[{"data":1,"prerenderedAt":1603},["ShallowReactive",2],{"blog-ja-kubernetes-network-policies-security":3,"blog-ja-kubernetes-network-policies-security-alt":1497},{"id":4,"title":5,"author":6,"body":7,"date":1588,"description":1589,"extension":1590,"image":116,"locale":1591,"meta":1592,"navigation":1497,"path":1593,"seo":1594,"stem":1595,"tags":1596,"__hash__":1602},"blog\u002Fblog\u002Fja\u002Fkubernetes-network-policies-security.md","Kubernetes Network Policy によるゼロトラストセキュリティ実践ガイド","Kubo Team",{"type":8,"value":9,"toc":1562},"minimark",[10,14,24,32,36,45,50,58,81,84,96,100,104,110,223,227,299,303,381,394,398,402,405,749,753,761,900,904,912,1080,1084,1099,1102,1110,1136,1329,1332,1338,1364,1439,1443,1451,1455,1458,1462,1465,1469,1472,1476,1479,1483,1486,1536,1549,1558],[11,12,13],"p",{},"Kubernetes のデフォルト設定では、すべての Pod 間通信が無制限に許可されています。これは、1つのコンテナが侵害されるとクラスタ内のすべてのサービス（データベース、内部API、機密サービス）にネットワークアクセスが可能になることを意味します。",[11,15,16,23],{},[17,18,22],"a",{"href":19,"rel":20},"https:\u002F\u002Fkubernetes.io\u002Fdocs\u002Fconcepts\u002Fservices-networking\u002Fnetwork-policies\u002F",[21],"nofollow","Kubernetes 公式ドキュメント","が定義する Network Policy は、この問題に対するネイティブなソリューションです。本記事では、Default Deny からゼロトラストネットワークの完全実装までを、実際の YAML 設定例とともに解説します。",[11,25,26,31],{},[17,27,30],{"href":28,"rel":29},"https:\u002F\u002Fkubo.hexabase.io\u002F",[21],"Kubo"," は月額48,000円〜のマネージド Kubernetes プラットフォームで、Network Policy のデフォルト適用を含むセキュリティ基盤を提供しています。",[33,34,35],"h2",{"id":35},"ゼロトラストモデルとは何か",[11,37,38,39,44],{},"ゼロトラストとは「何も信頼せず、すべての接続を明示的に許可する」セキュリティモデルです。",[17,40,43],{"href":41,"rel":42},"https:\u002F\u002Fwww.groundcover.com\u002Flearn\u002Fsecurity\u002Fzero-trust-kubernetes",[21],"Groundcover の解説","によれば、Kubernetes においては「Pod は明確なポリシーがある場合にのみ通信できる」ことを意味します。",[46,47,49],"h3",{"id":48},"なぜ-kubernetes-でゼロトラストが必要なのか","なぜ Kubernetes でゼロトラストが必要なのか",[11,51,52,57],{},[17,53,56],{"href":54,"rel":55},"https:\u002F\u002Fatmosly.com\u002Fblog\u002Fkubernetes-network-policies-security-implementation-guide-2025",[21],"Atmosly のセキュリティガイド","は、以下のリスクを指摘しています：",[59,60,61,69,75],"ul",{},[62,63,64,68],"li",{},[65,66,67],"strong",{},"ラテラルムーブメント",": 1つの Pod が侵害されると、同一クラスタ内の全サービスに到達可能",[62,70,71,74],{},[65,72,73],{},"データ漏洩",": データベース Pod への直接アクセスが可能",[62,76,77,80],{},[65,78,79],{},"サプライチェーン攻撃",": 侵害されたサードパーティコンテナからの内部ネットワーク探索",[11,82,83],{},"Network Policy は OSI レイヤー 3-4（IP\u002Fポート）でトラフィックを制御し、これらのリスクを緩和します。",[11,85,86,91,92,95],{},[17,87,90],{"href":88,"rel":89},"https:\u002F\u002Fwww.hexabase.com\u002Fproduct\u002Fcaptain-ai\u002F",[21],"Captain.AI"," と ",[17,93,30],{"href":28,"rel":94},[21]," では、AI ワーカー間の通信も Network Policy で最小限に制限されています。",[33,97,99],{"id":98},"default-denyゼロトラストの第一歩","Default Deny：ゼロトラストの第一歩",[46,101,103],{"id":102},"全-ingress-トラフィックを拒否","全 Ingress トラフィックを拒否",[11,105,106,109],{},[17,107,22],{"href":19,"rel":108},[21],"に記載されている Default Deny ポリシー：",[111,112,117],"pre",{"className":113,"code":114,"language":115,"meta":116,"style":116},"language-yaml shiki shiki-themes tokyo-night","apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: default-deny-ingress\n  namespace: production\nspec:\n  podSelector: {}      # 空セレクタ = namespace 内の全 Pod に適用\n  policyTypes:\n  - Ingress             # Ingress のみ拒否、Egress は許可\n","yaml","",[118,119,120,137,148,157,168,179,187,202,210],"code",{"__ignoreMap":116},[121,122,125,129,133],"span",{"class":123,"line":124},"line",1,[121,126,128],{"class":127},"s0U2E","apiVersion",[121,130,132],{"class":131},"sAklC",":",[121,134,136],{"class":135},"sPY7s"," networking.k8s.io\u002Fv1\n",[121,138,140,143,145],{"class":123,"line":139},2,[121,141,142],{"class":127},"kind",[121,144,132],{"class":131},[121,146,147],{"class":135}," NetworkPolicy\n",[121,149,151,154],{"class":123,"line":150},3,[121,152,153],{"class":127},"metadata",[121,155,156],{"class":131},":\n",[121,158,160,163,165],{"class":123,"line":159},4,[121,161,162],{"class":127},"  name",[121,164,132],{"class":131},[121,166,167],{"class":135}," default-deny-ingress\n",[121,169,171,174,176],{"class":123,"line":170},5,[121,172,173],{"class":127},"  