implementing-kubernetes-network-policy-with-calico

使用 Calico NetworkPolicy 和 GlobalNetworkPolicy 实施 Kubernetes 网络分段,实现 Pod 间零信任通信。

9 stars

Best use case

implementing-kubernetes-network-policy-with-calico is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用 Calico NetworkPolicy 和 GlobalNetworkPolicy 实施 Kubernetes 网络分段,实现 Pod 间零信任通信。

Teams using implementing-kubernetes-network-policy-with-calico should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-kubernetes-network-policy-with-calico Compares

Feature / Agentimplementing-kubernetes-network-policy-with-calicoStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用 Calico NetworkPolicy 和 GlobalNetworkPolicy 实施 Kubernetes 网络分段,实现 Pod 间零信任通信。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用 Calico 实施 Kubernetes 网络策略

## 概述

Calico 是一个开源 CNI 插件,为 Kubernetes 集群提供细粒度网络策略执行能力。它实现了完整的 Kubernetes NetworkPolicy API,并通过 Calico 专属的 GlobalNetworkPolicy 进行了扩展,支持策略排序、拒绝规则和基于服务账户的选择器。

## 前提条件

- Kubernetes 集群(v1.24+)
- 已安装 Calico CNI(v3.26+)
- `kubectl` 和 `calicoctl` CLI 工具
- 集群管理员 RBAC 权限

## 安装 Calico

### 基于 Operator 的安装(推荐)

```bash
# 安装 Tigera Operator
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/tigera-operator.yaml

# 安装 Calico 自定义资源
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/custom-resources.yaml

# 验证安装
kubectl get pods -n calico-system
watch kubectl get pods -n calico-system

# 安装 calicoctl
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calicoctl.yaml
```

### 验证 Calico 运行状态

```bash
# 检查 Calico Pod
kubectl get pods -n calico-system

# 检查 Calico 节点状态
kubectl exec -n calico-system calicoctl -- calicoctl node status

# 检查 IP 池
kubectl exec -n calico-system calicoctl -- calicoctl get ippool -o wide
```

## Kubernetes NetworkPolicy

### 默认拒绝所有流量

```yaml
# deny-all-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress

---
# deny-all-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
```

### 允许特定 Pod 间通信

```yaml
# allow-frontend-to-backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

### 允许 DNS 出口流量

```yaml
# allow-dns-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

### 命名空间隔离

```yaml
# allow-same-namespace.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
```

## Calico 专属策略

### GlobalNetworkPolicy(集群级别)

```yaml
# global-deny-external.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-external-ingress
spec:
  order: 100
  selector: "projectcalico.org/namespace != 'ingress-nginx'"
  types:
    - Ingress
  ingress:
    - action: Deny
      source:
        nets:
          - 0.0.0.0/0
      destination: {}
```

### 带拒绝规则的 Calico NetworkPolicy

```yaml
# calico-deny-policy.yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-database-from-frontend
  namespace: production
spec:
  order: 10
  selector: app == 'database'
  types:
    - Ingress
  ingress:
    - action: Deny
      source:
        selector: app == 'frontend'
    - action: Allow
      source:
        selector: app == 'backend'
      destination:
        ports:
          - 5432
```

### 基于服务账户的策略

```yaml
# sa-based-policy.yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-by-service-account
  namespace: production
spec:
  selector: app == 'api'
  ingress:
    - action: Allow
      source:
        serviceAccounts:
          names:
            - frontend-sa
            - monitoring-sa
  egress:
    - action: Allow
      destination:
        serviceAccounts:
          names:
            - database-sa
```

### 主机端点保护

```yaml
# host-endpoint-policy.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: restrict-host-ssh
spec:
  order: 10
  selector: "has(kubernetes.io/hostname)"
  applyOnForward: false
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 10.0.0.0/8
      destination:
        ports:
          - 22
    - action: Deny
      protocol: TCP
      destination:
        ports:
          - 22
```

## Calico 策略层级

```yaml
# security-tier.yaml
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100

---
# platform-tier.yaml
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: platform
spec:
  order: 200
```

## 监控与故障排查

```bash
# 列出所有网络策略
kubectl get networkpolicy --all-namespaces

# 列出 Calico 专属策略
kubectl exec -n calico-system calicoctl -- calicoctl get networkpolicy --all-namespaces -o wide
kubectl exec -n calico-system calicoctl -- calicoctl get globalnetworkpolicy -o wide

# 检查特定端点的策略评估
kubectl exec -n calico-system calicoctl -- calicoctl get workloadendpoint -n production -o yaml

# 查看 Calico 日志
kubectl logs -n calico-system -l k8s-app=calico-node --tail=100

# 测试连通性
kubectl exec -n production frontend-pod -- wget -qO- --timeout=2 http://backend-svc:8080/health
```

