Deploy-Laboratory/ansible/files/06-01/networkpolicy-traefik-egress.example.yaml

# 示例：为 Traefik 放行出站（按实际 namespace 与标签调整）
# 适用场景：后端在其它命名空间、需访问集群 DNS 与 Service VIP。
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: traefik-egress-lab-example
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: traefik
  policyTypes:
    - Egress
  egress:
    # 访问任意命名空间内 Pod（可按需收窄为 namespaceSelector + podSelector）
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 8000
    # Service CIDR（k3s 默认常为 10.43.0.0/16，请与集群一致）
    - to:
        - ipBlock:
            cidr: 10.43.0.0/16
    # 集群 DNS
    - ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53