[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-9947":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":10,"languages":10,"totalLinesOfCode":10,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":17,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":10,"pushedAt":10,"updatedAt":28,"readmeContent":29,"aiSummary":30,"trendingCount":15,"starSnapshotCount":15,"syncStatus":31,"lastSyncTime":32,"discoverSource":33},9947,"kubernetes-network-policy-recipes","ahmetb\u002Fkubernetes-network-policy-recipes","ahmetb","Example recipes for Kubernetes Network Policies that you can just copy paste","",null,6143,1820,171,5,0,1,3,11,70.38,"Apache License 2.0",false,"master",true,[25,26,27],"kubernetes","networking","security","2026-06-12 04:00:47","![You can get stuff like this](img\u002F1.gif)\n_You can get stuff like this with Network Policies..._\n\n# Kubernetes Network Policy Recipes\n\nThis repository contains various use cases of Kubernetes\n[Network Policies](https:\u002F\u002Fkubernetes.io\u002Fdocs\u002Fconcepts\u002Fservices-networking\u002Fnetwork-policies\u002F)\nand sample YAML files to leverage in your setup. If you ever wondered\nhow to drop\u002Frestrict traffic to applications running on Kubernetes, read on.\n\nEasiest way to try out Network Policies is to create a new [Google Kubernetes\nEngine](https:\u002F\u002Fcloud.google.com\u002Fkubernetes-engine) cluster. Applying Network\nPolicies on your existing cluster can disrupt the networking. 
At the time of\nwriting, most cloud providers do not provide built-in network policy support.\n\nIf you are not familiar with Network Policies at all, I recommend reading my\n[Securing Kubernetes Cluster Networking](https:\u002F\u002Fahmet.im\u002Fblog\u002Fkubernetes-network-policy\u002F)\narticle first.\n\n## NetworkPolicy Crash Course \nNetworkPolicies operate at layer 3 or 4 of the OSI model (IP and port level). They are used to control the traffic in (ingress) and out (egress) of pods.\n\nHere are some NetworkPolicy gotchas:  \n- An empty selector will match everything. For example, `spec.podSelector: {}` will apply the policy to all pods in the current namespace.\n\n- Selectors can only select Pods that are in the same namespace as the NetworkPolicy. E.g., `spec.podSelector` of an ingress rule can only select pods in the same namespace the NetworkPolicy is deployed to. \n\n- If no NetworkPolicy targets a pod, all traffic to and from the pod is allowed. In other words, all traffic is allowed until a policy is applied.\n\n- There are no deny rules in NetworkPolicies. NetworkPolicies are deny-by-default, allow-explicitly. It's the same as saying \"If you're not on the list you can't get in.\"\n\n- If a NetworkPolicy matches a pod but has a null rule, all traffic is blocked. An example of this is a \"Deny all traffic\" policy. \n```yaml\nspec:\n  podSelector:\n    matchLabels:\n      ...\n  ingress: []\n```\n- Rules are chained together. NetworkPolicies are additive. If multiple NetworkPolicies select a pod, their union is evaluated and applied to that pod.\n\n### Before you begin\n\n> I really recommend [watching my KubeCon talk on Network\nPolicies](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=3gGpMmYeEO8) if you want to get a\ngood understanding of this feature. 
It will help you understand this repo\nbetter.\n\n- [Create a cluster](00-create-cluster.md)\n\n### Basics\n\n- [DENY all traffic to an application](01-deny-all-traffic-to-an-application.md)\n- [LIMIT traffic to an application](02-limit-traffic-to-an-application.md)\n- [ALLOW all traffic to an application](02a-allow-all-traffic-to-an-application.md)\n\n### Namespaces\n\n- [DENY all non-whitelisted traffic in the current namespace](03-deny-all-non-whitelisted-traffic-in-the-namespace.md)\n- [DENY all traffic from other namespaces](04-deny-traffic-from-other-namespaces.md) (a.k.a. LIMIT access to the current namespace)\n- [ALLOW traffic to an application from all namespaces](05-allow-traffic-from-all-namespaces.md)\n- [ALLOW all traffic from a namespace](06-allow-traffic-from-a-namespace.md)\n- [ALLOW traffic from some pods in another namespace](07-allow-traffic-from-some-pods-in-another-namespace.md)\n\n### Serving External Traffic\n\n- [ALLOW traffic from external clients](08-allow-external-traffic.md)\n\n### Advanced\n\n- [ALLOW traffic only to certain port numbers of an application](09-allow-traffic-only-to-a-port.md)\n- [ALLOW traffic from apps using multiple selectors](10-allowing-traffic-with-multiple-selectors.md)\n\n### Controlling Outbound (Egress) Traffic 🔥🆕🔥\n\n- [DENY egress traffic from an application](11-deny-egress-traffic-from-an-application.md)\n- [DENY all non-whitelisted egress traffic in a namespace](12-deny-all-non-whitelisted-traffic-from-the-namespace.md)\n- 🔜 LIMIT egress traffic from an application to some pods\n- 🔜 ALLOW traffic only to Pods in a namespace\n- [LIMIT egress traffic to the cluster (DENY external egress traffic)](14-deny-external-egress-traffic.md)\n\n-----\n\n##### Author\n\nCreated by Ahmet Alp Balkan ([@ahmetb](https:\u002F\u002Ftwitter.com\u002Fahmetb)).\n\nCopyright 2017, Google Inc. 
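Distributed under Apache License Version 2.0, see [LICENSE](LICENSE) for details.\n\nDisclaimer: This is not an official Google product.\n\n![Stargazers over time](https:\u002F\u002Fstarcharts.herokuapp.com\u002Fahmetb\u002Fkubernetes-networkpolicy-tutorial.svg)\n","This project provides Kubernetes network policy examples that can be copied and pasted directly, aiming to help users understand and implement network security rules in Kubernetes environments. Core features include controlling inbound and outbound traffic between Pods by defining YAML files, restricting or allowing communication between Pods with specific labels, and managing traffic across namespaces. Its technical characteristic is that it operates at layers 3 and 4 of the OSI model and allows only explicitly specified traffic through, rejecting all unspecified connection attempts by default. It suits scenarios that need stronger security isolation between containerized applications, such as fine-grained access control between services in a microservice architecture, or when an organization wants to follow the principle of least privilege to protect sensitive data.",2,"2026-06-11 03:25:31","top_topic"]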