namespace",[121,175,132],{"class":131},[121,177,178],{"class":135}," production\n",[121,180,182,185],{"class":123,"line":181},6,[121,183,184],{"class":127},"spec",[121,186,156],{"class":131},[121,188,190,193,195,198],{"class":123,"line":189},7,[121,191,192],{"class":127},"  podSelector",[121,194,132],{"class":131},[121,196,197],{"class":131}," {}",[121,199,201],{"class":200},"sbD-w","      # 空セレクタ = namespace 内の全 Pod に適用\n",[121,203,205,208],{"class":123,"line":204},8,[121,206,207],{"class":127},"  policyTypes",[121,209,156],{"class":131},[121,211,213,217,220],{"class":123,"line":212},9,[121,214,216],{"class":215},"sgJMe","  -",[121,218,219],{"class":135}," Ingress",[121,221,222],{"class":200},"             # Ingress のみ拒否、Egress は許可\n",[46,224,226],{"id":225},"全-egress-トラフィックを拒否","全 Egress トラフィックを拒否",[111,228,230],{"className":113,"code":229,"language":115,"meta":116,"style":116},"apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: default-deny-egress\n  namespace: production\nspec:\n  podSelector: {}\n  policyTypes:\n  - Egress\n",[118,231,232,240,248,254,263,271,277,286,292],{"__ignoreMap":116},[121,233,234,236,238],{"class":123,"line":124},[121,235,128],{"class":127},[121,237,132],{"class":131},[121,239,136],{"class":135},[121,241,242,244,246],{"class":123,"line":139},[121,243,142],{"class":127},[121,245,132],{"class":131},[121,247,147],{"class":135},[121,249,250,252],{"class":123,"line":150},[121,251,153],{"class":127},[121,253,156],{"class":131},[121,255,256,258,260],{"class":123,"line":159},[121,257,162],{"class":127},[121,259,132],{"class":131},[121,261,262],{"class":135}," default-deny-egress\n",[121,264,265,267,269],{"class":123,"line":170},[121,266,173],{"class":127},[121,268,132],{"class":131},[121,270,178],{"class":135},[121,272,273,275],{"class":123,"line":181},[121,274,184],{"class":127},[121,276,156],{"class":131},[121,278,279,281,283],{"class":123,"line":189},[121,280,192],{"class":127},[121,282,132],{"class":131},[121,284,285],{"class":131}," {}\n",[121,287,288,290],{"class":123,"line":204},[121,289,207],{"class":127},[121,291,156],{"class":131},[121,293,294,296],{"class":123,"line":212},[121,295,216],{"class":215},[121,297,298],{"class":135}," Egress\n",[46,300,302],{"id":301},"全トラフィックingress-egressを拒否","全トラフィック（Ingress + Egress）を拒否",[111,304,306],{"className":113,"code":305,"language":115,"meta":116,"style":116},"apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: default-deny-all\n  namespace: production\nspec:\n  podSelector: {}\n  policyTypes:\n  - Ingress\n  - Egress\n",[118,307,308,316,324,330,339,347,353,361,367,374],{"__ignoreMap":116},[121,309,310,312,314],{"class":123,"line":124},[121,311,128],{"class":127},[121,313,132],{"class":131},[121,315,136],{"class":135},[121,317,318,320,322],{"class":123,"line":139},[121,319,142],{"class":127},[121,321,132],{"class":131},[121,323,147],{"class":135},[121,325,326,328],{"class":123,"line":150},[121,327,153],{"class":127},[121,329,156],{"class":131},[121,331,332,334,336],{"class":123,"line":159},[121,333,162],{"class":127},[121,335,132],{"class":131},[121,337,338],{"class":135}," default-deny-all\n",[121,340,341,343,345],{"class":123,"line":170},[121,342,173],{"class":127},[121,344,132],{"class":131},[121,346,178],{"class":135},[121,348,349,351],{"class":123,"line":181},[121,350,184],{"class":127},[121,352,156],{"class":131},[121,354,355,357,359],{"class":123,"line":189},[121,356,192],{"class":127},[121,358,132],{"class":131},[121,360,285],{"class":131},[121,362,363,365],{"class":123,"line":204},[121,364,207],{"class":127},[121,366,156],{"class":131},[121,368,369,371],{"class":123,"line":212},[121,370,216],{"class":215},[121,372,373],{"class":135}," Ingress\n",[121,375,377,379],{"class":123,"line":376},10,[121,378,216],{"class":215},[121,380,298],{"class":135},[382,383,384],"blockquote",{},[11,385,386,389,390,393],{},[65,387,388],{},"重要",": Default Deny を適用した後は、必要な通信を明示的に許可するポリシーを追加しなければ、アプリケーションが動作しなくなります。