除非重新启动网络插件守护程序集，否则不会强制执行 Kubernetes 网络策略。为什么？

我想向您展示，weave-net无需重新启动 Pod 即可NetworkPolicy生效。

您的test-network-policy NetworkPolicy标签应用于命名空间run=prod-nginx中的Pod prod，并允许所有入口流量并拒绝所有出口流量。

我将创建一个示例来说明它是如何工作的。

---

首先，我创建了prod-nginx& prod-testPods 并在没有部署的情况下测试了连接性NetworkPolicy：

# kubectl run prod-nginx --image=nginx -n prod
pod/prod-nginx created

# kubectl run prod-test --image=nginx -n prod
pod/prod-test created
    
# kubectl get pod -o wide -n prod
NAME         READY   STATUS    RESTARTS   AGE   IP          LABELS
prod-nginx   1/1     Running   0          37s   10.44.0.1   run=prod-nginx
prod-test    1/1     Running   0          11s   10.44.0.2   run=prod-test

# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.1 | grep -i success
<p>If you see this page, the nginx web server is successfully installed and

# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.2 | grep -i success
<p>If you see this page, the nginx web server is successfully installed and

一切正常，所以让我们部署test-network-policy NetworkPolicy并再次测试：

# cat netpol.yml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: prod
spec:
  ingress:
  - {}
  podSelector:
    matchLabels:
      run: prod-nginx
  policyTypes:
  - Ingress
  - Egress
  
# kubectl apply -f netpol.yml 
networkpolicy.networking.k8s.io/test-network-policy created

我们可以看到该prod-nginxPod无法连接到其他Pod但是可以连接到自身：
笔记：Pod 不能阻止对其自身的访问（参见：网络策略文檔

# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.1 | grep -i success
<p>If you see this page, the nginx web server is successfully installed and
   
# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.2 | grep -i success
command terminated with exit code 7

现在让我们stage-nginx在命名空间中创建一个 Pod stage，并检查该prod-nginxPod 是否可以连接到它：

# kubectl run stage-nginx --image=nginx -n stage
pod/stage-nginx created

# kubectl get pod -o wide -n stage
NAME          READY   STATUS    RESTARTS   AGE   IP          
stage-nginx   1/1     Running   0          20s   10.44.0.6   

# kubectl exec -it prod-nginx -n prod -- curl 10.44.0.6 | grep -i success
command terminated with exit code 7

我们已经验证出口规则正常工作，并且weave-net不需要重新启动 Pod。