2021-07-07 Calico Network Policy

--- lang: ja breaks: false --- <style> .ui-infobar, #doc.markdown-body { max-width: 1100px; } </style> # 2021-07-07 Calico Network Policy ``` $ cat pods.yaml --- apiVersion: v1 kind: Pod metadata: name: netshoot1 namespace: default labels: app: netshoot1 spec: containers: - name: tmp-shell args: - /sbin/init image: nicolaka/netshoot --- apiVersion: v1 kind: Pod metadata: name: netshoot2 namespace: default labels: app: netshoot2 spec: containers: - name: tmp-shell args: - /sbin/init image: nicolaka/netshoot --- apiVersion: v1 kind: Pod metadata: name: netshoot3 namespace: default labels: app: netshoot3 spec: containers: - name: tmp-shell args: - /sbin/init image: nicolaka/netshoot --- apiVersion: v1 kind: Pod metadata: name: ubnuntu namespace: default labels: app: ubuntu spec: containers: - name: tmp-shell command: - /bin/sh - -c - "tail -f /dev/null" image: ubuntu:latest ``` ``` apiVersion: crd.projectcalico.org/v1 kind: NetworkSet metadata: name: google-dns labels: pol: google spec: nets: - 8.8.8.8/32 --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress spec: podSelector: matchLabels: app: netshoot1 policyTypes: - Ingress --- apiVersion: crd.projectcalico.org/v1 kind: NetworkPolicy metadata: name: allow-egress-external spec: podSelector: matchLabels: app: netshoot1 types: - Egress egress: - action: Deny destination: nets: - 1.1.1.1/32 --- apiVersion: crd.projectcalico.org/v1 kind: NetworkPolicy metadata: name: allow-egress-external-google spec: podSelector: matchLabels: app: netshoot1 types: - Egress egress: - action: Allow source: selector: pol == 'google' ```