特に ",[65,391,392],{},"DNS（port 53）の Egress 許可"," を忘れないでください。",[33,395,397],{"id":396},"実践的な-network-policy-パターン","実践的な Network Policy パターン",[46,399,401],{"id":400},"パターン1-フロントエンド-バックエンド-データベース","パターン1: フロントエンド → バックエンド → データベース",[11,403,404],{},"典型的な3層アーキテクチャでの Network Policy 設定例：",[111,406,408],{"className":113,"code":407,"language":115,"meta":116,"style":116},"# バックエンド: フロントエンドからの Ingress のみ許可\napiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: allow-frontend-to-backend\n  namespace: production\nspec:\n  podSelector:\n    matchLabels:\n      app: backend\n  policyTypes:\n  - Ingress\n  ingress:\n  - from:\n    - podSelector:\n        matchLabels:\n          app: frontend\n    ports:\n    - protocol: TCP\n      port: 8080\n---\n# データベース: バックエンドからの Ingress のみ許可\napiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: allow-backend-to-database\n  namespace: production\nspec:\n  podSelector:\n    matchLabels:\n      app: database\n  policyTypes:\n  - Ingress\n  ingress:\n  - from:\n    - podSelector:\n        matchLabels:\n          app: backend\n    ports:\n    - protocol: TCP\n      port: 5432\n",[118,409,410,415,423,431,437,446,454,460,466,473,483,490,497,505,515,526,534,545,553,566,578,585,591,600,609,616,626,635,642,649,656,666,673,680,687,696,705,712,721,728,739],{"__ignoreMap":116},[121,411,412],{"class":123,"line":124},[121,413,414],{"class":200},"# バックエンド: フロントエンドからの Ingress のみ許可\n",[121,416,417,419,421],{"class":123,"line":139},[121,418,128],{"class":127},[121,420,132],{"class":131},[121,422,136],{"class":135},[121,424,425,427,429],{"class":123,"line":150},[121,426,142],{"class":127},[121,428,132],{"class":131},[121,430,147],{"class":135},[121,432,433,435],{"class":123,"line":159},[121,434,153],{"class":127},[121,436,156],{"class":131},[121,438,439,441,443],{"class":123,"line":170},[121,440,162],{"class":127},[121,442,132],{"class":131},[121,444,445],{"class":135}," allow-frontend-to-backend\n",[121,447,448,450,452],{"class":123,"line":181},[121,449,173],{"class":127},[121,451,132],{"class":131},[121,453,178],{"class":135},[121,455,456,458],{"class":123,"line":189},[121,457,184],{"class":127},[121,459,156],{"class":131},[121,461,462,464],{"class":123,"line":204},[121,463,192],{"class":127},[121,465,156],{"class":131},[121,467,468,471],{"class":123,"line":212},[121,469,470],{"class":127},"    matchLabels",[121,472,156],{"class":131},[121,474,475,478,480],{"class":123,"line":376},[121,476,477],{"class":127},"      app",[121,479,132],{"class":131},[121,481,482],{"class":135}," backend\n",[121,484,486,488],{"class":123,"line":485},11,[121,487,207],{"class":127},[121,489,156],{"class":131},[121,491,493,495],{"class":123,"line":492},12,[121,494,216],{"class":215},[121,496,373],{"class":135},[121,498,500,503],{"class":123,"line":499},13,[121,501,502],{"class":127},"  ingress",[121,504,156],{"class":131},[121,506,508,510,513],{"class":123,"line":507},14,[121,509,216],{"class":215},[121,511,512],{"class":127}," from",[121,514,156],{"class":131},[121,516,518,521,524],{"class":123,"line":517},15,[121,519,520],{"class":215},"    -",[121,522,523],{"class":127}," podSelector",[121,525,156],{"class":131},[121,527,529,532],{"class":123,"line":528},16,[121,530,531],{"class":127},"        matchLabels",[121,533,156],{"class":131},[121,535,537,540,542],{"class":123,"line":536},17,[121,538,539],{"class":127},"          app",[121,541,132],{"class":131},[121,543,544],{"class":135}," frontend\n",[121,546,548,551],{"class":123,"line":547},18,[121,549,550],{"class":127},"    ports",[121,552,156],{"class":131},[121,554,556,558,561,563],{"class":123,"line":555},19,[121,557,520],{"class":215},[121,559,560],{"class":127}," protocol",[121,562,132],{"class":131},[121,564,565],{"class":135}," TCP\n",[121,567,569,572,574],{"class":123,"line":568},20,[121,570,571],{"class":127},"      port",[121,573,132],{"class":131},[121,575,577],{"class":576},"sOJ5S"," 