implementing-kubernetes-network-policy-with-calico
使用 Calico NetworkPolicy 和 GlobalNetworkPolicy 实施 Kubernetes 网络分段,实现 Pod 间零信任通信。
Best use case
implementing-kubernetes-network-policy-with-calico is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
使用 Calico NetworkPolicy 和 GlobalNetworkPolicy 实施 Kubernetes 网络分段,实现 Pod 间零信任通信。
Teams using implementing-kubernetes-network-policy-with-calico should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-kubernetes-network-policy-with-calico/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-kubernetes-network-policy-with-calico Compares
| Feature / Agent | implementing-kubernetes-network-policy-with-calico | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
使用 Calico NetworkPolicy 和 GlobalNetworkPolicy 实施 Kubernetes 网络分段,实现 Pod 间零信任通信。
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 使用 Calico 实施 Kubernetes 网络策略
## 概述
Calico 是一个开源 CNI 插件,为 Kubernetes 集群提供细粒度网络策略执行能力。它实现了完整的 Kubernetes NetworkPolicy API,并通过 Calico 专属的 GlobalNetworkPolicy 进行了扩展,支持策略排序、拒绝规则和基于服务账户的选择器。
## 前提条件
- Kubernetes 集群(v1.24+)
- 已安装 Calico CNI(v3.26+)
- `kubectl` 和 `calicoctl` CLI 工具
- 集群管理员 RBAC 权限
## 安装 Calico
### 基于 Operator 的安装(推荐)
```bash
# 安装 Tigera Operator
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/tigera-operator.yaml
# 安装 Calico 自定义资源
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/custom-resources.yaml
# 验证安装
kubectl get pods -n calico-system
watch kubectl get pods -n calico-system
# 安装 calicoctl
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calicoctl.yaml
```
### 验证 Calico 运行状态
```bash
# 检查 Calico Pod
kubectl get pods -n calico-system
# 检查 Calico 节点状态
kubectl exec -n calico-system calicoctl -- calicoctl node status
# 检查 IP 池
kubectl exec -n calico-system calicoctl -- calicoctl get ippool -o wide
```
## Kubernetes NetworkPolicy
### 默认拒绝所有流量
```yaml
# deny-all-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
---
# deny-all-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: production
spec:
podSelector: {}
policyTypes:
- Egress
```
### 允许特定 Pod 间通信
```yaml
# allow-frontend-to-backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-backend
namespace: production
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
```
### 允许 DNS 出口流量
```yaml
# allow-dns-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns-egress
namespace: production
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
```
### 命名空间隔离
```yaml
# allow-same-namespace.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-same-namespace
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- podSelector: {}
```
## Calico 专属策略
### GlobalNetworkPolicy(集群级别)
```yaml
# global-deny-external.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: deny-external-ingress
spec:
order: 100
selector: "projectcalico.org/namespace != 'ingress-nginx'"
types:
- Ingress
ingress:
- action: Deny
source:
nets:
- 0.0.0.0/0
destination: {}
```
### 带拒绝规则的 Calico NetworkPolicy
```yaml
# calico-deny-policy.yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: deny-database-from-frontend
namespace: production
spec:
order: 10
selector: app == 'database'
types:
- Ingress
ingress:
- action: Deny
source:
selector: app == 'frontend'
- action: Allow
source:
selector: app == 'backend'
destination:
ports:
- 5432
```
### 基于服务账户的策略
```yaml
# sa-based-policy.yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: allow-by-service-account
namespace: production
