Namespace Isolation

```yaml
# Isolation policy for tenant A
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-a-isolation
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          tenant: tenant-a
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          tenant: tenant-a
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
---
# Isolation policy for tenant B
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-b-isolation
  namespace: tenant-b
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          tenant: tenant-b
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          tenant: tenant-b
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

7. Managing Network Policies

7.1 Viewing Network Policies

```bash
# List NetworkPolicies in all namespaces
kubectl get networkpolicy -A

# Show the details of one policy
kubectl describe networkpolicy <policy-name> -n <namespace>
```

7.2 Testing Network Isolation

```bash
# Test Pod-to-Pod connectivity (-T sets a timeout: a policy that drops the packets
# otherwise leaves the command hanging instead of failing quickly)
kubectl exec -it <source-pod> -- wget -qO- -T 5 <target-service>:<port>

# Test DNS resolution (kubernetes.default resolves from any namespace)
kubectl exec -it <pod> -- nslookup kubernetes.default

# Test external access
kubectl exec -it <pod> -- curl -I --max-time 5 https://www.google.com
```

8. Best Practices

8.1 Designing Isolation Policies

```text
Isolation policy design principles
    │
    ├── Default deny
    │   └── Deny everything first, then open what is needed
    │
    ├── Least privilege
    │   └── Open only the necessary ports and sources
    │
    ├── Layered control
    │   └── Frontend → backend → database
    │
    └── Regular audits
        └── Check that the policies are still appropriate
```

8.2 Security Boundaries

```text
Security boundary design
    │
    ├── External boundary
    │   └── Ingress control
    │
    ├── Namespace boundary
    │   └── Namespace isolation
    │
    └── Application boundary
        └── Application-layer isolation
```

9. Troubleshooting

9.1 Common Checks

```bash
# List NetworkPolicies in all namespaces
kubectl get networkpolicy -A

# Show Pod labels (what the podSelector rules must match)
kubectl get pods --show-labels

# Show namespace labels (what the namespaceSelector rules must match)
kubectl get namespace --show-labels

# Test connectivity; --max-time makes a dropped connection fail fast
kubectl exec -it <pod> -- curl --max-time 5 <service>:<port>
```

9.2 Diagnosing Problems

| Problem | Cause | Solution |
|---|---|---|
| Connection denied | Blocked by a policy | Check the NetworkPolicy |
| DNS resolution fails | DNS traffic not allowed | Add an egress rule for DNS |
| Cross-namespace traffic fails | Namespace isolation | Add a namespaceSelector |

10. Summary

10.1 Key Points

| Point | Description |
|---|---|
| Default deny | Deny all traffic first |
| Layered isolation | Isolate by application tier |
| Namespace isolation | Prevent cross-namespace access |
| Least privilege | Open only the access that is necessary |

10.2 Next Steps

With network isolation covered, the next chapter, Monitoring, looks at how Kubernetes monitoring works.

Last updated: 2026-03-28