8080\n",[121,579,581],{"class":123,"line":580},21,[121,582,584],{"class":583},"sGX4V","---\n",[121,586,588],{"class":123,"line":587},22,[121,589,590],{"class":200},"# データベース: バックエンドからの Ingress のみ許可\n",[121,592,594,596,598],{"class":123,"line":593},23,[121,595,128],{"class":127},[121,597,132],{"class":131},[121,599,136],{"class":135},[121,601,603,605,607],{"class":123,"line":602},24,[121,604,142],{"class":127},[121,606,132],{"class":131},[121,608,147],{"class":135},[121,610,612,614],{"class":123,"line":611},25,[121,613,153],{"class":127},[121,615,156],{"class":131},[121,617,619,621,623],{"class":123,"line":618},26,[121,620,162],{"class":127},[121,622,132],{"class":131},[121,624,625],{"class":135}," allow-backend-to-database\n",[121,627,629,631,633],{"class":123,"line":628},27,[121,630,173],{"class":127},[121,632,132],{"class":131},[121,634,178],{"class":135},[121,636,638,640],{"class":123,"line":637},28,[121,639,184],{"class":127},[121,641,156],{"class":131},[121,643,645,647],{"class":123,"line":644},29,[121,646,192],{"class":127},[121,648,156],{"class":131},[121,650,652,654],{"class":123,"line":651},30,[121,653,470],{"class":127},[121,655,156],{"class":131},[121,657,659,661,663],{"class":123,"line":658},31,[121,660,477],{"class":127},[121,662,132],{"class":131},[121,664,665],{"class":135}," database\n",[121,667,669,671],{"class":123,"line":668},32,[121,670,207],{"class":127},[121,672,156],{"class":131},[121,674,676,678],{"class":123,"line":675},33,[121,677,216],{"class":215},[121,679,373],{"class":135},[121,681,683,685],{"class":123,"line":682},34,[121,684,502],{"class":127},[121,686,156],{"class":131},[121,688,690,692,694],{"class":123,"line":689},35,[121,691,216],{"class":215},[121,693,512],{"class":127},[121,695,156],{"class":131},[121,697,699,701,703],{"class":123,"line":698},36,[121,700,520],{"class":215},[121,702,523],{"class":127},[121,704,156],{"class":131},[121,706,708,710],{"class":123,"line":707},37,[121,709,531],{"class":127},[121,711,156],{"class":131},[121,713,715,717,719],{"class":123,"line":714},38,[121,716,539],{"class":127},[121,718,132],{"class":131},[121,720,482],{"class":135},[121,722,724,726],{"class":123,"line":723},39,[121,725,550],{"class":127},[121,727,156],{"class":131},[121,729,731,733,735,737],{"class":123,"line":730},40,[121,732,520],{"class":215},[121,734,560],{"class":127},[121,736,132],{"class":131},[121,738,565],{"class":135},[121,740,742,744,746],{"class":123,"line":741},41,[121,743,571],{"class":127},[121,745,132],{"class":131},[121,747,748],{"class":576}," 5432\n",[46,750,752],{"id":751},"パターン2-namespace-間の通信制御","パターン2: namespace 間の通信制御",[11,754,755,760],{},[17,756,759],{"href":757,"rel":758},"https:\u002F\u002Fwww.redhat.com\u002Fen\u002Fblog\u002Fguide-to-kubernetes-ingress-network-policies",[21],"Red Hat のガイド","で推奨されている、namespace を活用した分離：",[111,762,764],{"className":113,"code":763,"language":115,"meta":116,"style":116},"# monitoring namespace からのメトリクス収集のみ許可\napiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: allow-monitoring\n  namespace: production\nspec:\n  podSelector: {}\n  policyTypes:\n  - Ingress\n  ingress:\n  - from:\n    - namespaceSelector:\n        matchLabels:\n          purpose: monitoring\n    ports:\n    - protocol: TCP\n      port: 9090\n",[118,765,766,771,779,787,793,802,810,816,824,830,836,842,850,859,865,875,881,891],{"__ignoreMap":116},[121,767,768],{"class":123,"line":124},[121,769,770],{"class":200},"# monitoring namespace