## 最佳实践

1. **从默认拒绝开始** - 对每个命名空间应用拒绝所有策略,再允许特定流量
2. **统一使用标签** - 为 app、tier、environment 定义标签规范
3. **排序策略** - 使用 Calico 策略排序(`order` 字段)控制评估优先级
4. **先允许 DNS** - 在应用出口拒绝策略前,始终先创建 DNS 出口规则
5. 使用 **GlobalNetworkPolicy** 建立集群级安全基线
6. **在预发布环境测试策略** - 应用策略后验证网络连通性
7. **监控被拒绝的流量** - 启用 Calico 流量日志以了解被阻断的连接
8. **使用层级** - 将策略组织为安全、平台和应用层级

Related Skills

securing-kubernetes-on-cloud

9
from killvxk/cybersecurity-skills-zh

本技能涵盖通过实施 Pod 安全标准(Pod Security Standards)、网络策略、工作负载身份、RBAC 权限控制、镜像准入控制和运行时安全监控,对 EKS、AKS 和 GKE 上的托管 Kubernetes 集群进行加固。涉及云平台特定安全功能,包括 EKS 的 IRSA、GKE 的工作负载身份(Workload Identity)以及 AKS 的托管身份(Managed Identity)。

scanning-network-with-nmap-advanced

9
from killvxk/cybersecurity-skills-zh

使用 Nmap 的脚本引擎、时序控制、规避技术和输出解析,对授权目标网络执行高级网络侦察, 发现主机、枚举服务、检测漏洞并识别操作系统。

scanning-kubernetes-manifests-with-kubesec

9
from killvxk/cybersecurity-skills-zh

使用 Kubesec 对 Kubernetes 资源清单执行安全风险分析,识别错误配置、权限提升风险以及与安全最佳实践的偏差。

performing-wireless-network-penetration-test

9
from killvxk/cybersecurity-skills-zh

执行无线网络渗透测试,通过捕获握手包、破解 WPA2/WPA3 密钥、检测流氓接入点以及使用 Aircrack-ng 和相关工具测试无线网络分段,评估 WiFi 安全性。

performing-ot-network-security-assessment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖对运营技术(OT)网络(包括SCADA系统、DCS架构和工业控制系统通信路径)进行全面安全评估。内容涉及Purdue参考模型各层、识别IT/OT融合风险、评估区域间防火墙规则,以及映射工业协议流量(Modbus、DNP3、OPC UA、EtherNet/IP),以检测关键基础设施中的错误配置、未授权连接和攻击面。

performing-network-traffic-analysis-with-zeek

9
from killvxk/cybersecurity-skills-zh

部署 Zeek 网络安全监控器,捕获、解析和分析网络流量元数据,用于威胁检测、异常识别和取证调查。

performing-network-traffic-analysis-with-tshark

9
from killvxk/cybersecurity-skills-zh

使用 tshark 和 pyshark 自动化网络流量分析,进行协议统计、可疑流量检测、DNS 异常识别以及从 PCAP 文件中提取威胁指标(IOC)

performing-network-packet-capture-analysis

9
from killvxk/cybersecurity-skills-zh

使用 Wireshark、tshark 和 tcpdump 对网络数据包捕获(PCAP/PCAPNG)进行取证分析,重建网络通信、提取传输文件、识别恶意流量,并建立数据渗出或命令与控制活动的证据。

performing-network-forensics-with-wireshark

9
from killvxk/cybersecurity-skills-zh

使用 Wireshark 和 tshark 捕获并分析网络流量,重建网络事件、提取制品并识别恶意通信。

performing-kubernetes-penetration-testing

9
from killvxk/cybersecurity-skills-zh

Kubernetes 渗透测试(Penetration Testing)通过对 API server、kubelet、etcd、Pod、RBAC、网络策略和密钥模拟攻击者技术,系统性评估集群安全性。使用 kube-hunter、Kubescape、peirates 等工具识别可能导致集群被攻陷的错误配置。

performing-kubernetes-etcd-security-assessment

9
from killvxk/cybersecurity-skills-zh

通过评估静态加密、TLS 配置、访问控制、备份加密和网络隔离,评估 Kubernetes etcd 集群的安全态势。

performing-kubernetes-cis-benchmark-with-kube-bench

9
from killvxk/cybersecurity-skills-zh

使用 kube-bench 对照 CIS Benchmark 审计 Kubernetes 集群安全态势,对控制平面、工作节点和 RBAC 执行自动化检查。