Kubernetes Network Security Policy in Practice: Six Defensive Patterns from Default Deny to Zero Trust
Is your Kubernetes cluster's network running naked?
In a cluster with default configuration every pod can talk to every other pod: the frontend pod can reach the database pod directly, the test namespace can reach the production namespace, and a compromised pod can move laterally to any service in the cluster. The article's opening example: in 2025 a financial company had a pod without any network policy compromised; within 30 minutes the attacker had moved laterally to the payment system and exfiltrated 2 million user records. That is not a movie plot, it is how real incidents unfold.
Kubernetes NetworkPolicy is the foundation of cluster network security. From default deny to micro-segmentation, from Cilium eBPF to a zero-trust architecture, this article covers six defensive patterns so that your cluster network is no longer exposed.
Core concepts at a glance
| Concept | Description | Keywords |
|---|---|---|
| NetworkPolicy | Native Kubernetes policy resource that controls pod-to-pod traffic | ingress/egress, selector |
| Default Deny | Deny all traffic by default, then explicitly allow what is legitimate | allow list, zero-trust baseline |
| Micro-segmentation | Fine-grained network isolation driven by labels | label selectors, namespace isolation |
| Cilium | eBPF-based CNI plugin that enforces L3 to L7 policy | eBPF, L7 policy, observability |
| eBPF | In-kernel programmability used for high-performance packet filtering | kernel space, zero copy, XDP |
| mTLS | Mutual TLS: encrypted, authenticated service-to-service traffic | certificate rotation, workload identity |
| Zero Trust | Never trust, always verify | continuous verification, least privilege |
Problem analysis: five challenges of Kubernetes network security
| Challenge | Current state | Risk level | Root cause |
|---|---|---|---|
| Allow-all by default | No restriction at all between pods in the cluster | 🔴 Critical | Kubernetes ships without any NetworkPolicy |
| Lateral movement | After breaching one pod the attacker can reach every service | 🔴 Critical | No micro-segmentation |
| Policy sprawl | The number of NetworkPolicies in large clusters becomes unmanageable | 🟡 Medium | Poor label design |
| DNS dependency | Service discovery depends on CoreDNS, but DNS is rarely covered by policy | 🟡 Medium | DNS-layer security is ignored |
| Poor observability | Hard to verify and audit what a policy actually does | 🟠 High | No policy audit tooling |
Pattern 1: Deny all traffic by default
Default deny is the first step towards a zero-trust network. In a namespace without any NetworkPolicy every pod can talk to every other pod, which is the most dangerous possible state. Note the semantics: a pod becomes isolated for a direction as soon as any policy that selects it lists that direction in policyTypes, and a policy with no rules for that direction allows nothing.
Namespace-level default deny
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}        # selects every pod in the namespace
  policyTypes:
  - Ingress              # no ingress rules follow, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress               # no egress rules follow, so all outbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
Allow DNS resolution (required as soon as egress is isolated)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      # Tighten this by adding a podSelector for k8s-app: kube-dns next to the
      # namespaceSelector, so that only CoreDNS (not every pod in kube-system)
      # is reachable on port 53.
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP    # large answers and retries fall back to TCP
      port: 53
Applying default deny to every namespace in one go
#!/bin/bash
# Apply default-deny-all to every non-system namespace. On its own this also
# blocks DNS: pair it with the allow-dns-egress policy above.
NAMESPACES=$(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}')
for ns in $NAMESPACES; do
  case "$ns" in
    kube-system|kube-public|kube-node-lease)
      echo "Skipping system namespace: $ns"
      continue
      ;;
  esac
  kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
  echo "Applied default-deny-all to namespace: $ns"
done
Verifying the default-deny policies
kubectl get networkpolicy -n production
kubectl describe networkpolicy default-deny-all -n production
# A throwaway client inside the isolated namespace should now time out:
kubectl run test-client --image=busybox:1.36 -n production --rm -it --restart=Never -- \
  wget -qO- --timeout=2 http://api-service.production.svc.cluster.local:8080
# Expected: "wget: download timed out". The API pod is reachable again only
# through an explicit allow rule on both the client's egress and the server's ingress.
Pattern 2: Label-based micro-segmentation
Micro-segmentation uses label selectors to grant fine-grained pod-to-pod access and is the core capability of NetworkPolicy. Two rules of the model matter in every policy below: a namespaceSelector and a podSelector written in the same `from`/`to` entry are ANDed (separate entries are ORed), and a bare podSelector only ever matches pods in the policy's own namespace.
Three-tier application micro-segmentation
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web
      tier: frontend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # namespaceSelector and podSelector in one entry are ANDed: only ingress-nginx
  # pods that run in a namespace labelled env=production may reach the frontend.
  - from:
    - namespaceSelector:
        matchLabels:
          env: production
      podSelector:
        matchLabels:
          app: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
    - protocol: TCP
      port: 8443
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: api
          tier: backend
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP    # DNS over TCP for large answers
      port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: api
      tier: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
          tier: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
          tier: database
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - podSelector:
        matchLabels:
          app: redis
          tier: cache
    ports:
    - protocol: TCP
      port: 6379
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
          tier: backend
    ports:
    - protocol: TCP
      port: 5432
  egress:
  # The database only needs DNS; nothing else leaves this tier.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
Cross-namespace policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-monitoring
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: monitoring
      podSelector:
        matchLabels:
          app: prometheus
    ports:
    # The port here is the metrics port the scraped pods expose. 9090 is the
    # port Prometheus itself listens on, not a port it scrapes; 8080 matches
    # the API pods in this article, adjust it to your workloads.
    - protocol: TCP
      port: 8080
Managing namespace labels
kubectl label namespace monitoring purpose=monitoring
kubectl label namespace staging env=staging
kubectl label namespace production env=production
# kubernetes.io/metadata.name is set automatically on every namespace by the
# API server (Kubernetes 1.21+) and cannot be changed; there is no need to
# label kube-system by hand.
kubectl get namespaces --show-labels
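The easiest way to internalise the rules that patterns 1 and 2 rely on (isolation by policyTypes, additive allow lists, AND between a namespaceSelector and podSelector in one entry, a bare podSelector scoped to the policy's namespace, an empty ports list meaning every port) is to run them. The evaluator below is an added example written for this article, not code from the original page or from any CNI: it takes policies in the JSON shape of `kubectl get networkpolicy -o json` and answers "may pod A reach pod B on this port?". The namespaces, pods and policies are constructed to mirror the three-tier setup above; only matchLabels is modelled, and ipBlock peers are ignored.

```python
"""Toy evaluator for Kubernetes NetworkPolicy semantics (added example)."""


def selector_matches(selector, labels):
    """An empty selector ({}) matches everything; matchExpressions are not modelled."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, pod, namespaces):
    """Match one `from`/`to` entry against a pod (ipBlock peers never match pods here)."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if "ipBlock" in peer or (ns_sel is None and pod_sel is None):
        return False
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces.get(pod["namespace"], {})):
            return False
    elif pod["namespace"] != policy_ns:   # bare podSelector: policy's namespace only
        return False
    return pod_sel is None or selector_matches(pod_sel, pod["labels"])


def port_matches(ports, port, proto):
    if not ports:                          # absent or [] means every port
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)


def direction_allowed(policies, namespaces, pod, direction, other, port, proto):
    """Allow-list model for one side of the connection ("Ingress" or "Egress")."""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec, pol_ns = pol["spec"], pol["metadata"]["namespace"]
        if pol_ns != pod["namespace"] or not selector_matches(spec.get("podSelector", {}), pod["labels"]):
            continue
        types = spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])
        if direction not in types:
            continue
        isolated = True                    # selected: only explicit rules may allow
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peer_key)
            peer_ok = not peers or any(peer_matches(p, pol_ns, other, namespaces) for p in peers)
            if peer_ok and port_matches(rule.get("ports"), port, proto):
                return True                # rules are additive: first match wins
    return not isolated                    # unselected pods keep the open default


def is_allowed(policies, namespaces, src, dst, port, proto="TCP"):
    """Both the egress side of src and the ingress side of dst must allow the flow."""
    return (direction_allowed(policies, namespaces, src, "Egress", dst, port, proto)
            and direction_allowed(policies, namespaces, dst, "Ingress", src, port, proto))


def policy(name, ns, pod_selector, types, ingress=None, egress=None):
    spec = {"podSelector": pod_selector, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}


# Constructed cluster state (label sets as shown by `kubectl get ns --show-labels`).
NAMESPACES = {
    "production": {"kubernetes.io/metadata.name": "production", "env": "production"},
    "staging": {"kubernetes.io/metadata.name": "staging", "env": "staging"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}
PODS = {
    "web": {"namespace": "production", "labels": {"app": "web", "tier": "frontend"}},
    "api": {"namespace": "production", "labels": {"app": "api", "tier": "backend"}},
    "db": {"namespace": "production", "labels": {"app": "postgres", "tier": "database"}},
    "staging-web": {"namespace": "staging", "labels": {"app": "web", "tier": "frontend"}},
    "kube-dns": {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}},
}
KUBE_SYSTEM = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}
DNS_53 = [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]
POLICIES = [
    policy("default-deny-all", "production", {}, ["Ingress", "Egress"]),
    policy("allow-dns-egress", "production", {}, ["Egress"], egress=[{"to": [KUBE_SYSTEM], "ports": DNS_53}]),
    policy("frontend-policy", "production", {"matchLabels": {"app": "web"}}, ["Egress"],
           egress=[{"to": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                    "ports": [{"protocol": "TCP", "port": 8080}]}]),
    policy("backend-policy", "production", {"matchLabels": {"app": "api"}}, ["Ingress", "Egress"],
           ingress=[{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                     "ports": [{"protocol": "TCP", "port": 8080}]}],
           egress=[{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}],
                    "ports": [{"protocol": "TCP", "port": 5432}]}]),
    policy("database-policy", "production", {"matchLabels": {"tier": "database"}}, ["Ingress"],
           ingress=[{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                     "ports": [{"protocol": "TCP", "port": 5432}]}]),
]


def demo():
    """Verdicts a practitioner would check after applying patterns 1 and 2."""
    def a(s, d, p, proto="TCP"):
        return is_allowed(POLICIES, NAMESPACES, PODS[s], PODS[d], p, proto)
    return {
        "web->api:8080": a("web", "api", 8080),                   # both sides allow it
        "staging-web->api:8080": a("staging-web", "api", 8080),   # same labels, wrong namespace
        "web->db:5432": a("web", "db", 5432),                     # frontend may not skip the API tier
        "api->db:5432": a("api", "db", 5432),
        "api->db:5433": a("api", "db", 5433),                     # port not on the allow list
        "api->kube-dns:53/UDP": a("api", "kube-dns", 53, "UDP"),  # allow-dns-egress adds to default deny
        "no-policy": is_allowed([], NAMESPACES, PODS["web"], PODS["db"], 5432),  # open cluster
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:28} {'ALLOW' if verdict else 'DENY'}")
```

Run it as a script to print the verdict table; the `staging-web->api` case is the one worth remembering, since the pod labels are identical to the production frontend and only the namespace scoping of the bare podSelector keeps it out.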
Pattern 3: Advanced network policy with Cilium and eBPF
Cilium is built on eBPF and goes beyond the L3/L4 limit of native NetworkPolicy: it enforces L7 policy for HTTP, gRPC and Kafka through an Envoy proxy that the agent inserts only for the flows a policy selects.
Installing Cilium
helm repo add cilium https://helm.cilium.io/
# kubeProxyReplacement=true replaces kube-proxy completely ("strict" is the
# pre-1.14 spelling of the same setting). Without kube-proxy you must also pass
# k8sServiceHost and k8sServicePort so the agent can reach the API server
# before any Service is programmed.
helm install cilium cilium/cilium \
  --namespace kube-system \
  --set kubeProxyReplacement=true \
  --set hubble.enabled=true \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true \
  --set operator.prometheus.enabled=true
L7 HTTP policy
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: l7-http-policy
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: api
      tier: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: web
        tier: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # The TCP connection from the frontend is allowed; requests on it that
      # match none of the rules below are answered with HTTP 403 by the proxy.
      rules:
        http:
        - method: GET
          path: "/api/v1/.*"
        - method: POST
          path: "/api/v1/orders"
        - method: PUT
          path: "/api/v1/orders/.*"
Kafka protocol policy (Kafka-aware policy is a beta feature in Cilium)
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: kafka-policy
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: kafka
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: order-service
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        - role: produce
          topic: orders
        - role: consume
          topic: orders
  - fromEndpoints:
    - matchLabels:
        app: payment-service
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        - role: produce
          topic: payments
        - role: consume
          topic: payments
DNS-based egress policy
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: external-api-egress
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: api
      tier: backend
  egress:
  - toFQDNs:
    - matchName: "api.stripe.com"
    - matchName: "api.sendgrid.com"
    - matchPattern: "*.amazonaws.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  # This rule is not optional: DNS must pass through Cilium's DNS proxy (an L7
  # dns rule towards kube-dns) so the agent learns which IPs the names resolve
  # to. Without it the toFQDNs rule above never matches anything.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      rules:
        dns:
        - matchPattern: "*"
Hubble observability
cilium hubble port-forward &
hubble observe --namespace production --since 1m
hubble observe --namespace production --label app=api --verdict DROPPED
hubble observe --namespace production --http-path "/api/v1/.*" --http-method GET
Pattern 4: DNS-based network policy
Native NetworkPolicy cannot express a destination by domain name. Cilium (open source) and Calico (Enterprise/Cloud editions) extend it with FQDN rules, which makes egress control to external SaaS endpoints far more precise than CIDR lists that change under your feet.
Cilium FQDN policy
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-external-services
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: payment-service
  egress:
  - toFQDNs:
    - matchName: "api.stripe.com"
    - matchName: "api.paypal.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  - toFQDNs:
    - matchName: "s3.amazonaws.com"
    - matchPattern: "*.s3.amazonaws.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      rules:
        dns:
        - matchPattern: "*"
Calico GlobalNetworkPolicy DNS policy
# destination.domains is a DNS-policy feature of Calico Enterprise / Calico
# Cloud; open-source Calico does not accept this field.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-external-dns
spec:
  selector: app == "payment-service"
  order: 100
  types:
  - Egress
  egress:
  - action: Allow
    protocol: TCP
    destination:
      domains:
      - "api.stripe.com"
      - "api.paypal.com"
      ports:
      - 443
  - action: Allow
    protocol: UDP
    destination:
      selector: k8s-app == "kube-dns"
      ports:
      - 53
Monitoring DNS policy
# `hubble observe` is the Hubble CLI; the cilium CLI only has `cilium hubble port-forward/enable/ui`.
hubble observe --namespace production --protocol dns
hubble observe --namespace production --fqdn "api.stripe.com"
kubectl logs -n kube-system -l k8s-app=kube-dns --tail=100
kubectl get endpoints kube-dns -n kube-system
Pattern 5: Service mesh mTLS
A service mesh implements mTLS automatically through sidecar proxies, giving service-to-service traffic both encryption and a cryptographic workload identity (the SPIFFE identity of the pod's service account). Network policy decides which pods may connect; mTLS decides who they are once they do.
Istio strict mTLS mode
# A PeerAuthentication named "default" in the root namespace (istio-system)
# is the mesh-wide policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Workload-level policy; portLevelMtls is only valid together with a selector.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: backend-mtls
  namespace: production
spec:
  selector:
    matchLabels:
      tier: backend
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: STRICT
Istio AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend-authz
  namespace: production
spec:
  selector:
    matchLabels:
      app: api
      tier: backend
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/production/sa/frontend"
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/v1/*"]
  - from:
    - source:
        namespaces: ["monitoring"]
        principals:
        - "cluster.local/ns/monitoring/sa/prometheus"
    to:
    - operation:
        methods: ["GET"]
        paths: ["/metrics"]
Cilium identity-based policy with mutual authentication
# Cilium policies select peers by the identity derived from pod labels, which
# include the service account. Note that fromRequires only adds a constraint
# and never admits traffic on its own, so the allow must come from fromEndpoints.
# A YAML mapping may also contain only one `ingress` key; both rules go in one list.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-mtls-traffic
spec:
  endpointSelector: {}
  ingress:
  - fromEndpoints:
    - matchLabels:
        io.cilium.k8s.policy.serviceaccount: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
    # Cilium 1.14+ with mutual authentication enabled (authentication.mutual.spire
    # in the Helm values): the rule only matches once the peer identity has
    # been authenticated.
    authentication:
      mode: required
  - fromEndpoints:
    - matchLabels:
        io.cilium.k8s.policy.serviceaccount: monitoring
    toPorts:
    - ports:
      - port: "9090"
        protocol: TCP
Certificate management
istioctl analyze -n production
istioctl proxy-config secret deploy/frontend.production   # workload certificates issued by istiod
# Certificate resources only exist if cert-manager manages certificates in the namespace
kubectl get certificates -n production
kubectl describe certificate backend-cert -n production
kubectl logs -n istio-system -l app=istiod --tail=50       # Citadel was folded into istiod in Istio 1.5
Pattern 6: A zero-trust network architecture blueprint
Zero trust is not a single product but an architectural stance: never trust, always verify, least privilege. In a cluster it is built in layers, a network foundation that denies by default, an identity layer that authorises by workload identity rather than IP, and audit and observability layers that prove the policy does what you think it does.
Zero-trust network layering
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: zero-trust-foundation
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  # No ingress rules: everything inbound is denied until a workload policy
  # allows it. Do not write an ingress rule with "from: podSelector: {}" and
  # "ports: []" here: an empty ports list means every port, so that would
  # re-open all intra-namespace traffic.
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
Zero-trust identity layer
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: identity-based-policy
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: api
      tier: backend
      env: production
  ingress:
  # fromEndpoints (not fromRequires) is what admits traffic; the service
  # account label binds the rule to the workload identity, not to an IP.
  - fromEndpoints:
    - matchLabels:
        app: web
        tier: frontend
        env: production
        io.cilium.k8s.policy.serviceaccount: frontend-sa
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/v1/.*"
        - method: POST
          path: "/api/v1/orders"
Zero-trust audit layer
# API-server audit policy (passed with --audit-policy-file): record who changes
# network policy, with full request and response bodies for native policies.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
  resources:
  - group: networking.k8s.io
    resources: ["networkpolicies"]
  verbs: ["create", "update", "delete"]
- level: Metadata
  resources:
  - group: cilium.io
    resources: ["ciliumnetworkpolicies", "ciliumclusterwidenetworkpolicies"]
  verbs: ["create", "update", "delete"]
Zero-trust observability
hubble observe --namespace production --type trace --type drop
hubble observe --namespace production --verdict DROPPED --since 5m
kubectl get ciliumnetworkpolicies -A
kubectl get ciliumclusterwidenetworkpolicies
kubectl get networkpolicies -A
# --namespace tells the cilium CLI where Cilium itself runs; the test workloads go in --test-namespace
cilium connectivity test --test-namespace production
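The `hubble observe --verdict DROPPED` output in this section and in pattern 3 is the raw material for tightening an allow list, but reading it flow by flow does not scale. The script below is an added example written for this article (not Cilium or Hubble code): it consumes the JSON-lines form of that output (`hubble observe --verdict DROPPED -o json`), keeps only policy drops, groups them by destination workload and emits a NetworkPolicy skeleton that would admit exactly the observed flows. The field layout it relies on (`verdict`, `source`/`destination` labels carrying the `k8s:` prefix, `l4.<PROTO>.destination_port`, `drop_reason_desc`) is the author's reading of Hubble's flow JSON, and the sample lines are constructed rather than captured.

```python
"""Turn Hubble policy drops into candidate NetworkPolicy rules (added example)."""
import json
from collections import Counter, defaultdict


def _labels(endpoint):
    """'k8s:app=web' -> {'app': 'web'}; Cilium's internal io.* labels are dropped."""
    out = {}
    for raw in endpoint.get("labels", []):
        raw = raw.split(":", 1)[1] if raw.startswith("k8s:") else raw
        key, _, value = raw.partition("=")
        if not key.startswith("io."):
            out[key] = value
    return out


def _l4(flow):
    for proto, l4 in flow.get("l4", {}).items():
        if proto in ("TCP", "UDP", "SCTP") and "destination_port" in l4:
            return proto, l4["destination_port"]
    return None, None


def aggregate_drops(jsonl):
    """{(dst_ns, dst_labels): Counter{(src_ns, src_labels, proto, port): hits}}"""
    groups = defaultdict(Counter)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        flow = json.loads(line).get("flow", {})
        if flow.get("verdict") != "DROPPED" or flow.get("drop_reason_desc") != "POLICY_DENIED":
            continue                       # forwarded flows and non-policy drops are noise here
        proto, port = _l4(flow)
        if port is None:
            continue                       # e.g. ICMP: nothing to put in a ports list
        src, dst = flow["source"], flow["destination"]
        dst_key = (dst["namespace"], tuple(sorted(_labels(dst).items())))
        src_key = (src["namespace"], tuple(sorted(_labels(src).items())), proto, port)
        groups[dst_key][src_key] += 1
    return groups


def suggest_policies(groups):
    """One NetworkPolicy per destination, one ingress rule per (source, proto, port).
    Review every rule before applying it: a drop may be exactly the traffic you
    wanted blocked, so the output is a starting point, not an approval."""
    policies = []
    for (dst_ns, dst_labels), sources in groups.items():
        rules = []
        for (src_ns, src_labels, proto, port), _hits in sorted(sources.items()):
            peer = {"podSelector": {"matchLabels": dict(src_labels)}}
            if src_ns != dst_ns:           # cross-namespace: pin the namespace as well
                peer["namespaceSelector"] = {"matchLabels": {"kubernetes.io/metadata.name": src_ns}}
            rules.append({"from": [peer], "ports": [{"protocol": proto, "port": port}]})
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "allow-" + "-".join(v for _, v in dst_labels) + "-observed",
                         "namespace": dst_ns,
                         "annotations": {"observed-drops": str(sum(sources.values()))}},
            "spec": {"podSelector": {"matchLabels": dict(dst_labels)},
                     "policyTypes": ["Ingress"], "ingress": rules},
        })
    return policies


def _flow(src_ns, src_labels, dst_ns, dst_labels, proto, port, verdict, reason=None):
    """One `hubble observe -o json` line (assumed layout, constructed data)."""
    def ep(ns, labels):
        return {"namespace": ns, "pod_name": "pod",
                "labels": ["k8s:" + l for l in labels] + ["k8s:io.kubernetes.pod.namespace=" + ns]}
    flow = {"verdict": verdict, "source": ep(src_ns, src_labels), "destination": ep(dst_ns, dst_labels),
            "l4": {proto: {"source_port": 51234, "destination_port": port}} if proto else {}}
    if reason:
        flow["drop_reason_desc"] = reason
    return json.dumps({"flow": flow, "node_name": "node-a", "time": "2024-01-01T00:00:00Z"})


WEB, API, PROM = ["app=web", "tier=frontend"], ["app=api", "tier=backend"], ["app=prometheus"]
SAMPLE_FLOWS = "\n".join([
    _flow("production", WEB, "production", API, "TCP", 8080, "DROPPED", "POLICY_DENIED"),
    _flow("production", WEB, "production", API, "TCP", 8080, "DROPPED", "POLICY_DENIED"),
    _flow("monitoring", PROM, "production", API, "TCP", 8080, "DROPPED", "POLICY_DENIED"),
    _flow("production", WEB, "production", API, "TCP", 8080, "FORWARDED"),            # ignored
    _flow("production", WEB, "production", API, None, None, "DROPPED", "POLICY_DENIED"),  # ICMP, no port
])


def demo():
    return suggest_policies(aggregate_drops(SAMPLE_FLOWS))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a live cluster replace `SAMPLE_FLOWS` with `sys.stdin.read()` and pipe `hubble observe --namespace production --verdict DROPPED --since 1h -o json` into the script; the `observed-drops` annotation tells you how much evidence stands behind each generated policy before you commit it to the policy repository.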
Zero-trust architecture audit script
#!/bin/bash
echo "=== Zero Trust Network Audit ==="
echo "[1] Checking default deny policies..."
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
  case "$ns" in kube-system|kube-public|kube-node-lease) continue ;; esac
  count=$(kubectl get networkpolicy -n "$ns" 2>/dev/null | grep -c "default-deny" || true)
  if [ "$count" -eq 0 ]; then
    echo "  WARNING: No default-deny policy in namespace: $ns"
  fi
done
echo "[2] Checking mTLS status..."
# proxy-status lists every sidecar and its sync state; per-workload certificates
# are shown by `istioctl proxy-config secret <pod>.<namespace>`.
istioctl proxy-status 2>/dev/null || echo "  Istio not installed or no proxies found"
echo "[3] Checking Cilium policy status..."
# `policy get` is a command of the agent binary (cilium-dbg in 1.15+, cilium before), not of the cilium CLI
kubectl -n kube-system exec ds/cilium -c cilium-agent -- cilium-dbg policy get 2>/dev/null || echo "  Cilium not available"
echo "[4] Checking for overly permissive policies..."
# A rule with neither peers nor ports matches every source/destination on every port.
kubectl get networkpolicies -A -o json | \
python3 -c "
import json, sys
policies = json.load(sys.stdin)
for p in policies.get('items', []):
    ns = p['metadata']['namespace']
    name = p['metadata']['name']
    for i in p.get('spec', {}).get('ingress', []) or []:
        if not i.get('from') and not i.get('ports'):
            print(f'  WARNING: {ns}/{name} has an ingress rule that allows all sources on all ports')
    for e in p.get('spec', {}).get('egress', []) or []:
        if not e.get('to') and not e.get('ports'):
            print(f'  WARNING: {ns}/{name} has an egress rule that allows all destinations on all ports')
"
echo "=== Audit Complete ==="
Five common pitfalls
Pitfall 1: Forgetting to allow DNS
# ❌ Wrong: after denying all egress, pods can no longer resolve names either
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# ✅ Right: DNS egress must be allowed explicitly (here in the same policy;
# a separate allow-dns-egress policy as in pattern 1 is equivalent)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
Pitfall 2: The namespace is missing the label
# ❌ Wrong: the namespaceSelector matches no namespace, so nothing is allowed
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-monitoring
  namespace: production
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: monitoring
---
# ✅ Right: label the namespace first, and narrow the peer to the scraper pods
# kubectl label namespace monitoring purpose=monitoring
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-monitoring
  namespace: production
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: monitoring
      podSelector:
        matchLabels:
          app: prometheus
Pitfall 3: The CNI does not enforce NetworkPolicy
# ❌ Wrong: flannel does not implement NetworkPolicy; the objects are accepted
# by the API server but have no effect on traffic
# ✅ Right: use a CNI that enforces NetworkPolicy and confirm it is running
# kubectl get pods -n kube-system -l k8s-app=calico-node
# kubectl get pods -n kube-system -l k8s-app=cilium
# kubectl get pods -n kube-system -l app=antrea
Pitfall 4: Expecting policy order to matter
# ❌ Wrong: writing an allow policy and then a "deny" policy, expecting the
# deny to override. NetworkPolicy has no deny action and no priority.
# ✅ Right: NetworkPolicy is an additive allow-list model. Traffic is allowed
# if any policy allows it; to block something, stop allowing it.
# If you need an explicit deny with precedence, use Calico's GlobalNetworkPolicy
# or a Cilium policy. Calico evaluates by ascending `order`; Kubernetes
# NetworkPolicies are imported at order 1000, so an order-50 deny wins.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-suspicious
spec:
  order: 50
  selector: all()
  types:
  - Ingress
  ingress:
  - action: Deny
    source:
      selector: app == "compromised-service"
Pitfall 5: Forgetting about kube-system
# ❌ Wrong: applying default deny to kube-system as well breaks DNS, metrics and
# other cluster components
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: kube-system
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# ✅ Right: kube-system needs special treatment. Either skip default deny there,
# or write precise allow rules for each critical component, such as CoreDNS:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kube-system-allow
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      k8s-app: kube-dns
  policyTypes:
  - Ingress
  ingress:
  - from: []          # an empty from list matches every source, same as omitting it
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
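Most of these pitfalls are visible in the policy objects themselves, so they can be caught in CI before a manifest reaches the cluster. The linter below is an added example written for this article (not a published tool): it takes the `items` lists from `kubectl get networkpolicies -A -o json` and `kubectl get ns -o json` and reports namespaces without a default-deny, egress isolation with no rule that could carry DNS (pitfall 1), namespaceSelectors that match no existing namespace (pitfall 2), and rules that admit everything (the `ports: []` mistake from pattern 6). The objects it runs on are constructed; the DNS check is deliberately per namespace rather than per pod, so it errs on the side of fewer warnings.

```python
"""Lint NetworkPolicy objects for the pitfalls discussed above (added example)."""
SYSTEM_NS = {"kube-system", "kube-public", "kube-node-lease"}


def _types(spec):
    """policyTypes default: Ingress always, Egress only if egress rules are present."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def _carries_dns(rule):
    """An egress rule lets DNS through if it lists port 53 or lists no ports (all ports)."""
    ports = rule.get("ports")
    return not ports or any(p.get("port") in (53, "dns") for p in ports)


def lint(policy_items, ns_items):
    ns_labels = {n["metadata"]["name"]: n["metadata"].get("labels", {}) for n in ns_items}
    by_ns = {}
    for p in policy_items:
        by_ns.setdefault(p["metadata"]["namespace"], []).append(p)
    findings = []

    for ns in ns_labels:                                   # no default deny at all
        if ns in SYSTEM_NS:
            continue
        if not any(p["spec"].get("podSelector", {}) == {} and {"Ingress", "Egress"} <= _types(p["spec"])
                   for p in by_ns.get(ns, [])):
            findings.append(f"{ns}: no default-deny policy")

    for ns, pols in by_ns.items():
        specs = [p["spec"] for p in pols]
        if any("Egress" in _types(s) for s in specs) and not any(
                _carries_dns(r) for s in specs for r in s.get("egress") or []):
            findings.append(f"{ns}: egress isolated but no rule allows DNS (port 53)")
        for p in pols:
            name = f"{ns}/{p['metadata']['name']}"
            for direction, peer_key in (("ingress", "from"), ("egress", "to")):
                for rule in p["spec"].get(direction) or []:
                    if not rule.get(peer_key) and not rule.get("ports"):   # {} or "ports: []"
                        findings.append(f"{name}: {direction} rule allows everything")
                    for peer in rule.get(peer_key) or []:
                        sel = (peer.get("namespaceSelector") or {}).get("matchLabels")
                        if sel and not any(sel.items() <= labels.items() for labels in ns_labels.values()):
                            findings.append(f"{name}: namespaceSelector {sel} matches no namespace")
    return findings


# Constructed objects in the shape kubectl returns them.
def _ns(name, **labels):
    return {"metadata": {"name": name, "labels": {"kubernetes.io/metadata.name": name, **labels}}}


def _np(ns, name, types, ingress=None, egress=None, pod_selector=None):
    spec = {"podSelector": pod_selector or {}, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}


NAMESPACES = [_ns("production", env="production"), _ns("staging", env="staging"),
              _ns("monitoring"), _ns("dev"), _ns("kube-system")]   # monitoring lacks purpose=monitoring
POLICIES = [
    _np("production", "default-deny-all", ["Ingress", "Egress"]),
    _np("production", "allow-dns-egress", ["Egress"], egress=[{
        "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]),
    _np("production", "allow-from-monitoring", ["Ingress"], ingress=[{
        "from": [{"namespaceSelector": {"matchLabels": {"purpose": "monitoring"}}}],
        "ports": [{"protocol": "TCP", "port": 8080}]}]),
    _np("staging", "default-deny-egress", ["Egress"]),                 # pitfall 1: no DNS allow
    _np("staging", "allow-all-ingress", ["Ingress"], ingress=[{}]),    # an empty rule admits everything
]


def demo():
    return lint(POLICIES, NAMESPACES)


if __name__ == "__main__":
    for finding in demo():
        print("WARNING:", finding)
```

Wire it into the policy repository's CI by replacing the constructed lists with `json.load(sys.stdin)["items"]` from the two kubectl commands (or from the rendered manifests), and fail the pipeline on any finding.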
Troubleshooting table
| Symptom | Likely cause | Diagnostic command | Fix |
|---|---|---|---|
| Pods cannot talk to each other | Default-deny policy too strict | kubectl get networkpolicy -A | Add precise ingress/egress rules |
| Service discovery fails | DNS egress blocked | kubectl exec -it <pod> -- nslookup api-service | Add a DNS egress allow rule |
| NetworkPolicy has no effect | CNI does not enforce it | kubectl get pods -n kube-system -l k8s-app | Switch to Calico/Cilium/Antrea |
| Cross-namespace access denied | Namespace is missing the label | kubectl get ns --show-labels | Add the required namespace label |
| Hubble shows nothing | Hubble not enabled | cilium status | Enable Hubble in the Helm install |
| mTLS connection fails | Certificate expired or not issued | istioctl proxy-config secret <pod> | Check the workload certificate (or the cert-manager Certificate) |
| L7 policy has no effect | Envoy L7 proxy not running, or Cilium too old | cilium status; cilium version | Enable the L7 proxy; upgrade Cilium |
| DNS/FQDN policy has no effect | DNS is not passing through Cilium's DNS proxy (no `rules.dns` rule towards kube-dns) | hubble observe --protocol dns | Add the toEndpoints kube-dns rule with `rules.dns` |
| Policy count explodes | Poor label design | kubectl get networkpolicy -A \| wc -l | Redesign the label scheme |
| Calico policies conflict | GlobalNetworkPolicy order | calicoctl get globalnetworkpolicy -o yaml | Adjust the order field |
Further hardening
Policy as code (PaC)
Manage NetworkPolicy through GitOps so that every policy change goes through code review:
git checkout -b feature/add-network-policy
mkdir -p k8s/network-policies/production
cat > k8s/network-policies/production/default-deny.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
git add . && git commit -m "feat: add default deny policy for production"
git push origin feature/add-network-policy
Automated policy testing
cilium connectivity test \
  --test "echo-ingress-l7" \
  --test-namespace production \
  --force-deploy
# Should time out if no policy allows it, succeed once the allow rule is in place
kubectl run policy-test \
  --image=busybox:1.36 \
  -n production \
  --rm -it --restart=Never -- \
  wget -qO- --timeout=2 http://api-service:8080/healthz
# Must succeed: proves the DNS egress rule works
kubectl run dns-test \
  --image=busybox:1.36 \
  -n production \
  --rm -it --restart=Never -- \
  nslookup api-service.production.svc.cluster.local
Policy performance tuning
cilium config view | grep -i policy
# The BPF policy maps live in the agent; query them through the agent binary
kubectl -n kube-system exec ds/cilium -c cilium-agent -- cilium-dbg bpf policy get --all
# Rule counts per policy: large rule sets in one policy are cheaper to evaluate
# than many policies selecting the same endpoints
kubectl get ciliumnetworkpolicies -A -o json | \
python3 -c "
import json, sys
policies = json.load(sys.stdin)
print(f'Total CiliumNetworkPolicies: {len(policies.get(\"items\", []))}')
for p in policies.get('items', []):
    ns = p['metadata']['namespace']
    name = p['metadata']['name']
    ingress = len(p.get('spec', {}).get('ingress', []) or [])
    egress = len(p.get('spec', {}).get('egress', []) or [])
    print(f'  {ns}/{name}: ingress={ingress}, egress={egress}')
"
CNI plugin comparison
| Feature | Calico | Cilium | Antrea | Weave Net |
|---|---|---|---|---|
| NetworkPolicy support | ✅ Full | ✅ Full + L7 | ✅ Full | ⚠️ Basic |
| L7 policy | ⚠️ Enterprise only | ✅ HTTP/gRPC/Kafka | ⚠️ HTTP/TLS (alpha) | ❌ |
| FQDN policy | ⚠️ Enterprise/Cloud only | ✅ | ✅ (Antrea-native policy) | ❌ |
| eBPF data plane | ✅ Optional | ✅ Default | ❌ (OVS) | ❌ |
| Observability | ⚠️ Enterprise only | ✅ Hubble | ⚠️ Flow Exporter | ❌ |
| Encryption | ✅ WireGuard | ✅ WireGuard/IPsec | ✅ IPsec/WireGuard | ✅ IPsec |
| Performance | High | Very high | High | Medium |
| Multi-cluster | ✅ | ✅ Cluster Mesh | ✅ | ❌ |
| Service mesh | ❌ | ✅ Built in | ❌ | ❌ |
| Community activity | High | Very high | High | Low (project archived in 2024) |
| Typical use | General production | High performance + L7 | vSphere environments | Dev/test only |
Summary
Kubernetes network security is not achieved in one step; it is hardened progressively. Start with default deny, move to micro-segmentation, bring in Cilium and eBPF for L7 control, govern external access with DNS-based policy, add mTLS through a service mesh, and finish with a zero-trust architecture. Every step shrinks the attack surface and every layer adds defence in depth. Remember: a Kubernetes cluster without NetworkPolicy is an attacker's playground.