からのメトリクス収集のみ許可\n",[121,772,773,775,777],{"class":123,"line":139},[121,774,128],{"class":127},[121,776,132],{"class":131},[121,778,136],{"class":135},[121,780,781,783,785],{"class":123,"line":150},[121,782,142],{"class":127},[121,784,132],{"class":131},[121,786,147],{"class":135},[121,788,789,791],{"class":123,"line":159},[121,790,153],{"class":127},[121,792,156],{"class":131},[121,794,795,797,799],{"class":123,"line":170},[121,796,162],{"class":127},[121,798,132],{"class":131},[121,800,801],{"class":135}," allow-monitoring\n",[121,803,804,806,808],{"class":123,"line":181},[121,805,173],{"class":127},[121,807,132],{"class":131},[121,809,178],{"class":135},[121,811,812,814],{"class":123,"line":189},[121,813,184],{"class":127},[121,815,156],{"class":131},[121,817,818,820,822],{"class":123,"line":204},[121,819,192],{"class":127},[121,821,132],{"class":131},[121,823,285],{"class":131},[121,825,826,828],{"class":123,"line":212},[121,827,207],{"class":127},[121,829,156],{"class":131},[121,831,832,834],{"class":123,"line":376},[121,833,216],{"class":215},[121,835,373],{"class":135},[121,837,838,840],{"class":123,"line":485},[121,839,502],{"class":127},[121,841,156],{"class":131},[121,843,844,846,848],{"class":123,"line":492},[121,845,216],{"class":215},[121,847,512],{"class":127},[121,849,156],{"class":131},[121,851,852,854,857],{"class":123,"line":499},[121,853,520],{"class":215},[121,855,856],{"class":127}," namespaceSelector",[121,858,156],{"class":131},[121,860,861,863],{"class":123,"line":507},[121,862,531],{"class":127},[121,864,156],{"class":131},[121,866,867,870,872],{"class":123,"line":517},[121,868,869],{"class":127},"          purpose",[121,871,132],{"class":131},[121,873,874],{"class":135}," monitoring\n",[121,876,877,879],{"class":123,"line":528},[121,878,550],{"class":127},[121,880,156],{"class":131},[121,882,883,885,887,889],{"class":123,"line":536},[121,884,520],{"class":215},[121,886,560],{"class":127},[121,888,132],{"class":131},[121,890,565],{"class":135},[121,892,893,895,897],{"class":123,"line":547},[121,894,571],{"class":127},[121,896,132],{"class":131},[121,898,899],{"class":576}," 9090\n",[46,901,903],{"id":902},"パターン3-dns-と外部通信の許可","パターン3: DNS と外部通信の許可",[11,905,906,911],{},[17,907,910],{"href":908,"rel":909},"https:\u002F\u002Fdaily.dev\u002Fblog\u002Fkubernetes-network-policies-best-practices\u002F",[21],"Daily.dev のベストプラクティス","が強調する、DNS 許可の必須ルール：",[111,913,915],{"className":113,"code":914,"language":115,"meta":116,"style":116},"# DNS Egress を全 Pod に許可（Default Deny Egress と併用必須）\napiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: allow-dns\n  namespace: production\nspec:\n  podSelector: {}\n  policyTypes:\n  - Egress\n  egress:\n  - to:\n    - namespaceSelector: {}\n      podSelector:\n        matchLabels:\n          k8s-app: kube-dns\n    ports:\n    - protocol: UDP\n      port: 53\n    - protocol: TCP\n      port: 53\n",[118,916,917,922,930,938,944,953,961,967,975,981,987,994,1003,1013,1020,1026,1036,1042,1053,1062,1072],{"__ignoreMap":116},[121,918,919],{"class":123,"line":124},[121,920,921],{"class":200},"# DNS Egress を全 Pod に許可（Default Deny Egress と併用必須）\n",[121,923,924,926,928],{"class":123,"line":139},[121,925,128],{"class":127},[121,927,132],{"class":131},[121,929,136],{"class":135},[121,931,932,934,936],{"class":123,"line":150},[121,933,142],{"class":127},[121,935,132],{"class":131},[121,937,147],{"class":135},[121,939,940,942],{"class":123,"line":159},[121,941,153],{"class":127},[121,943,156],{"class":131},[121,945,946,948,950],{"class":123,"line":170},[121,947,162],{"class":127},[121,949,132],{"class":131},[121,951,952],{"class":135}," allow-dns\n",[121,954,955,957,959],{"class":123,"line":181},[121,956,173],{"class":127},[121,958,132],{"class":131},[121,960,178],{"class":135},[121,962,963,965],{"class":123,"line":189},[121,964,184],{"class":127},[121,966,156],{"class":131},[121,968,969,971,973],{"class":123,"line":204},[121,970,192],{"class":127},[121,972,132],{"class":131},[121,974,285],{"class":131},[121,976,977,979],{"class":123,"line":212},[121,978,207],{"class":127},[121,980,156],{"class":131},[121,982,983,985],{"class":123,"line":376},[121,984,216],{"class":215},[121,986,298],{"class":135},[121,988,989,992],{"class":123,"line":485},[121,990,991],{"class":127},"  egress",[121,993,156],{"class":131},[121,995,996,998,1001],{"class":123,"line":492},[121,997,216],{"class":215},[121,999,1000],{"class":127}," to",[121,1002,156],{"class":131},[121,1004,1005,1007,1009,1011],{"class":123,"line":499},[121,1006,520],{"class":215},[121,1008,856],{"class":127},[121,1010,132],{"class":131},[121,1012,285],{"class":131},[121,1014,1015,1018],{"class":123,"line":507},[121,1016,1017],{"class":127},"      