Implements Kubernetes network segmentation with Calico NetworkPolicy and GlobalNetworkPolicy for zero-trust Pod communication. Guides Calico installation and policy examples like default deny and namespace isolation.
Calico is an open-source CNI plugin that provides fine-grained network policy enforcement for Kubernetes clusters. It implements the full Kubernetes NetworkPolicy API and extends it with Calico's own GlobalNetworkPolicy, adding policy ordering, deny rules, and service-account-based selectors.
kubectl and calicoctl CLI tools

```bash
# Install the Tigera Operator
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/tigera-operator.yaml
# Install the Calico custom resources
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/custom-resources.yaml
# Verify the installation
kubectl get pods -n calico-system
watch kubectl get pods -n calico-system
# Install calicoctl
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calicoctl.yaml
# Check the Calico pods
kubectl get pods -n calico-system
# Check Calico node status
kubectl exec -n calico-system calicoctl -- calicoctl node status
# Check IP pools
kubectl exec -n calico-system calicoctl -- calicoctl get ippool -o wide
```
```yaml
# deny-all-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# deny-all-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
```

```yaml
# allow-frontend-to-backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

```yaml
# allow-dns-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

```yaml
# allow-same-namespace.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
```
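The four production-namespace policies above only make sense together, and the interesting question is what they permit once combined. The following evaluator is an added example (not code from the page or from any project) that applies Kubernetes NetworkPolicy semantics offline: a pod that no policy selects is non-isolated, and once a policy of a given direction selects it, traffic passes only if some rule of some selecting policy matches. The policies are constructed copies of the manifests above in the JSON shape `kubectl get networkpolicy -A -o json` returns; the pod and namespace labels, and the extra `allow-frontend-egress-to-backend` policy, are constructed for the demonstration. It handles `matchLabels` only (no `matchExpressions`), ignores `ipBlock` peers, and uses numeric ports.

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (added example, not page code)."""
import json

# Constructed copies of the page's manifests, as kubectl -o json would print them.
POLICIES_JSON = """{"items": [
 {"metadata": {"name": "default-deny-ingress", "namespace": "production"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
 {"metadata": {"name": "default-deny-egress", "namespace": "production"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
 {"metadata": {"name": "allow-frontend-to-backend", "namespace": "production"},
  "spec": {"podSelector": {"matchLabels": {"app": "backend"}}, "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                        "ports": [{"protocol": "TCP", "port": 8080}]}]}},
 {"metadata": {"name": "allow-dns-egress", "namespace": "production"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"],
           "egress": [{"to": [{"namespaceSelector": {}}],
                       "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]}}
]}"""
POLICIES = json.loads(POLICIES_JSON)["items"]

# Constructed namespace labels (Kubernetes adds kubernetes.io/metadata.name to every namespace).
NAMESPACE_LABELS = {"production": {"kubernetes.io/metadata.name": "production"},
                    "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}
FRONTEND = {"namespace": "production", "labels": {"app": "frontend"}}
BACKEND = {"namespace": "production", "labels": {"app": "backend"}}
COREDNS = {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}}

# Constructed policy the page does not include: opens the egress side for frontend -> backend:8080.
EGRESS_FIX = {"metadata": {"name": "allow-frontend-egress-to-backend", "namespace": "production"},
              "spec": {"podSelector": {"matchLabels": {"app": "frontend"}}, "policyTypes": ["Egress"],
                       "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                                   "ports": [{"protocol": "TCP", "port": 8080}]}]}}


def selector_matches(selector, labels):
    """matchLabels semantics; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress when the spec carries egress rules."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def peer_matches(peer, pod, policy_ns):
    """One `from`/`to` entry: podSelector alone is scoped to the policy's own namespace,
    namespaceSelector alone covers every pod in matching namespaces, both together are ANDed."""
    if "ipBlock" in peer:
        return False  # pod-to-pod model only
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is None:
        ns_ok = pod["namespace"] == policy_ns
    else:
        ns_ok = selector_matches(ns_sel, NAMESPACE_LABELS.get(pod["namespace"], {}))
    pod_ok = pod_sel is None or selector_matches(pod_sel, pod["labels"])
    return ns_ok and pod_ok


def port_matches(ports, proto, port):
    """No `ports` list means every port; protocol defaults to TCP; a port-less entry is any port."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port", port) == port for p in ports)


def direction_allowed(policies, pod, direction, peer, proto, port):
    """'Ingress': `pod` is the destination and `peer` the source; 'Egress': the reverse."""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec, ns = pol["spec"], pol["metadata"]["namespace"]
        if ns != pod["namespace"] or direction not in policy_types(spec):
            continue
        if not selector_matches(spec["podSelector"], pod["labels"]):
            continue
        isolated = True  # at least one policy of this direction selects the pod
        for rule in spec.get(rules_key, []):
            peers = rule.get(peers_key)
            peers_ok = not peers or any(peer_matches(p, peer, ns) for p in peers)
            if peers_ok and port_matches(rule.get("ports"), proto, port):
                return True
    return not isolated  # non-isolated pods accept everything


def evaluate(policies, src, dst, proto, port):
    """Returns (egress allowed at src, ingress allowed at dst); a flow needs both to be True."""
    return (direction_allowed(policies, src, "Egress", dst, proto, port),
            direction_allowed(policies, dst, "Ingress", src, proto, port))


if __name__ == "__main__":
    for label, pols, s, d, pr, po in [
        ("frontend -> backend:8080", POLICIES, FRONTEND, BACKEND, "TCP", 8080),
        ("frontend -> coredns:53/udp", POLICIES, FRONTEND, COREDNS, "UDP", 53),
        ("frontend -> backend:8080 + egress fix", POLICIES + [EGRESS_FIX], FRONTEND, BACKEND, "TCP", 8080),
    ]:
        print(f"{label}: (egress, ingress) = {evaluate(pols, s, d, pr, po)}")
```

Running it shows the point that is easy to miss when reading the manifests one at a time: `allow-frontend-to-backend` opens only the ingress side of backend pods, so with `default-deny-egress` in place the frontend's egress to backend:8080 is still blocked until a matching egress allow (here the constructed `EGRESS_FIX`) exists. DNS to kube-system succeeds because `allow-dns-egress` opens port 53 and nothing in kube-system isolates CoreDNS in this model.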
```yaml
# global-deny-external.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-external-ingress
spec:
  order: 100
  selector: "projectcalico.org/namespace != 'ingress-nginx'"
  types:
  - Ingress
  ingress:
  - action: Deny
    source:
      nets:
      - 0.0.0.0/0
    destination: {}
```

```yaml
# calico-deny-policy.yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-database-from-frontend
  namespace: production
spec:
  order: 10
  selector: app == 'database'
  types:
  - Ingress
  ingress:
  - action: Deny
    source:
      selector: app == 'frontend'
  - action: Allow
    source:
      selector: app == 'backend'
    destination:
      ports:
      - 5432
```

```yaml
# sa-based-policy.yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-by-service-account
  namespace: production
spec:
  selector: app == 'api'
  ingress:
  - action: Allow
    source:
      serviceAccounts:
        names:
        - frontend-sa
        - monitoring-sa
  egress:
  - action: Allow
    destination:
      serviceAccounts:
        names:
        - database-sa
```
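Calico policies differ from Kubernetes NetworkPolicy in that they are ordered and rules can deny: policies that select an endpoint are evaluated from the lowest `order` upward, rules inside a policy in the order written, and the first matching Allow or Deny decides. The simulation below is an added example (not code from the page or from the Calico project) that walks one ingress decision through the three Calico policies above: `deny-database-from-frontend`, `allow-by-service-account` and the global `deny-external-ingress`. The policy dicts are constructed copies of those manifests; the endpoints, their IPs and service accounts are constructed. Only Allow/Deny actions and a subset of the selector syntax (`==`, `!=`, `has()`, `all()`, `&&`) are modelled.

```python
"""Offline simulation of Calico policy/rule ordering for ingress (added example, not page code)."""
import ipaddress
import re

# Constructed dict copies of the page's three Calico manifests.
POLICIES = [
    {"kind": "GlobalNetworkPolicy", "metadata": {"name": "deny-external-ingress"},
     "spec": {"order": 100, "selector": "projectcalico.org/namespace != 'ingress-nginx'",
              "types": ["Ingress"],
              "ingress": [{"action": "Deny", "source": {"nets": ["0.0.0.0/0"]}, "destination": {}}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "deny-database-from-frontend", "namespace": "production"},
     "spec": {"order": 10, "selector": "app == 'database'", "types": ["Ingress"],
              "ingress": [{"action": "Deny", "source": {"selector": "app == 'frontend'"}},
                          {"action": "Allow", "source": {"selector": "app == 'backend'"},
                           "destination": {"ports": [5432]}}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "allow-by-service-account", "namespace": "production"},
     "spec": {"selector": "app == 'api'",  # no order: evaluated after every ordered policy
              "ingress": [{"action": "Allow",
                           "source": {"serviceAccounts": {"names": ["frontend-sa", "monitoring-sa"]}}}],
              "egress": [{"action": "Allow",
                          "destination": {"serviceAccounts": {"names": ["database-sa"]}}}]}},
]


def endpoint(app, ns, ip, sa):
    """Constructed workload endpoint; Calico labels every pod with projectcalico.org/namespace."""
    return {"labels": {"app": app, "projectcalico.org/namespace": ns},
            "namespace": ns, "ip": ip, "serviceAccount": sa}


FRONTEND = endpoint("frontend", "production", "10.244.1.10", "frontend-sa")
BACKEND = endpoint("backend", "production", "10.244.1.11", "backend-sa")
DATABASE = endpoint("database", "production", "10.244.1.12", "database-sa")
API = endpoint("api", "production", "10.244.1.13", "api-sa")

# Selector subset: `k == 'v'`, `k != 'v'`, `has(k)`, `all()`, clauses joined with `&&`.
CLAUSE = re.compile(r"^\s*(?:has\((?P<hkey>[^)]+)\)|(?P<key>[\w./-]+)\s*(?P<op>==|!=)\s*'(?P<val>[^']*)')\s*$")


def selector_matches(expr, labels):
    expr = expr.strip()
    if expr in ("", "all()"):
        return True
    for clause in expr.split("&&"):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported selector clause: {clause!r}")
        if m.group("hkey"):
            ok = m.group("hkey").strip() in labels
        else:  # `!=` also matches endpoints that lack the label entirely
            ok = (labels.get(m.group("key")) == m.group("val")) == (m.group("op") == "==")
        if not ok:
            return False
    return True


def entity_matches(ent, ep):
    """A rule's source/destination block: selector, nets and serviceAccounts are ANDed."""
    if "selector" in ent and not selector_matches(ent["selector"], ep["labels"]):
        return False
    if "nets" in ent and not any(ipaddress.ip_address(ep["ip"]) in ipaddress.ip_network(n)
                                 for n in ent["nets"]):
        return False
    if "serviceAccounts" in ent and ep["serviceAccount"] not in ent["serviceAccounts"].get("names", []):
        return False
    return True


def rule_matches(rule, src, dst, proto, port):
    if rule.get("protocol", proto) != proto:
        return False
    dst_ent = rule.get("destination", {})
    ports = dst_ent.get("ports")
    return (entity_matches(rule.get("source", {}), src) and entity_matches(dst_ent, dst)
            and (not ports or port in ports))


def applicable_policies(policies, ep, direction):
    out = []
    for p in policies:
        spec, ns = p["spec"], p["metadata"].get("namespace")
        if ns is not None and ns != ep["namespace"]:
            continue  # a namespaced NetworkPolicy only covers endpoints in its namespace
        types = spec.get("types") or [t for t in ("Ingress", "Egress") if t.lower() in spec]
        if direction in types and selector_matches(spec["selector"], ep["labels"]):
            out.append(p)
    # lower order first; policies with no order sort after every ordered policy
    return sorted(out, key=lambda p: (p["spec"].get("order") is None, p["spec"].get("order") or 0))


def evaluate_ingress(policies, dst, src, proto, port):
    """Returns (action, deciding policy). First matching rule wins; if policies apply but no
    rule matches the traffic is denied; with no applicable policy at all it is allowed."""
    applicable = applicable_policies(policies, dst, "Ingress")
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            if rule_matches(rule, src, dst, proto, port):
                return rule["action"], p["metadata"]["name"]
    if applicable:
        return "Deny", "implicit: policies applied, no rule matched"
    return "Allow", "no policy selects the destination"


if __name__ == "__main__":
    print("backend -> database:5432 ", evaluate_ingress(POLICIES, DATABASE, BACKEND, "TCP", 5432))
    print("backend -> database:5433 ", evaluate_ingress(POLICIES, DATABASE, BACKEND, "TCP", 5433))
    print("frontend -> api:8080     ", evaluate_ingress(POLICIES, API, FRONTEND, "TCP", 8080))
    print("same, without global deny", evaluate_ingress(POLICIES[1:], API, FRONTEND, "TCP", 8080))
```

Two results are worth noting. `deny-database-from-frontend` (order 10) decides database traffic before the global policy is consulted, so backend:5432 is allowed and frontend is denied by its first rule. But `deny-external-ingress` uses `nets: 0.0.0.0/0` as the source, which also covers pod IPs, and at order 100 it is evaluated before the unordered `allow-by-service-account`, so frontend-sa to api:8080 is denied by the global policy; the service-account allow only takes effect when it is given a lower `order` than the global deny or the deny's source is narrowed to the address ranges that are actually external.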
```yaml
# host-endpoint-policy.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: restrict-host-ssh
spec:
  order: 10
  selector: "has(kubernetes.io/hostname)"
  applyOnForward: false
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      nets:
      - 10.0.0.0/8
    destination:
      ports:
      - 22
  - action: Deny
    protocol: TCP
    destination:
      ports:
      - 22
```

```yaml
# security-tier.yaml
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# platform-tier.yaml
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: platform
spec:
  order: 200
```
```bash
# List all network policies
kubectl get networkpolicy --all-namespaces
# List Calico-specific policies
kubectl exec -n calico-system calicoctl -- calicoctl get networkpolicy --all-namespaces -o wide
kubectl exec -n calico-system calicoctl -- calicoctl get globalnetworkpolicy -o wide
# Inspect policy evaluation for a specific endpoint
kubectl exec -n calico-system calicoctl -- calicoctl get workloadendpoint -n production -o yaml
# View Calico logs
kubectl logs -n calico-system -l k8s-app=calico-node --tail=100
# Test connectivity
kubectl exec -n production frontend-pod -- wget -qO- --timeout=2 http://backend-svc:8080/health
```
order field) controls evaluation priority
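The listing commands above show which policies exist, but not whether every namespace actually has the default-deny baseline the earlier manifests establish. The audit below is an added example (not part of the page) that consumes the JSON printed by `kubectl get networkpolicy -A -o json` and reports, per namespace, whether a default-deny Ingress and Egress policy exists and whether any policy allows DNS egress on port 53, the combination that otherwise leaves pods unable to resolve names. `SAMPLE_DOC` is constructed: the page's production policies plus two invented namespaces (`staging`, `batch`) that exhibit the findings.

```python
"""Audit namespaces for default-deny coverage from kubectl JSON output (added example, not page code)."""
import json
import sys

# Constructed sample in the shape of `kubectl get networkpolicy -A -o json`.
SAMPLE_DOC = {"items": [
    {"metadata": {"name": "default-deny-ingress", "namespace": "production"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "default-deny-egress", "namespace": "production"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
    {"metadata": {"name": "allow-dns-egress", "namespace": "production"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {}}],
                          "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]}},
    {"metadata": {"name": "allow-frontend-to-backend", "namespace": "staging"},   # invented namespace
     "spec": {"podSelector": {"matchLabels": {"app": "backend"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                           "ports": [{"protocol": "TCP", "port": 8080}]}]}},
    {"metadata": {"name": "default-deny-egress", "namespace": "batch"},          # invented namespace
     "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
]}


def policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress when the spec carries egress rules."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def selects_all_pods(spec):
    """podSelector {} or {matchLabels: {}} selects every pod in the namespace."""
    return not any(spec.get("podSelector", {}).values())


def is_default_deny(spec, direction):
    """Selects all pods, covers this direction, and has no rules for it: nothing is allowed."""
    return (selects_all_pods(spec) and direction in policy_types(spec)
            and not spec.get(direction.lower()))


def allows_dns_egress(spec):
    return "Egress" in policy_types(spec) and any(
        p.get("port") == 53 for rule in spec.get("egress", []) for p in rule.get("ports", []))


def _empty():
    return {"deny_ingress": False, "deny_egress": False, "dns_egress": False}


def audit(doc, namespaces=()):
    """Per-namespace coverage. Pass the full namespace list (kubectl get ns) so namespaces
    with no policies at all are reported rather than silently absent."""
    report = {ns: _empty() for ns in namespaces}
    for item in doc["items"]:
        ns, spec = item["metadata"]["namespace"], item["spec"]
        r = report.setdefault(ns, _empty())
        r["deny_ingress"] = r["deny_ingress"] or is_default_deny(spec, "Ingress")
        r["deny_egress"] = r["deny_egress"] or is_default_deny(spec, "Egress")
        r["dns_egress"] = r["dns_egress"] or allows_dns_egress(spec)
    return report


def findings(report):
    out = []
    for ns in sorted(report):
        r = report[ns]
        if not r["deny_ingress"]:
            out.append(f"{ns}: no default-deny Ingress policy")
        if not r["deny_egress"]:
            out.append(f"{ns}: no default-deny Egress policy")
        if r["deny_egress"] and not r["dns_egress"]:
            out.append(f"{ns}: Egress is default-denied but no policy allows DNS (port 53)")
    return out


if __name__ == "__main__":
    # usage: kubectl get networkpolicy -A -o json > netpols.json && python audit.py netpols.json
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DOC
    for line in findings(audit(doc)) or ["no findings"]:
        print(line)
```

The check is intentionally syntactic: it recognises the `podSelector: {}` plus empty-rules pattern from the manifests above, so a default deny written any other way (for instance a Calico GlobalNetworkPolicy) would not be counted, and the `dns_egress` flag only confirms that some policy opens port 53, not that the peer it opens it to is the cluster DNS.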