https://docs.projectcalico.org/v3.10/getting-started/kubernetes/installation/flannel
Installing with the Kubernetes API datastore (recommended)
Download the Canal manifest, change the pod CIDR it ships with (10.244.0.0/16) to the cluster's pod CIDR (10.254.0.0/16 here), then apply it:
curl https://docs.projectcalico.org/v3.10/manifests/canal.yaml -O
sed -i 's#10.244.0.0/16#10.254.0.0/16#g' canal.yaml
kubectl apply -f canal.yaml
Ingress (inbound): deny all by default
kubectl explain networkpolicy
KIND:     NetworkPolicy
VERSION:  extensions/v1beta1

DESCRIPTION:
     DEPRECATED 1.9 - This group version of NetworkPolicy is deprecated by
     networking/v1/NetworkPolicy. NetworkPolicy describes what network traffic
     is allowed for a set of Pods

FIELDS:
   apiVersion   <string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#resources

   kind <string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds

   metadata     <Object>
     Standard object's metadata. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

   spec <Object>
     Specification of the desired behavior for this NetworkPolicy.
ingress-def.yaml
Selects every pod in the dev namespace (empty podSelector) and lists Ingress in policyTypes without any ingress rules, so all inbound traffic to pods in dev is denied:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Ingress

The same file with one empty ingress rule added. An empty rule ({}) matches every source and every port, so re-applying this replaces the policy above with one that allows all inbound traffic; the name no longer describes what it does:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress
allow-netpol-demo.yaml
Allows TCP/80 into pods labelled app=myapp from the pod CIDR 10.254.0.0/16, except from the single address 10.254.1.2. No namespace is set in metadata, so the policy lands in whatever namespace kubectl applies it to (default unless -n is given):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-myapp-ingress
spec:
  podSelector:
    matchLabels:
      app: myapp
  ingress:
  - from:
    - ipBlock:
        cidr: 10.254.0.0/16
        except:
        - 10.254.1.2/32
    ports:
    - protocol: TCP
      port: 80
Network policy
Per namespace:
- deny all egress and ingress
- allow all egress whose destination is a pod in the same namespace
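The two policies that list describes, written out as an added example (not from the original notes or from the Calico project), for the dev namespace used above. The policy names deny-all and allow-egress-same-namespace are chosen here.

```yaml
# Added example: namespace-wide default deny plus intra-namespace egress.
# Policy names are chosen for this example; "dev" is the namespace used above.
#
# 1) Default deny. The empty podSelector selects every pod in dev. Both
#    policyTypes are listed and no ingress/egress rules are given, so all
#    inbound and outbound traffic for pods in dev is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2) Allow egress to any pod in the same namespace. A podSelector under "to"
#    with no namespaceSelector beside it matches pods in the policy's own
#    namespace only. NetworkPolicies are additive (union of allow rules), so
#    this is combined with deny-all: egress to pods in dev is allowed, every
#    other egress and all ingress stay denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-same-namespace
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector: {}
```

Two consequences to check after applying this pair: deny-all also denies ingress, so a pod in dev that sends to another pod in dev still needs an ingress rule on the receiving side before the connection works; and egress to kube-dns in kube-system is blocked, so name resolution fails until a further egress rule to that namespace (UDP and TCP port 53) is added. Verify with a test pod in dev (for example, a curl to a pod IP in dev and to one outside it) rather than assuming the policies compose as intended.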