podSelector",[121,1019,156],{"class":131},[121,1021,1022,1024],{"class":123,"line":517},[121,1023,531],{"class":127},[121,1025,156],{"class":131},[121,1027,1028,1031,1033],{"class":123,"line":528},[121,1029,1030],{"class":127},"          k8s-app",[121,1032,132],{"class":131},[121,1034,1035],{"class":135}," kube-dns\n",[121,1037,1038,1040],{"class":123,"line":536},[121,1039,550],{"class":127},[121,1041,156],{"class":131},[121,1043,1044,1046,1048,1050],{"class":123,"line":547},[121,1045,520],{"class":215},[121,1047,560],{"class":127},[121,1049,132],{"class":131},[121,1051,1052],{"class":135}," UDP\n",[121,1054,1055,1057,1059],{"class":123,"line":555},[121,1056,571],{"class":127},[121,1058,132],{"class":131},[121,1060,1061],{"class":576}," 53\n",[121,1063,1064,1066,1068,1070],{"class":123,"line":568},[121,1065,520],{"class":215},[121,1067,560],{"class":127},[121,1069,132],{"class":131},[121,1071,565],{"class":135},[121,1073,1074,1076,1078],{"class":123,"line":580},[121,1075,571],{"class":127},[121,1077,132],{"class":131},[121,1079,1061],{"class":576},[33,1081,1083],{"id":1082},"cilium-vs-calico高度な-cni-の選択","Cilium vs Calico：高度な CNI の選択",[11,1085,1086,1087,1092,1093,1098],{},"標準の Kubernetes Network Policy は L3-L4（IP\u002Fポート）レベルの制御に限定されます。L7（HTTP\u002FgRPC）レベルの制御やより高度な機能が必要な場合は、",[17,1088,1091],{"href":1089,"rel":1090},"https:\u002F\u002Fcilium.io\u002F",[21],"Cilium"," または ",[17,1094,1097],{"href":1095,"rel":1096},"https:\u002F\u002Fdocs.tigera.io\u002Fcalico\u002Flatest\u002Fnetwork-policy\u002Fadopt-zero-trust",[21],"Calico"," を検討しましょう。",[46,1100,1091],{"id":1101},"cilium",[11,1103,1104,1109],{},[17,1105,1108],{"href":1106,"rel":1107},"https:\u002F\u002Fazurebeast.com\u002Fposts\u002Fimplement-zero-trust-network-security-with-cilium-in-aks\u002F",[21],"Cilium のゼロトラストセキュリティ実装","によれば：",[59,1111,1112,1118,1124,1130],{},[62,1113,1114,1117],{},[65,1115,1116],{},"eBPF ベース",": カーネルレベルで高性能にパケットを処理",[62,1119,1120,1123],{},[65,1121,1122],{},"L7 ポリシー",": HTTP メソッド・パス・ヘッダーによるフィルタリング",[62,1125,1126,1129],{},[65,1127,1128],{},"DNS ベースの Egress 制御",": FQDN で外部通信先を制限",[62,1131,1132,1135],{},[65,1133,1134],{},"Hubble",": ネットワークフローのリアルタイム可視化",[111,1137,1139],{"className":113,"code":1138,"language":115,"meta":116,"style":116},"# Cilium L7 ポリシー例: GET リクエストのみ許可\napiVersion: cilium.io\u002Fv2\nkind: CiliumNetworkPolicy\nmetadata:\n  name: l7-api-policy\nspec:\n  endpointSelector:\n    matchLabels:\n      app: api\n  ingress:\n  - fromEndpoints:\n    - matchLabels:\n        app: frontend\n    toPorts:\n    - ports:\n      - port: \"8080\"\n        protocol: TCP\n      rules:\n        http:\n        - method: \"GET\"\n          path: \"\u002Fapi\u002Fv1\u002F.*\"\n",[118,1140,1141,1146,1155,1164,1170,1179,1185,1192,1198,1207,1213,1222,1231,1240,1247,1256,1275,1284,1291,1298,1315],{"__ignoreMap":116},[121,1142,1143],{"class":123,"line":124},[121,1144,1145],{"class":200},"# Cilium L7 ポリシー例: GET リクエストのみ許可\n",[121,1147,1148,1150,1152],{"class":123,"line":139},[121,1149,128],{"class":127},[121,1151,132],{"class":131},[121,1153,1154],{"class":135}," cilium.io\u002Fv2\n",[121,1156,1157,1159,1161],{"class":123,"line":150},[121,1158,142],{"class":127},[121,1160,132],{"class":131},[121,1162,1163],{"class":135}," CiliumNetworkPolicy\n",[121,1165,1166,1168],{"class":123,"line":159},[121,1167,153],{"class":127},[121,1169,156],{"class":131},[121,1171,1172,1174,1176],{"class":123,"line":170},[121,1173,162],{"class":127},[121,1175,132],{"class":131},[121,1177,1178],{"class":135}," l7-api-policy\n",[121,1180,1181,1183],{"class":123,"line":181},[121,1182,184],{"class":127},[121,1184,156],{"class":131},[121,1186,1187,1190],{"class":123,"line":189},[121,1188,1189],{"class":127},"  