パート5: Network Policy
対応バージョン: Calico v3.29+ / Kubernetes 1.28+ 最終更新: February 23, 2026
はじめに
Network policy は Kubernetes セキュリティの基本であり、Pod、Namespace、外部エンドポイント間のトラフィックフローを制御します。Kubernetes は基本的な NetworkPolicy API を提供しますが、Calico は Global policy、階層的な policy 評価、DNS ベースのルール、Layer 7 フィルタリングなどの強力な機能でこれを拡張します。
この詳細ガイドでは、Kubernetes 標準 policy と Calico の拡張機能の両方を扱い、エンタープライズのセキュリティ要件に対応するパターンと例を紹介します。
Kubernetes 標準 NetworkPolicy
NetworkPolicy の基礎
Kubernetes NetworkPolicy は、label、Namespace、IP block に基づいて Pod へのトラフィックと Pod からのトラフィックを制御する Namespace スコープのリソースです。
基本的な NetworkPolicy の構造
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: example-policy
namespace: default
spec:
# Which pods this policy applies to
podSelector:
matchLabels:
app: web
# Policy types: Ingress, Egress, or both
policyTypes:
- Ingress
- Egress
# Ingress rules (who can connect TO these pods)
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
- namespaceSelector:
matchLabels:
purpose: monitoring
- ipBlock:
cidr: 10.0.0.0/8
except:
- 10.0.1.0/24
ports:
- protocol: TCP
port: 8080
# Egress rules (where these pods can connect TO)
egress:
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 5432Kubernetes NetworkPolicy の制限事項
| 制限事項 | 説明 | Calico の解決策 |
|---|---|---|
| Namespace スコープのみ | Cluster 全体に適用する policy を作成できない | GlobalNetworkPolicy |
| policy の順序付けなし | すべての policy が同等に評価される | Tiered policy |
| deny ルールなし | allow のみ(暗黙的 deny) | 明示的な Deny action |
| 限定的な L4 filtering | 基本的な port/protocol のみ | Port range、named port |
| L7 filtering なし | HTTP method でフィルタリングできない | HTTP match rule |
| FQDN サポートなし | domain name を使用できない | DNS policy |
| Pod 中心のみ | Node を保護できない | Host endpoint |
Calico NetworkPolicy の拡張
拡張 Protocol サポート
Calico は TCP と UDP 以外の Protocol もサポートします。
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: extended-protocols
namespace: default
spec:
selector: app == 'network-tools'
ingress:
# ICMP ping
- action: Allow
protocol: ICMP
icmp:
type: 8 # Echo Request
code: 0
# ICMPv6
- action: Allow
protocol: ICMPv6
icmp:
type: 128 # Echo Request
# SCTP
- action: Allow
protocol: SCTP
destination:
ports:
- 3868 # Diameter
# UDP with port range
- action: Allow
protocol: UDP
destination:
ports:
- 5000:6000 # Port rangePort range と named port
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: port-examples
namespace: default
spec:
selector: app == 'multi-port-app'
ingress:
# Port range
- action: Allow
protocol: TCP
destination:
ports:
- 8080:8090
# Named ports (from pod spec)
- action: Allow
protocol: TCP
destination:
ports:
- http # References containerPort name
- metrics # References containerPort name
# Mix of specific ports and ranges
- action: Allow
protocol: TCP
destination:
ports:
- 22
- 80
- 443
- 3000:3100拡張 Selector 構文
Calico は Kubernetes より表現力の高い selector 構文を使用します。
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: selector-examples
namespace: production
spec:
# Label equality
selector: app == 'web'
ingress:
# Set membership
- action: Allow
source:
selector: app in {'frontend', 'api-gateway', 'monitoring'}
# Negation
- action: Allow
source:
selector: app != 'untrusted'
# Label existence
- action: Allow
source:
selector: has(security-cleared)
# Combining conditions (AND)
- action: Allow
source:
selector: app == 'backend' && tier == 'internal'
# Complex expression (OR via multiple rules)
- action: Allow
source:
selector: (app == 'frontend') || (app == 'api')
# Namespace selector
- action: Allow
source:
namespaceSelector: environment == 'production'
selector: app == 'authorized-client'GlobalNetworkPolicy
GlobalNetworkPolicy はすべての Namespace にまたがって適用され、Cluster 全体のセキュリティルールに最適です。
GlobalNetworkPolicy の構造
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: cluster-wide-deny-egress
spec:
# Applies to all pods (empty selector)
selector: all()
# Order determines priority (lower = higher priority)
order: 1000
types:
- Egress
egress:
# Block access to metadata service
- action: Deny
destination:
nets:
- 169.254.169.254/32
# Block access to internal DNS except kube-dns
- action: Deny
protocol: UDP
destination:
ports:
- 53
