# DENY all non-whitelisted traffic to a namespace
💡 Use Case: This is a fundamental policy, blocking all cross-pod networking other than the ones whitelisted via the other Network Policies you deploy.
Consider applying this manifest to any namespace you deploy workloads to (anything but kube-system).
💡 Best Practice: This policy gives you a default "deny all" behaviour. This way, you can clearly identify which components depend on which, and deploy Network Policies that translate into dependency graphs between components.
# Manifest

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  ingress: []
```
Note a few things about this manifest:
- `namespace: default` deploys this policy to the `default` namespace.
- `podSelector:` is empty, which means it matches all the pods. Therefore, the policy is enforced on ALL pods in the `default` namespace.
- There are no `ingress` rules specified. This causes incoming traffic to the selected (=all) pods to be dropped.
  - In this case, you can just omit the `ingress` field, or leave it empty like `ingress: []`.
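As an added example (not part of the recipe), the audit below applies exactly these semantics to the JSON that `kubectl get networkpolicy -A -o json` emits, so you can check that every namespace you deploy workloads to really carries a default-deny ingress policy. The cluster output is constructed inline; note the `ingress: [{}]` case, a single empty rule, which allows all traffic rather than denying it.

```python
import json

# Constructed sample of `kubectl get networkpolicy -A -o json` output (not real cluster data).
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny-all", "namespace": "default"},
     "spec": {"podSelector": {}, "ingress": []}},                    # the recipe's manifest
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny-all", "namespace": "payments"},
     "spec": {"podSelector": {}, "ingress": [{}]}},                  # one empty rule = ALLOW all
    {"kind": "NetworkPolicy", "metadata": {"name": "web-only", "namespace": "web"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}}},      # only selects app=web pods
]})


def effective_policy_types(spec):
    """API defaulting: Ingress is always implied when policyTypes is omitted,
    Egress only if an egress section is present."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def selects_all_pods(selector):
    # {} and {"matchLabels": {}} both match every pod in the namespace
    return not any((selector or {}).values())


def is_default_deny_ingress(policy):
    spec = policy.get("spec") or {}
    return (selects_all_pods(spec.get("podSelector"))
            and "Ingress" in effective_policy_types(spec)
            and not spec.get("ingress"))          # None or [] -> no allow rules


def audit(kubectl_json, namespaces):
    """Map each namespace to whether at least one policy denies all ingress."""
    items = json.loads(kubectl_json)["items"]
    return {ns: any(is_default_deny_ingress(p) for p in items
                    if p["metadata"]["namespace"] == ns)
            for ns in namespaces}


if __name__ == "__main__":
    for ns, ok in audit(SAMPLE, ["default", "payments", "web"]).items():
        print(f"{ns}: {'default-deny ingress present' if ok else 'NO default deny'}")
```

Egress is untouched by this manifest: a policy with `policyTypes: [Egress]` and no ingress section is reported as not denying ingress.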
Save this manifest to `default-deny-all.yaml` and apply:

```sh
$ kubectl apply -f default-deny-all.yaml
networkpolicy "default-deny-all" created
```
# Cleanup

```sh
kubectl delete networkpolicy default-deny-all
```
Last updated: 2024/02/26, 10:14:04