endpointSelector",[121,1191,156],{"class":131},[121,1193,1194,1196],{"class":123,"line":204},[121,1195,470],{"class":127},[121,1197,156],{"class":131},[121,1199,1200,1202,1204],{"class":123,"line":212},[121,1201,477],{"class":127},[121,1203,132],{"class":131},[121,1205,1206],{"class":135}," api\n",[121,1208,1209,1211],{"class":123,"line":376},[121,1210,502],{"class":127},[121,1212,156],{"class":131},[121,1214,1215,1217,1220],{"class":123,"line":485},[121,1216,216],{"class":215},[121,1218,1219],{"class":127}," fromEndpoints",[121,1221,156],{"class":131},[121,1223,1224,1226,1229],{"class":123,"line":492},[121,1225,520],{"class":215},[121,1227,1228],{"class":127}," matchLabels",[121,1230,156],{"class":131},[121,1232,1233,1236,1238],{"class":123,"line":499},[121,1234,1235],{"class":127},"        app",[121,1237,132],{"class":131},[121,1239,544],{"class":135},[121,1241,1242,1245],{"class":123,"line":507},[121,1243,1244],{"class":127},"    toPorts",[121,1246,156],{"class":131},[121,1248,1249,1251,1254],{"class":123,"line":517},[121,1250,520],{"class":215},[121,1252,1253],{"class":127}," ports",[121,1255,156],{"class":131},[121,1257,1258,1261,1264,1266,1269,1272],{"class":123,"line":528},[121,1259,1260],{"class":215},"      -",[121,1262,1263],{"class":127}," port",[121,1265,132],{"class":131},[121,1267,1268],{"class":131}," \"",[121,1270,1271],{"class":135},"8080",[121,1273,1274],{"class":131},"\"\n",[121,1276,1277,1280,1282],{"class":123,"line":536},[121,1278,1279],{"class":127},"        protocol",[121,1281,132],{"class":131},[121,1283,565],{"class":135},[121,1285,1286,1289],{"class":123,"line":547},[121,1287,1288],{"class":127},"      rules",[121,1290,156],{"class":131},[121,1292,1293,1296],{"class":123,"line":555},[121,1294,1295],{"class":127},"        http",[121,1297,156],{"class":131},[121,1299,1300,1303,1306,1308,1310,1313],{"class":123,"line":568},[121,1301,1302],{"class":215},"        -",[121,1304,1305],{"class":127}," method",[121,1307,132],{"class":131},[121,1309,1268],{"class":131},[121,1311,1312],{"class":135},"GET",[121,1314,1274],{"class":131},[121,1316,1317,1320,1322,1324,1327],{"class":123,"line":580},[121,1318,1319],{"class":127},"          path",[121,1321,132],{"class":131},[121,1323,1268],{"class":131},[121,1325,1326],{"class":135},"\u002Fapi\u002Fv1\u002F.*",[121,1328,1274],{"class":131},[46,1330,1097],{"id":1331},"calico",[11,1333,1334,1109],{},[17,1335,1337],{"href":1095,"rel":1336},[21],"Calico のゼロトラストガイド",[59,1339,1340,1346,1352,1358],{},[62,1341,1342,1345],{},[65,1343,1344],{},"BGP ルーティング",": 大規模ネットワークでの高いスケーラビリティ",[62,1347,1348,1351],{},[65,1349,1350],{},"GlobalNetworkPolicy",": クラスタ全体に適用されるポリシー",[62,1353,1354,1357],{},[65,1355,1356],{},"ポリシーティア",": 階層的なポリシー管理（セキュリティ > プラットフォーム > アプリケーション）",[62,1359,1360,1363],{},[65,1361,1362],{},"エンタープライズ対応",": 成熟したコンプライアンス機能",[1365,1366,1367,1381],"table",{},[1368,1369,1370],"thead",{},[1371,1372,1373,1377,1379],"tr",{},[1374,1375,1376],"th",{},"比較項目",[1374,1378,1091],{},[1374,1380,1097],{},[1382,1383,1384,1396,1406,1417,1428],"tbody",{},[1371,1385,1386,1390,1393],{},[1387,1388,1389],"td",{},"データプレーン",[1387,1391,1392],{},"eBPF",[1387,1394,1395],{},"iptables \u002F eBPF",[1371,1397,1398,1400,1403],{},[1387,1399,1122],{},[1387,1401,1402],{},"ネイティブ対応",[1387,1404,1405],{},"Envoy 連携が必要",[1371,1407,1408,1411,1414],{},[1387,1409,1410],{},"可視化",[1387,1412,1413],{},"Hubble（組み込み）",[1387,1415,1416],{},"Calico Enterprise",[1371,1418,1419,1422,1425],{},[1387,1420,1421],{},"スケーラビリティ",[1387,1423,1424],{},"高（eBPF）",[1387,1426,1427],{},"高（BGP）",[1371,1429,1430,1433,1436],{},[1387,1431,1432],{},"学習コスト",[1387,1434,1435],{},"やや高い",[1387,1437,1438],{},"中程度",[33,1440,1442],{"id":1441},"段階的な導入戦略monitor-then-enforce","段階的な導入戦略：Monitor-then-Enforce",[11,1444,1445,1450],{},[17,1446,1449],{"href":1447,"rel":1448},"https:\u002F\u002Fwww.youngju.dev\u002Fblog\u002Fkubernetes\u002F2026-03-11-kubernetes-network-policy-cilium-calico-security.en",[21],"2026年のベストプラクティス","は、「Monitor-then-Enforce」ライフサイクルを推奨しています。",[46,1452,1454],{"id":1453},"ステップ1-現在のトラフィックフローを把握","ステップ1: 現在のトラフィックフローを把握",[11,1456,1457],{},"Hubble（Cilium）や