notSelector: k8s-app == 'kube-dns'一般的な GlobalNetworkPolicy パターン
すべてのトラフィックをデフォルトで Deny:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: default-deny-all
spec:
selector: all()
order: 10000 # Lowest priority
types:
- Ingress
- Egress
# Empty rules = deny all
ingress: []
egress: []必須 Service を Allow:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: allow-essential-services
spec:
selector: all()
order: 100
types:
- Egress
egress:
# Allow DNS
- action: Allow
protocol: UDP
destination:
selector: k8s-app == 'kube-dns'
ports:
- 53
# Allow Kubernetes API
- action: Allow
protocol: TCP
destination:
nets:
- 10.96.0.1/32 # ClusterIP of kubernetes service
ports:
- 443機密性の高い Namespace を Block:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: protect-kube-system
spec:
namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
order: 50
types:
- Ingress
ingress:
# Only allow from pods with explicit access
- action: Allow
source:
selector: has(kube-system-access)
# Allow from kube-system itself
- action: Allow
source:
namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
# Deny everything else (implicit)NetworkSet と GlobalNetworkSet
NetworkSet は IP address をグループ化し、policy 間で再利用できます。
NetworkSet(Namespace スコープ)
apiVersion: projectcalico.org/v3
kind: NetworkSet
metadata:
name: corporate-networks
namespace: default
labels:
network-type: corporate
spec:
nets:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
---
# Reference in policy
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: allow-corporate
namespace: default
spec:
selector: app == 'internal-app'
ingress:
- action: Allow
source:
selector: network-type == 'corporate' # References NetworkSet by labelGlobalNetworkSet(Cluster スコープ)
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
name: external-trusted-ips
labels:
network-group: external-trusted
spec:
nets:
- 203.0.113.0/24 # Partner network
- 198.51.100.0/24 # CDN network
- 192.0.2.50/32 # Specific trusted IP
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
name: blocked-countries
labels:
network-group: blocked
spec:
nets:
# Country IP ranges to block
- 1.2.3.0/24
- 5.6.7.0/24
---
# Reference in GlobalNetworkPolicy
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: external-access-control
spec:
selector: has(external-facing)
order: 200
types:
- Ingress
ingress:
# Allow trusted external
- action: Allow
source:
selector: network-group == 'external-trusted'
# Block known bad actors
- action: Deny
source:
selector: network-group == 'blocked'Tiered Policy

Tier は階層的な policy 評価を提供し、platform、security、application team 間で関心を分離できます。
Policy 評価順序
Tier の作成
# Security team tier (highest priority)
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
name: security
spec:
order: 100
---
# Platform team tier
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
name: platform
spec:
order: 200
---
# Application team tier
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
name: application
spec:
order: 500
---
# Default tier (lowest priority, auto-created)
# order: 1000Tiered Policy の例
# Security tier: Block known threats
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: security.block-threats
spec:
tier: security
order: 100
selector: all()
types:
- Ingress
- Egress
ingress:
- action: Deny
source:
selector: network-group == 'threat-intel'
egress:
- action: Deny
destination:
selector: network-group == 'malware-c2'
# Pass to next tier for further evaluation
- action: Pass
---
# Platform tier: Enforce baseline connectivity
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: platform.baseline
spec:
tier: platform
order: 100
selector: all()
types:
- Egress
egress:
# Allow DNS
- action: Allow
protocol: UDP
destination:
selector: k8s-app == 'kube-dns'
ports:
- 53
# Allow Kubernetes API
- action: Allow
protocol: TCP
destination:
services:
name: kubernetes
namespace: default
# Pass to application tier
- action: Pass
---
# Application tier: Team-specific policies
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: application.frontend-rules
namespace: production
spec:
tier: application
order: 100
selector: app == 'frontend'
types:
- Ingress
- Egress
ingress:
- action: Allow
source:
selector: app == 'ingress-nginx'
egress:
- action: Allow
destination:
selector: app == 'backend'
ports:
- 8080Tier と RBAC の統合
# ClusterRole for security team
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: security-team-policy-admin
rules:
- apiGroups: ["projectcalico.org"]
resources: ["globalnetworkpolicies", "tiers"]
verbs: ["*"]
# Can only manage policies in security tier
resourceNames: ["security.*"]
---
# ClusterRole for application teams
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: app-team-policy-admin
rules:
- apiGroups: ["projectcalico.org"]
resources: ["networkpolicies"]
verbs: ["*"]
- apiGroups: ["projectcalico.org"]
resources: ["tiers"]
verbs: ["get", "list"]
resourceNames: ["application"]FQDN ベースの Egress policy
Calico は domain name に基づいて egress traffic をフィルタリングでき、外部 Service への access 制御に役立ちます。
DNS policy の設定
まず、Felix で DNS policy を有効にします。
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
name: default
spec:
dnsTrustedServers:
- k8s-service:kube-system/kube-dns
policySyncPathPrefix: /var/run/nodeagentFQDN Egress ルール
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: allow-specific-domains
spec:
selector: app == 'external-api-client'
order: 500
types:
- Egress
egress:
# Allow specific domains
- action: Allow
destination:
domains:
- api.github.com
- "*.amazonaws.com"
- registry.npmjs.org
protocol: TCP
destination:
ports:
- 443
# Allow Google APIs
- action: Allow
destination:
domains:
- "*.googleapis.com"
- "*.google.com"
protocol: TCP
destination:
ports:
- 443
# Deny all other external
- action: Deny
destination:
notNets:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16Wildcard domain パターン
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: dns-wildcards
spec:
selector: all()
egress:
# Single wildcard - matches any subdomain
- action: Allow
destination:
domains:
- "*.example.com" # Matches api.example.com, www.example.com
# Does NOT match
# example.com (no subdomain)
# deep.sub.example.com (multiple levels)HTTP method フィルタリング(Layer 7)
Calico Enterprise と Calico Cloud は、HTTP traffic 向けの Layer 7 policy をサポートします。
HTTP match ルール
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: l7-http-policy
spec:
selector: app == 'api-server'
order: 300
types:
- Ingress
ingress:
# Allow only GET and HEAD for read-only clients
- action: Allow
source:
selector: role == 'reader'
http:
methods:
- GET
- HEAD
paths:
- prefix: /api/v1/
# Allow full access for admin clients
- action: Allow
source:
selector: role == 'admin'
http:
methods:
- GET
- POST
- PUT
- DELETE
- PATCH
# Allow health checks
- action: Allow
http:
methods:
- GET
paths:
- exact: /health
- exact: /readyPath ベースのフィルタリング
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: path-based-policy
namespace: production
spec:
selector: app == 'web-app'
ingress:
# Public endpoints
- action: Allow
http:
paths:
- prefix: /public/
- exact: /
# Admin endpoints - restricted
- action: Allow
source:
selector: role == 'admin'
http:
paths:
- prefix: /admin/
# API endpoints - authenticated only
- action: Allow
source:
selector: has(api-access)
http:
paths:
- prefix: /api/Host endpoint の保護
Host endpoint は Pod だけでなく、Node 自体への/Node 自体からの traffic を保護します。
Host endpoint の有効化
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
name: default
spec:
defaultEndpointToHostAction: Drop # or Accept, ReturnHost endpoint の定義
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
name: node1-eth0
labels:
host: node1
interface: external
spec:
interfaceName: eth0
node: node1
expectedIPs:
- 10.0.1.10
---
# Policy for host endpoints
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: host-ssh-policy
spec:
selector: interface == 'external'
order: 100
types:
- Ingress
ingress:
# Allow SSH from bastion
- action: Allow
protocol: TCP
source:
nets:
- 10.0.0.100/32 # Bastion IP
destination:
ports:
- 22
# Allow kubelet API from control plane
- action: Allow
protocol: TCP
source:
selector: has(control-plane)
destination:
ports:
- 10250
# Allow node exporter metrics
- action: Allow
protocol: TCP
source:
namespaceSelector: kubernetes.io/metadata.name == 'monitoring'
selector: app == 'prometheus'
destination:
ports:
- 9100Auto Host endpoint
すべての Node に対して host endpoint を自動的に作成します。
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
name: default
spec:
defaultEndpointToHostAction: Drop
---
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
calicoNetwork:
hostPorts: Enabled # Creates auto host endpointsDoNotTrack と PreDNAT policy
DoNotTrack policy
DoNotTrack policy は connection tracking をバイパスするため、高スループットのシナリオで役立ちます。
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: high-throughput-no-track
spec:
selector: app == 'load-balancer'
order: 10
types:
- Ingress
- Egress
doNotTrack: true
applyOnForward: true
ingress:
- action: Allow
protocol: TCP
destination:
ports:
- 80
- 443
egress:
- action: AllowPreDNAT policy
PreDNAT policy は destination NAT の前に適用され、NodePort access の制御に役立ちます。
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: restrict-nodeport-access
spec:
selector: has(kubernetes.io/os) # Applies to host endpoints
order: 100
types:
- Ingress
preDNAT: true
applyOnForward: true
ingress:
# Allow NodePort access only from trusted networks
- action: Allow
protocol: TCP
source:
nets:
- 10.0.0.0/8
destination:
ports:
- 30000:32767 # NodePort range
# Deny NodePort from everywhere else
- action: Deny
protocol: TCP
destination:
ports:
- 30000:32767Policy のデバッグ
calicoctl の使用
# List all policies
calicoctl get networkpolicy -A
calicoctl get globalnetworkpolicy
# Get policy details
calicoctl get networkpolicy my-policy -n default -o yaml
# Describe endpoints affected by a policy
calicoctl get workloadendpoint -o wide
# Check policy selectors
calicoctl get networkpolicy -o yaml | grep -A5 selectoriptables ルールの確認
# View Calico chains
iptables -L -n -v | grep -i cali
# View filter table
iptables -t filter -L -n -v
# View NAT table
iptables -t nat -L -n -v
# Count packets by rule
iptables -L cali-fw-xxxxx -n -v
# Watch traffic in real-time
watch -n 1 'iptables -L cali-fw-xxxxx -n -v'Felix log
# View Felix logs
kubectl logs -n kube-system -l k8s-app=calico-node -c calico-node | grep -i policy
# Increase log verbosity
calicoctl patch felixconfiguration default -p '{"spec":{"logSeverityScreen":"Debug"}}'
# Check policy sync status
kubectl exec -n kube-system calico-node-xxxxx -c calico-node -- calico-node -felix-readyPolicy 評価フローのデバッグ
# Get workload endpoint details
calicoctl get workloadendpoint -n default --selector='app==web' -o yaml
# Check which policies apply
calicoctl get networkpolicy -A -o yaml | grep -B20 "app.*web"
# Test connectivity
kubectl exec -it test-pod -- nc -zv target-pod 8080一般的な Policy パターンライブラリ
Microservices パターン
# Frontend -> Backend -> Database
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: frontend-policy
namespace: production
spec:
selector: app == 'frontend'
types:
- Ingress
- Egress
ingress:
- action: Allow
source:
selector: app == 'ingress-nginx'
egress:
- action: Allow
destination:
selector: app == 'backend'
ports:
- 8080
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: backend-policy
namespace: production
spec:
selector: app == 'backend'
types:
- Ingress
- Egress
ingress:
- action: Allow
source:
selector: app == 'frontend'
ports:
- 8080
egress:
- action: Allow
destination:
selector: app == 'database'
ports:
- 5432
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: database-policy
namespace: production
spec:
selector: app == 'database'
types:
- Ingress
ingress:
- action: Allow
source:
selector: app == 'backend'
ports:
- 5432Multi-Tenant 分離
# Each tenant namespace is fully isolated
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: tenant-isolation
spec:
namespaceSelector: has(tenant)
order: 500
types:
- Ingress
- Egress
ingress:
# Allow same-tenant traffic
- action: Allow
source:
namespaceSelector: tenant == "$(namespace.tenant)"
egress:
# Allow same-tenant traffic
- action: Allow
destination:
namespaceSelector: tenant == "$(namespace.tenant)"
# Allow DNS
- action: Allow