spec:
selector: app == 'api'
ingress:
- action: Allow
source:
serviceAccounts:
names:
- frontend-sa
- monitoring-sa
egress:
- action: Allow
destination:
serviceAccounts:
names:
- database-sa
```
### 主机端点保护
```yaml
# host-endpoint-policy.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: restrict-host-ssh
spec:
order: 10
selector: "has(kubernetes.io/hostname)"
applyOnForward: false
types:
- Ingress
ingress:
- action: Allow
protocol: TCP
source:
nets:
- 10.0.0.0/8
destination:
ports:
- 22
- action: Deny
protocol: TCP
destination:
ports:
- 22
```
## Calico 策略层级
```yaml
# security-tier.yaml
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
name: security
spec:
order: 100
---
# platform-tier.yaml
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
name: platform
spec:
order: 200
```
## 监控与故障排查
```bash
# 列出所有网络策略
kubectl get networkpolicy --all-namespaces
# 列出 Calico 专属策略
kubectl exec -n calico-system calicoctl -- calicoctl get networkpolicy --all-namespaces -o wide
kubectl exec -n calico-system calicoctl -- calicoctl get globalnetworkpolicy -o wide
# 检查特定端点的策略评估
kubectl exec -n calico-system calicoctl -- calicoctl get workloadendpoint -n production -o yaml
# 查看 Calico 日志
kubectl logs -n calico-system -l k8s-app=calico-node --tail=100
# 测试连通性
kubectl exec -n production frontend-pod -- wget -qO- --timeout=2 http://backend-svc:8080/health
```
## 最佳实践
1. **从默认拒绝开始** - 对每个命名空间应用拒绝所有策略,再允许特定流量
2. **统一使用标签** - 为 app、tier、environment 定义标签规范
3. **排序策略** - 使用 Calico 策略排序(`order` 字段)控制评估优先级
4. **先允许 DNS** - 在应用出口拒绝策略前,始终先创建 DNS 出口规则
5. 使用 **GlobalNetworkPolicy** 建立集群级安全基线
6. **在预发布环境测试策略** - 应用策略后验证网络连通性
7. **监控被拒绝的流量** - 启用 Calico 流量日志以了解被阻断的连接
8. **使用层级** - 将策略组织为安全、平台和应用层级Related Skills
securing-kubernetes-on-cloud
本技能涵盖通过实施 Pod 安全标准(Pod Security Standards)、网络策略、工作负载身份、RBAC 权限控制、镜像准入控制和运行时安全监控,对 EKS、AKS 和 GKE 上的托管 Kubernetes 集群进行加固。涉及云平台特定安全功能,包括 EKS 的 IRSA、GKE 的工作负载身份(Workload Identity)以及 AKS 的托管身份(Managed Identity)。
scanning-network-with-nmap-advanced
使用 Nmap 的脚本引擎、时序控制、规避技术和输出解析,对授权目标网络执行高级网络侦察, 发现主机、枚举服务、检测漏洞并识别操作系统。
scanning-kubernetes-manifests-with-kubesec
使用 Kubesec 对 Kubernetes 资源清单执行安全风险分析,识别错误配置、权限提升风险以及与安全最佳实践的偏差。
performing-wireless-network-penetration-test
执行无线网络渗透测试,通过捕获握手包、破解 WPA2/WPA3 密钥、检测流氓接入点以及使用 Aircrack-ng 和相关工具测试无线网络分段,评估 WiFi 安全性。
performing-ot-network-security-assessment
本技能涵盖对运营技术(OT)网络(包括SCADA系统、DCS架构和工业控制系统通信路径)进行全面安全评估。内容涉及Purdue参考模型各层、识别IT/OT融合风险、评估区域间防火墙规则,以及映射工业协议流量(Modbus、DNP3、OPC UA、EtherNet/IP),以检测关键基础设施中的错误配置、未授权连接和攻击面。
performing-network-traffic-analysis-with-zeek
部署 Zeek 网络安全监控器,捕获、解析和分析网络流量元数据,用于威胁检测、异常识别和取证调查。
performing-network-traffic-analysis-with-tshark
使用 tshark 和 pyshark 自动化网络流量分析,进行协议统计、可疑流量检测、DNS 异常识别以及从 PCAP 文件中提取威胁指标(IOC)
performing-network-packet-capture-analysis
使用 Wireshark、tshark 和 tcpdump 对网络数据包捕获(PCAP/PCAPNG)进行取证分析,重建网络通信、提取传输文件、识别恶意流量,并建立数据渗出或命令与控制活动的证据。
performing-network-forensics-with-wireshark
使用 Wireshark 和 tshark 捕获并分析网络流量,重建网络事件、提取制品并识别恶意通信。
performing-kubernetes-penetration-testing
Kubernetes 渗透测试(Penetration Testing)通过对 API server、kubelet、etcd、Pod、RBAC、网络策略和密钥模拟攻击者技术,系统性评估集群安全性。使用 kube-hunter、Kubescape、peirates 等工具识别可能导致集群被攻陷的错误配置。
performing-kubernetes-etcd-security-assessment
通过评估静态加密、TLS 配置、访问控制、备份加密和网络隔离,评估 Kubernetes etcd 集群的安全态势。
performing-kubernetes-cis-benchmark-with-kube-bench
使用 kube-bench 对照 CIS Benchmark 审计 Kubernetes 集群安全态势,对控制平面、工作节点和 RBAC 执行自动化检查。