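---
# NetworkPolicy for pods labelled app=op-pvc in namespace "op".
# Despite the name, this is an ingress allow-list: once a pod is selected by
# a policy whose policyTypes include Ingress, only the traffic listed below
# is admitted and every other inbound connection to those pods is dropped.
# Egress is not restricted by this policy.
# Enforcement requires a network plugin that implements NetworkPolicy; on a
# cluster without one the object is accepted but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: op-deny-ingress
  namespace: op
spec:
  podSelector:
    matchLabels:
      app: op-pvc  # pods this policy applies to
  policyTypes:
    - Ingress
  ingress:
    # Single rule: the source must match ANY ONE of the "from" entries (they
    # are ORed, not intersected) and the destination port must be listed
    # under "ports".
    - from:
        # ipBlock matches on the source IP as seen by the node; traffic that
        # passes through a load balancer or SNAT may arrive with a rewritten
        # address, so verify what the pods actually observe.
        - ipBlock:
            cidr: 10.178.0.0/16  # allow this range ...
            except:
              # ... minus this subnet. "except" only carves the subnet out
              # of this ipBlock; it is not a deny rule, and a source in it
              # is still admitted if another "from" entry matches.
              - 10.178.135.0/24
        - ipBlock:
            # Allow the single host 172.88.6.100.
            # NOTE(review): 172.88.0.0/16 is outside the RFC 1918 private
            # range 172.16.0.0/12 - confirm this address is intended.
            cidr: 172.88.6.100/32
        # Pods labelled serviceName=webapp. With no namespaceSelector this
        # matches pods in this policy's own namespace ("op") only.
        # The original line read "webapp#..." with no space before "#", so
        # the comment text became part of the label value and the selector
        # could never match; a comment needs whitespace before "#".
        - podSelector:
            matchLabels:
              serviceName: webapp
      # Destination ports the sources above may reach (TCP only).
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 3690
        - protocol: TCP
          port: 80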