protocol: UDP
destination:
selector: k8s-app == 'kube-dns'
ports:
- 53Zero Trust パターン
# Default deny everything
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: zero-trust-default-deny
spec:
selector: all()
order: 10000
types:
- Ingress
- Egress
ingress: []
egress: []
---
# Explicit allow for each service
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: zero-trust-api-server
namespace: production
spec:
selector: app == 'api-server'
order: 100
types:
- Ingress
- Egress
ingress:
- action: Allow
source:
selector: app == 'api-gateway'
namespaceSelector: kubernetes.io/metadata.name == 'production'
destination:
ports:
- 8080
egress:
- action: Allow
destination:
selector: app == 'database'
namespaceSelector: kubernetes.io/metadata.name == 'production'
ports:
- 5432
# Allow DNS
- action: Allow
protocol: UDP
destination:
namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
selector: k8s-app == 'kube-dns'
ports:
- 53Egress 制御パターン
# Control outbound internet access
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: egress-internet-control
spec:
selector: has(internet-access)
order: 300
types:
- Egress
egress:
# Allow approved external services
- action: Allow
destination:
domains:
- "*.amazonaws.com"
- api.github.com
- registry.npmjs.org
protocol: TCP
destination:
ports:
- 443
# Allow internal traffic
- action: Allow
destination:
nets:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
---
# Block internet for unlabeled pods
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: egress-internet-deny
spec:
selector: "!has(internet-access)"
order: 400
types:
- Egress
egress:
# Allow internal only
- action: Allow
destination:
nets:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
# Deny external
- action: DenyNamespace 分離パターン
# Isolate namespaces by default
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: namespace-isolation
spec:
namespaceSelector: has(kubernetes.io/metadata.name)
order: 800
types:
- Ingress
ingress:
# Allow same namespace
- action: Allow
source:
namespaceSelector: kubernetes.io/metadata.name == "$(namespace.name)"
# Allow monitoring namespace
- action: Allow
source:
namespaceSelector: kubernetes.io/metadata.name == 'monitoring'
selector: app in {'prometheus', 'grafana'}
# Allow ingress namespace
- action: Allow
source:
namespaceSelector: kubernetes.io/metadata.name == 'ingress-nginx'Policy のパフォーマンスへの影響
パフォーマンスに関する考慮事項
| 要因 | 影響 | 軽減策 |
|---|---|---|
| policy 数 | 線形的な rule 評価 | Tiered policy を使用し、selector を最適化 |
| Selector の複雑さ | match 時間の増加 | 単純な label match を使用 |
| IP set のサイズ | Memory 使用量 | IP range を集約 |
| Log 頻度 | CPU と storage | 大量の場合は sampling を使用 |
| Connection tracking | stateful 用の Memory | stateless には DoNotTrack |
最適化のヒント
- Tiered policy を使用する: deny rule を最初に評価する
- selector の複雑さを最小化する: set operation より equality を優先する
- IP range を集約する: 個別の IP ではなく CIDR block を使用する
- GlobalNetworkSet を使用する: policy 間で IP group を再利用する
- policy caching を有効にする: 最近の Calico version ではデフォルトで有効
Policy パフォーマンスのベンチマーク
# Measure rule evaluation time
kubectl exec -n kube-system calico-node-xxxxx -c calico-node -- \
calico-node -felix-ready
# Check dataplane programming time
kubectl logs -n kube-system -l k8s-app=calico-node -c calico-node | \
grep "Policy sync"
# Monitor iptables rule count
iptables -L -n | wc -lBest Practice のまとめ
設計原則
- default deny から始める: 必要な traffic を whitelist に登録する
- 最小権限を使用する: 必要な port と protocol のみを allow する
- policy を階層化する: Security -> Platform -> Application
- 一貫して label を付ける: policy の対象指定には標準 label を使用する
- policy を文書化する: 意図を説明する comment を含める
運用上の推奨事項
- まず staging でテストする: production 前に policy を検証する
- audit mode を使用する: 新しい policy を強制する前に log を取得する
- policy hit count を監視する: 未使用の rule を特定する
- policy を定期的にレビューする: 古くなった rule を削除する
- policy deployment を自動化する: policy 管理に GitOps を使用する
セキュリティ上の推奨事項
- metadata service を Block する: SSRF attack を防止する
- egress を制御する: 外部 access を承認済み destination に制限する
- control plane を保護する: kube-system への access を制限する
- logging を有効にする: deny された connection を監査する
- FQDN policy を使用する: 名前で外部 Service への access を制御する