Are multiple network policies rules processed logically as "and" rules or "or"?

Question

In the basic example of the documentation for declaring a network policy: https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource

So this sets several rules, as per the documentation:

So, the example NetworkPolicy:

- isolates “role=db” pods in the “default” namespace for both ingress
and egress traffic (if they weren’t already isolated)
- allows connections to TCP port 6379 of “role=db” pods in the “default”
namespace from any pod in the “default” namespace with the
label “role=frontend”
- allows connections to TCP port 6379 of “role=db” pods
in the “default” namespace from any pod in a namespace with
the label “project=myproject”
...

Does this means that the pods of "role=db" label can receive connections from:

• other pods with labels “role=frontend” AND namespace with label “project=myproject”; or
• other pods with labels “role=frontend” OR namespace with label “project=myproject”.

Thanks!

Answer 1

The kubernetes network recipe "ALLOW traffic from apps using multiple selectors" is clear:

• Rules specified in spec.ingress.from are OR'ed.
• This means the pods selected by the selectors are combined are whitelisted altogether.