Kubernetes NetworkPolicy: allow only outbound traffic to the Internet

Updated: 2023-12-02 10:21:16

Try adding a default deny all network policy on the namespace, then adding an allow Internet policy after.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-internet-only
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 192.168.0.0/16
              - 172.16.0.0/20

This will block all traffic except for internet outbound. In the allow-internet-only policy, there is an exception for all private IPs which will prevent pod-to-pod communication. You will also have to allow Egress to Core DNS from kube-system if you require DNS lookups, as the default-deny-all policy will block DNS queries.
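Added example (not part of the answer above): a small checker that applies NetworkPolicy `ipBlock` semantics (allowed if inside `cidr` and not inside any `except`) to the answer's egress rule and reports which RFC 1918 destinations it still lets through. It assumes the policy is loaded as a plain dict (the shape PyYAML would produce), and uses the full RFC 1918 ranges (`172.16.0.0/12`, not the `/20` in the rule) as the reference set, so the gap between `172.16.16.0` and `172.31.255.255` shows up.

```python
import ipaddress

# The allow-internet-only egress rule from the answer, as a dict (constructed).
ALLOW_INTERNET_ONLY = {
    "egress": [
        {"to": [{"ipBlock": {
            "cidr": "0.0.0.0/0",
            "except": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/20"],
        }}]}
    ]
}

# Full RFC 1918 ranges an "Internet only" policy is expected to exclude.
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_allows(policy, dst_ip):
    """True if any egress rule's ipBlock matches dst_ip.
    ipBlock semantics: the address must be inside `cidr` and outside every
    `except` entry; separate rules/peers are OR-ed together."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy.get("egress", []):
        for peer in rule.get("to", []):
            block = peer.get("ipBlock")
            if not block or ip not in ipaddress.ip_network(block["cidr"]):
                continue
            if any(ip in ipaddress.ip_network(e) for e in block.get("except", [])):
                continue
            return True
    return False


def private_leaks(policy, candidates):
    """Return the RFC 1918 destinations in `candidates` the policy still allows."""
    return [d for d in candidates
            if any(ipaddress.ip_address(d) in n for n in RFC1918)
            and egress_allows(policy, d)]


if __name__ == "__main__":
    probes = ["8.8.8.8", "10.1.2.3", "192.168.1.10",
              "172.16.5.5", "172.16.20.5", "172.31.0.1"]
    for p in probes:
        state = "ALLOWED" if egress_allows(ALLOW_INTERNET_ONLY, p) else "blocked"
        print(f"{p:>14}: {state}")
    print("private destinations still reachable:",
          private_leaks(ALLOW_INTERNET_ONLY, probes))
```

Widening the last `except` entry to `172.16.0.0/12` makes `private_leaks` return an empty list for the same probes.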