字段定义如下:

// NetworkPolicySpec provides the specification of a NetworkPolicy
type NetworkPolicySpec struct {
    // Selects the pods to which this NetworkPolicy object applies. The array of
    // ingress rules is applied to any pods selected by this field. Multiple network
    // policies can select the same set of pods. In this case, the ingress rules for
    // each are combined additively. This field is NOT optional and follows standard
    // label selector semantics. An empty podSelector matches all pods in this
    // namespace.
    PodSelector metav1.LabelSelector `json:"podSelector" protobuf:"bytes,1,opt,name=podSelector"`

    // List of ingress rules to be applied to the selected pods. Traffic is allowed to
    // a pod if there are no NetworkPolicies selecting the pod
    // (and cluster policy otherwise allows the traffic), OR if the traffic source is
    // the pod's local node, OR if the traffic matches at least one ingress rule
    // across all of the NetworkPolicy objects whose podSelector matches the pod. If
    // this field is empty then this NetworkPolicy does not allow any traffic (and serves
    // solely to ensure that the pods it selects are isolated by default)
    // +optional
    Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"`

    // List of egress rules to be applied to the selected pods. Outgoing traffic is
    // allowed if there are no NetworkPolicies selecting the pod (and cluster policy
    // otherwise allows the traffic), OR if the traffic matches at least one egress rule
    // across all of the NetworkPolicy objects whose podSelector matches the pod. If
    // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
    // solely to ensure that the pods it selects are isolated by default).
    // This field is beta-level in 1.8
    // +optional
    Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`

    // List of rule types that the NetworkPolicy relates to.
    // Valid options are "Ingress", "Egress", or "Ingress,Egress".
    // If this field is not specified, it will default based on the existence of Ingress or Egress rules;
    // policies that contain an Egress section are assumed to affect Egress, and all policies
    // (whether or not they contain an Ingress section) are assumed to affect Ingress.
    // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
    // Likewise, if you want to write a policy that specifies that no egress is allowed,
    // you must specify a policyTypes value that include "Egress" (since such a policy would not include
    // an Egress section and would otherwise default to just [ "Ingress" ]).
    // This field is beta-level in 1.8
    // +optional
    PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"`
}

// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
type NetworkPolicyIngressRule struct {
    // List of ports which should be made accessible on the pods selected for this
    // rule. Each item in this list is combined using a logical OR. If this field is
    // empty or missing, this rule matches all ports (traffic not restricted by port).
    // If this field is present and contains at least one item, then this rule allows
    // traffic only if the traffic matches at least one port in the list.
    // +optional
    Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`

    // List of sources which should be able to access the pods selected for this rule.
    // Items in this list are combined using a logical OR operation. If this field is
    // empty or missing, this rule matches all sources (traffic not restricted by
    // source). If this field is present and contains at least on item, this rule
    // allows traffic only if the traffic matches at least one item in the from list.
    // +optional
    From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
}

// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
// This type is beta-level in 1.8
type NetworkPolicyEgressRule struct {
    // List of destination ports for outgoing traffic.
    // Each item in this list is combined using a logical OR. If this field is
    // empty or missing, this rule matches all ports (traffic not restricted by port).
    // If this field is present and contains at least one item, then this rule allows
    // traffic only if the traffic matches at least one port in the list.
    // +optional
    Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`

    // List of destinations for outgoing traffic of pods selected for this rule.
    // Items in this list are combined using a logical OR operation. If this field is
    // empty or missing, this rule matches all destinations (traffic not restricted by
    // destination). If this field is present and contains at least one item, this rule
    // allows traffic only if the traffic matches at least one item in the to list.
    // +optional
    To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"`
}

.spec.PodSelector

顾名思义,它是pod选择器,基于标签选择与Network Policy处于同一namespace下的pod,如果pod被选中,则对其应用Network Policy中定义的规则。此为可选字段,当没有此字段时,表示选中所有pod。

.spec.PolicyTypes

Network Policy定义的规则可以分成两种,一种是入pod的Ingress规则,一种是出pod的Egress规则。本字段可以看作是一个开关,如果其中包含Ingress,则Ingress部分定义的规则生效,如果是Egress则Egress部分定义的规则生效,如果都包含则全部生效。当然此字段也可选,如果没有指定的话,则默认Ingress生效,如果Egress部分有定义的话,Egress才生效。怎么理解这句话,下文会提到,没有明确定义Ingress、Egress部分,它也是一种规则,默认规则而非没有规则。

.spec.ingress与.spec.egress

前者定义入pod规则,后者定义出pod规则,详细参考这里,这里只讲一下重点。上例中ingress与egress都只包含一条规则,两者都是数组,可以包含多条规则。当包含多条时,条目之间的逻辑关系是“或”,只要匹配其中一条就可以。.spec.ingress[].from
也是数组,数组成员对访问pod的外部source进行描述,符合条件的source才可以访问pod,有多种方法,如示例中的ip地址块、名称空间、pod标签等,数组中的成员也是逻辑或的关系。spec.ingress[].from.prots表示允许通过的协议及端口号。

.spec.egress.to定义的是pod想要访问的外部destination,其它与ingress相同。

 

Demo示例:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978