NetworkPolicy controls ingress/egress traffic between Pods, namespaces and IP blocks, provided the cluster CNI supports enforcement. Many clusters allow broad traffic by default, so NetworkPolicy helps reduce the blast radius.
Example allowing only frontend to call api:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-from-frontend
spec:
  podSelector:            # applies to api pods in this policy's namespace
    matchLabels:
      app: api
  ingress:                # only ingress is restricted; egress from api stays open
  - from:
    - podSelector:        # a bare podSelector matches pods in the policy's own namespace only
        matchLabels:
          app: frontend
Test DNS, metrics, the ingress controller and egress dependencies carefully, because a wrong policy can cut the app off from the network.
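As an added example (not part of the original note), a small Python model of the selection semantics above: a pod not selected by any policy is wide open, a selected pod only accepts peers that some rule names, and a bare podSelector never reaches another namespace. It runs the api-from-frontend policy against constructed pods and namespace labels, plus a constructed frontend egress lock-down that forgets DNS and its corrected form; ports and ipBlock are ignored.

```python
from dataclasses import dataclass, field

# Constructed namespace labels, looked up by namespaceSelector peers.
NS_LABELS = {"shop": {"team": "shop"}, "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}
@dataclass
class Pod:
    name: str
    ns: str
    labels: dict
@dataclass
class Policy:
    ns: str
    pod_selector: dict   # spec.podSelector matchLabels; {} selects every pod in the namespace
    types: tuple         # policyTypes: ("Ingress",), ("Egress",) or both
    ingress: list = field(default_factory=list)  # rules; each rule is a list of peers, [] = any source
    egress: list = field(default_factory=list)   # same shape for egress destinations

def _match(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())
def _peer_matches(peer, pod, policy_ns):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    # A peer with only a podSelector is scoped to the policy's own namespace.
    ns_ok = pod.ns == policy_ns if ns_sel is None else _match(ns_sel, NS_LABELS.get(pod.ns, {}))
    return ns_ok and (pod_sel is None or _match(pod_sel, pod.labels))
def _direction_ok(direction, local, remote, policies):
    selected = [p for p in policies if p.ns == local.ns and direction in p.types
                and _match(p.pod_selector, local.labels)]
    if not selected:
        return True  # not selected by any policy for this direction: default allow
    for p in selected:  # policies are additive: one matching rule in any policy is enough
        for rule in (p.ingress if direction == "Ingress" else p.egress):
            if not rule or any(_peer_matches(peer, remote, p.ns) for peer in rule):
                return True
    return False  # selected, but no rule admits this peer
def allowed(src, dst, policies):
    """src -> dst flows only if src's egress policies AND dst's ingress policies both permit it."""
    return _direction_ok("Egress", src, dst, policies) and _direction_ok("Ingress", dst, src, policies)

# Constructed pods, the api-from-frontend policy from the note, and two constructed frontend egress policies.
FRONTEND = Pod("frontend", "shop", {"app": "frontend"})
API = Pod("api", "shop", {"app": "api"})
BATCH = Pod("batch", "shop", {"app": "batch"})
COREDNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})
API_FROM_FRONTEND = Policy("shop", {"app": "api"}, ("Ingress",), ingress=[[{"podSelector": {"app": "frontend"}}]])
EGRESS_FORGOT_DNS = Policy("shop", {"app": "frontend"}, ("Egress",), egress=[[{"podSelector": {"app": "api"}}]])
EGRESS_WITH_DNS = Policy("shop", {"app": "frontend"}, ("Egress",), egress=[
    [{"podSelector": {"app": "api"}}],
    [{"namespaceSelector": {"kubernetes.io/metadata.name": "kube-system"}, "podSelector": {"k8s-app": "kube-dns"}}]])
```

With EGRESS_FORGOT_DNS applied, `allowed(FRONTEND, COREDNS, ...)` is False even though api traffic still works, which is exactly the silent breakage the note warns about.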