kubernetes - 网络策略隔离带端口的 namespace 和Pod

Question

kubernetes V19
创建一个名为allow-port-from-namespace的新NetworkPolicy，以允许内部现有命名空间中的Pod连接到同一命名空间中其他Pod的端口80。
确保新的NetworkPolicy:
不允许访问未在端口80上监听的Pod
不允许来自不在 namespace 内部的Pod进行访问
我需要知道是否可以在不向namspace和pod中添加标签的情况下做到吗？

Answer 1

在k8s networkpolicy docs中，您阅读:

By default, pods are non-isolated; they accept traffic from anysource.

Pods become isolated by having a NetworkPolicy that selects them. Oncethere is any NetworkPolicy in a namespace selecting a particular pod,that pod will reject any connections that are not allowed by anyNetworkPolicy. (Other pods in the namespace that are not selected byany NetworkPolicy will continue to accept all traffic.)

Network policies do not conflict; they are additive. If any policy orpolicies select a pod, the pod is restricted to what is allowed by theunion of those policies' ingress/egress rules. Thus, order ofevaluation does not affect the policy result

这意味着，一旦您分配(选择)了具有网络策略的Pod，就不会设置拒绝规则，因为默认情况下，所有内容都被拒绝。您仅指定允许规则。
对此问题进行解释后，让我们回到k8s文档中，您可以阅读以下内容:

There are four kinds of selectors that can be specified in an ingressfrom section or egress to section:

podSelector: This selects particular Pods in the same namespace as theNetworkPolicy which should be allowed as ingress sources or egressdestinations.

namespaceSelector: This selects particular namespaces for which allPods should be allowed as ingress sources or egress destinations.

namespaceSelector and podSelector: A single to/from entry thatspecifies both namespaceSelector and podSelector selects particularPods within particular namespaces[...]

我不会在此处粘贴所有文档，请检查其余的 here。

现在回答您的问题: "I need to know if i can do it without adding a labels to namspace and pod or not ?"您在上面提到的文档中应该注意的是，只能使用标签来定位 namespace 和Pod。
而且，当您不使用 namespace 标签选择器时，选择器会默认到部署了networkpolicy的 namespace 。
因此，是的，只要在要定位的 namespace 中部署网络策略，就可以在不向 namespace 添加标签的情况下执行此操作。而且，只要这是命名空间中唯一的Pod，就可以在不向Pod添加标签的情况下进行操作。