Calico Enterprise のフロー可視化で、実際の通信パターンを記録します。",[46,1459,1461],{"id":1460},"ステップ2-audit-モードでポリシーをテスト","ステップ2: Audit モードでポリシーをテスト",[11,1463,1464],{},"ステージング環境でポリシーを適用し、意図しないブロックがないか検証します。",[46,1466,1468],{"id":1467},"ステップ3-段階的に-enforce","ステップ3: 段階的に Enforce",[11,1470,1471],{},"namespace 単位で Default Deny を適用し、問題がないことを確認しながら本番環境に展開します。",[46,1473,1475],{"id":1474},"ステップ4-継続的な監視と改善","ステップ4: 継続的な監視と改善",[11,1477,1478],{},"新しいサービスの追加や通信パターンの変更に合わせて、ポリシーを継続的に更新します。",[33,1480,1482],{"id":1481},"まとめゼロトラスト実装チェックリスト","まとめ：ゼロトラスト実装チェックリスト",[11,1484,1485],{},"Kubernetes Network Policy によるゼロトラストセキュリティは、以下の手順で実装できます：",[59,1487,1490,1500,1506,1512,1518,1524,1530],{"className":1488},[1489],"contains-task-list",[62,1491,1494,1499],{"className":1492},[1493],"task-list-item",[1495,1496],"input",{"disabled":1497,"type":1498},true,"checkbox"," 全 namespace に Default Deny（Ingress + Egress）を適用",[62,1501,1503,1505],{"className":1502},[1493],[1495,1504],{"disabled":1497,"type":1498}," DNS Egress を明示的に許可",[62,1507,1509,1511],{"className":1508},[1493],[1495,1510],{"disabled":1497,"type":1498}," アプリケーション間の必要最小限の通信を許可",[62,1513,1515,1517],{"className":1514},[1493],[1495,1516],{"disabled":1497,"type":1498}," namespace 間の通信を制御",[62,1519,1521,1523],{"className":1520},[1493],[1495,1522],{"disabled":1497,"type":1498}," 外部通信（Egress）を必要な宛先のみに制限",[62,1525,1527,1529],{"className":1526},[1493],[1495,1528],{"disabled":1497,"type":1498}," L7 レベルの制御が必要なら Cilium または Calico を導入",[62,1531,1533,1535],{"className":1532},[1493],[1495,1534],{"disabled":1497,"type":1498}," Monitor-then-Enforce の段階的導入を遵守",[11,1537,1538,1544,1545,1548],{},[65,1539,1540,1543],{},[17,1541,30],{"href":28,"rel":1542},[21]," では、Network Policy のベースラインがプラットフォームレベルで適用されています。"," 月額48,000円〜で、セキュアな Kubernetes 環境をすぐに利用できます。",[17,1546,90],{"href":88,"rel":1547},[21]," との統合でAIワークロードのセキュリティも万全です。",[11,1550,1551,1552,1557],{},"ゼロトラストセキュリティの導入支援は ",[17,1553,1556],{"href":1554,"rel":1555},"https:\u002F\u002Fwww.hexabase.com\u002Fcontact-us\u002F",[21],"お問い合わせ"," まで。",[1559,1560,1561],"style",{},"html pre.shiki code .s0U2E, html code.shiki .s0U2E{--shiki-default:#F7768E}html pre.shiki code .sAklC, html code.shiki .sAklC{--shiki-default:#89DDFF}html pre.shiki code .sPY7s, html code.shiki .sPY7s{--shiki-default:#9ECE6A}html pre.shiki code .sbD-w, html code.shiki .sbD-w{--shiki-default:#51597D;--shiki-default-font-style:italic}html pre.shiki code .sgJMe, html code.shiki .sgJMe{--shiki-default:#9ABDF5}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .sOJ5S, html code.shiki .sOJ5S{--shiki-default:#FF9E64}html pre.shiki code .sGX4V, html code.shiki .sGX4V{--shiki-default:#A9B1D6}",{"title":116,"searchDepth":139,"depth":139,"links":1563},[1564,1567,1572,1577,1581,1587],{"id":35,"depth":139,"text":35,"children":1565},[1566],{"id":48,"depth":150,"text":49},{"id":98,"depth":139,"text":99,"children":1568},[1569,1570,1571],{"id":102,"depth":150,"text":103},{"id":225,"depth":150,"text":226},{"id":301,"depth":150,"text":302},{"id":396,"depth":139,"text":397,"children":1573},[1574,1575,1576],{"id":400,"depth":150,"text":401},{"id":751,"depth":150,"text":752},{"id":902,"depth":150,"text":903},{"id":1082,"depth":139,"text":1083,"children":1578},[1579,1580],{"id":1101,"depth":150,"text":1091},{"id":1331,"depth":150,"text":1097},{"id":1441,"depth":139,"text":1442,"children":1582},[1583,1584,1585,1586],{"id":1453,"depth":150,"text":1454},{"id":1460,"depth":150,"text":1461},{"id":1467,"depth":150,"text":1468},{"id":1474,"depth":150,"text":1475},{"id":1481,"depth":139,"text":1482},"2026-05-27","Kubernetes Network Policy でゼロトラストネットワークを実装する方法を、Default Deny からCilium\u002FCalico活用まで実例付きで徹底解説します。","md","ja",{},"\u002Fblog\u002Fja\u002Fkubernetes-network-policies-security",{"title":5,"description":1589},"blog\u002Fja\u002Fkubernetes-network-policies-security",[1597,1598,1599,1600,1091,1097,1601],"Kubernetes","Network Policy","ゼロトラスト","セキュリティ","ネットワーク","BKsRkbMQj5ztyZKz6d1iskYzz0UQ2Cpcdv6uAT5SPpU",1779964617053]